- VMware fixes three vulnerabilities affecting multiple products and urged users to install the updates as soon as possible.
- The severity of the vulnerabilities is in the critical severity range, with CVSSv3 scores of 9.3 and 9.8.
- The vulnerabilities affect ESXi, Workstation, Fusion, Cloud Foundation, and vRealize Network Insight products.
VMware fixed multiple vulnerabilities with a security update. The update addresses multiple critical severity vulnerabilities that affect various products, including ESXi, Workstation, Fusion, Cloud Foundation, and vRealize Network Insight.
Critical severity
According to the advisory, the vulnerability tracked as CVE-2022-31705, is a heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion. It was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products. The vulnerability is found in the USB 2.0 controller and has a CVSSv3 score of 9.3.
| Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
|
ESXi
|
8.0
|
Any
|
Moderate
|
|||
|
ESXi
|
7.0
|
Any
|
Moderate
|
|||
|
Fusion
|
13.x
|
OS X
|
N/A
|
N/A
|
Unaffected
|
N/A
|
|
Fusion
|
12.x
|
OS X
|
Critical
|
12.2.5
|
||
|
Workstation
|
17.x
|
Any
|
N/A
|
N/A
|
Unaffected
|
N/A
|
|
Workstation
|
16.x
|
Any
|
Critical
|
16.2.5
|
| Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
|
Cloud Foundation (ESXi)
|
4.x/3.x
|
Any
|
Moderate
|
The other two vulnerabilities are an address command injection and a directory traversal security vulnerabilities tracked as CVE-2022-31702 and CVE-2022-31703, respectively. These vulnerabilities are detected in VMware vRealize Network Insight and they were privately reported to VMware. vRealize Network Insight contains a command injection vulnerability present in the vRNI REST API. Patches and updates are available to remediate these vulnerabilities. The severity of this issue is in the critical severity range with a maximum CVSSv3 base score of 9.8.
| Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
|
VMware vRealize Network Insight (vRNI)
|
6.8.0
|
Any
|
NA
|
N/A
|
Unaffected
|
NA
|
|
VMware vRealize Network Insight (vRNI)
|
6.7
|
Any
|
Critical
|
None
|
||
|
VMware vRealize Network Insight (vRNI)
|
6.6
|
Any
|
Critical
|
None
|
||
|
VMware vRealize Network Insight (vRNI)
|
6.5.x
|
Any
|
Critical
|
None
|
||
|
VMware vRealize Network Insight (vRNI)
|
6.4
|
Any
|
Critical
|
None
|
||
|
VMware vRealize Network Insight (vRNI)
|
6.3
|
Any
|
Critical
|
None
|
||
|
VMware vRealize Network Insight (vRNI)
|
6.2
|
Any
|
Critical
|
None
|