VMware has released patches for several vulnerabilities that were found during the Tianfu Cup security event. Tianfu Cup took place in China between 16th and 17th October 2021; the fixes and the details of the vulnerabilities were recently released by VMware in a security advisory. The company states that there is no indication of exploitation in the wild.
Five vulnerabilities, four above 8.0 severity score
VMware has published a detailed advisory including solutions and workarounds
According to the security advisory, five vulnerabilities were found during the event, affecting VMware ESXi, VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, and VMware Cloud Foundation. The advisory rates the individual vulnerabilities as high severity, but states that their combined severity is critical. Here is the list of the CVEs:
- CVE-2021-22040 (8.4): Use-after-free vulnerability in XHCI USB controller
- CVE-2021-22041 (8.4): Double-fetch vulnerability in UHCI USB controller
- CVE-2021-22042 (8.2): ESXi settingsd unauthorized access vulnerability
- CVE-2021-22043 (8.2): ESXi settingsd TOCTOU vulnerability
- CVE-2021-22050 (5.3): ESXi slow HTTP POST denial of service vulnerability
VMware urges its users to apply the patches for their products and versions immediately. The affected products, versions, and patches are listed in VMware's official security advisory, linked below:
Click here to see the full documentation of the flaws and download related patches