Severity Rating: HIGH

Software Affected

VMware ESXi versions 7.0 and 8.0

VMware Fusion versions prior to 12.2.5

VMware Workstation versions prior to 16.2.5

VMware Cloud Foundation (ESXi) versions 3.x and 4.x

VMware Workspace ONE Access versions 21.08.0.1 and  21.08.0.0

VMware Workspace ONE Access versions prior to 22.09.1.0

VMware Cloud Foundation (vIDM) versions prior to 3.3.6

Overview

Multiple vulnerabilities have been reported in VMware, which could allow a remote attacker to execute arbitrary code, access sensitive information and bypass security restrictions on the targeted system.

Description

1. Remote Code Execution Vulnerability ( CVE-2022-31700   )

This vulnerability exists in VMware due to insufficient validation of user-supplied input. A remote attacker could exploit this vulnerability by sending a specially crafted request. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted system.

2. Broken Authentication Vulnerability ( CVE-2022-31701   )

This vulnerability exists in VMware due to improper access restrictions to a certain endpoint. A remote attacker could exploit this vulnerability by sending a specially crafted request. Successful exploitation of this vulnerability could allow an attacker to access sensitive information on the targeted system.

3. Heap out-of-bounds write vulnerability ( CVE-2022-31705   )

This vulnerability exists in VMware due to a boundary error within the USB 2.0 controller (EHCI). A local attacker could exploit this vulnerability by guest OS can trigger an out-of-bounds write. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the system.

Solution

Apply appropriate updates as mentioned in VMware Security Advisory:

Vendor Information

VMware

References

VMware

CVE Name

CVE-2022-31700

CVE-2022-31701

CVE-2022-31705