By uav-jp, 06/12/2022

Critical vulnerabilities in VMware products: "ESXi", "Workstation" and "Fusion" affected - Window Forest

Update as a countermeasure

Security advisory "VMSA-2022-0004"

On February 15 (local time), US-based VMware released the security advisory "VMSA-2022-0004". According to the advisory, there are multiple vulnerabilities in the company's virtualization products "Workstation" and "Fusion".

The company's advisory announces the following five vulnerabilities (severity and CVSS v3 base score in parentheses). Although the individual vulnerabilities are rated "Important" and "Moderate", the overall severity rating is "Critical", because combining the issues could have a significant impact.

Only the XHCI USB controller issues (CVE-2021-22040, CVE-2021-2201) affect "Workstation" and "Fusion". In the worst case, a user with local administrator privileges on a virtual machine may be able to execute code as the virtual machine's VMX process running on the host. "Workstation" needs to be updated to v16.2.1 and "Fusion" to v12.2.1.
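As an added example (not part of the original article or of any VMware tooling), the following sketch checks an inventory of installed versions against the fixed releases named above. The banner format, host names and function names are assumptions made for illustration, and the inventory is constructed sample data.

```python
import re

# Fixed releases named in the article; other release lines are not covered there.
FIXED = {"Workstation": (16, 2, 1), "Fusion": (12, 2, 1)}

# Assumed banner shape, e.g. "VMware Workstation Pro 16.2.0 build-00000000".
BANNER = re.compile(r"VMware\s+(Workstation|Fusion)\b.*?(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Return 'patched', 'needs-update', 'review' or 'unparsed' for one banner."""
    m = BANNER.search(banner)
    if not m:
        return "unparsed"
    product = m.group(1)
    # A missing patch component ("12.2") is treated as 0.
    version = tuple(int(x) if x else 0 for x in m.group(2, 3, 4))
    fixed = FIXED[product]
    if version[0] != fixed[0]:
        # The article gives a fixed version only for the 16.x and 12.x lines,
        # so any other major version needs a manual check of the advisory.
        return "review"
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Map each host to the status of its reported version banner."""
    return {host: classify(banner) for host, banner in inventory}


# Constructed sample inventory (host, banner); not real hosts or build numbers.
SAMPLE = [
    ("dev-ws-01", "VMware Workstation 16.2.0 build-00000000"),
    ("dev-ws-02", "VMware Workstation Pro 16.2.1 build-00000000"),
    ("mac-07", "VMware Fusion 12.1.2"),
    ("mac-08", "VMware Fusion 12.2.1"),
    ("lab-03", "VMware Workstation 15.5.7 build-00000000"),
    ("lab-04", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `review` or `unparsed` are not confirmed safe; they fall outside what the article states and need to be checked against the advisory directly.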

"VMware Workstation" is a tool that allows multiple operating systems to run as virtual machines (VMs) on a single PC. It runs on Windows and Linux, and requires a 64-bit CPU and OS. It comes in "Player" and "Pro" editions, and "Player" can be used free of charge only for personal use and commercial use. The commercial license for "Player" is 17,985 yen, and the license for "Pro" is 24,035 yen. The latest version at the time of writing is v16.2.2, released in January this year.