Security News > 2022 > February > VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products
VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service condition.
CVE-2021-22042 - ESXi settingsd unauthorized access vulnerability.
CVE-2022-22945 - CLI shell injection vulnerability in the NSX Edge appliance component.
CVE-2021-22050 could be weaponized by an adversary with network access to ESXi to create a DoS condition by overwhelming rhttpproxy service with multiple requests.
Last but not least, CVE-2022-22945 could permit an attacker with SSH access to an NSX-Edge appliance to run arbitrary commands on the operating system as root user.
"The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments," VMware noted in a separate FAQ. "Organizations that practice change management using the ITIL definitions of change types would consider this an 'emergency change.'".
News URL
https://thehackernews.com/2022/02/vmware-issues-security-patches-for-high.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-16 | CVE-2022-22945 | OS Command Injection vulnerability in VMWare Cloud Foundation and NSX Data Center VMware NSX Edge contains a CLI shell injection vulnerability. | 7.2 |
| 2022-02-16 | CVE-2021-22050 | Allocation of Resources Without Limits or Throttling vulnerability in VMWare Cloud Foundation and Esxi ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. | 5.0 |
| 2022-02-16 | CVE-2021-22042 | Incorrect Authorization vulnerability in VMWare Cloud Foundation and Esxi VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. | 4.6 |