VMSA-2022-0033: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability

VMware Cloud Foundation


23653

11 December 2022

11 December 2022

CLOSED

CRITICAL

5.9-9.3

CVE-2022-31705

Advisory ID: VMSA-2022-0033
CVSSv3 Range: 5.9-9.3
Issue Date: 2022-12-13
Updated On: 2022-12-13 (Initial Advisory)
CVE(s): CVE-2022-31705
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)
1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation
2. Introduction

A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products.  

3. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)

Description

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Resolution

To remediate CVE-2022-31705 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2022-31705 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank the organizers of GeekPwn 2022 and Yuhao Jiang for reporting this issue to us.

Notes

None.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 8.0 | Any | CVE-2022-31705 | | moderate | | | None |
| ESXi | 7.0 | Any | CVE-2022-31705 | | moderate | | | None |
| Fusion | 13.x | OS X | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 12.x | OS X | CVE-2022-31705 | | critical | 12.2.5 | | None |
| Workstation | 17.x | Any | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 16.x | Any | CVE-2022-31705 | | critical | 16.2.5 | | None |
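
The following is an added example, not part of VMware's advisory: a small inventory check that reads a VM's .vmx configuration, reports whether a virtual USB 2.0 (EHCI) controller is configured, and compares a Workstation or Fusion version against the fixed versions in the Response Matrix above. It assumes the `ehci.present` key of the .vmx format, treats a missing key as "not configured", and uses constructed sample data.

```python
import re

# Fixed versions from the advisory's Response Matrix (Workstation 16.x, Fusion 12.x).
FIXED = {("workstation", 16): (16, 2, 5), ("fusion", 12): (12, 2, 5)}
# Branches the matrix lists as unaffected.
UNAFFECTED = {("workstation", 17), ("fusion", 13)}

def parse_vmx(text):
    """Parse .vmx 'key = "value"' lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def ehci_present(cfg):
    """True when a virtual USB 2.0 (EHCI) controller is configured (assumed default: absent)."""
    return cfg.get("ehci.present", "FALSE").strip().upper() == "TRUE"

def patch_status(product, version):
    """Return 'unaffected', 'fixed', 'vulnerable' or 'unknown' for a product version."""
    parts = tuple(int(p) for p in version.split("."))
    key = (product.lower(), parts[0])
    if key in UNAFFECTED:
        return "unaffected"
    if key not in FIXED:
        return "unknown"  # no fixed version for this branch in the table above
    return "fixed" if parts >= FIXED[key] else "vulnerable"

def needs_attention(product, version, vmx_text):
    """In scope when the host product is unpatched and the VM has the EHCI device."""
    return patch_status(product, version) == "vulnerable" and ehci_present(parse_vmx(vmx_text))

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
'''

if __name__ == "__main__":
    for ver in ("16.2.4", "16.2.5", "17.0.0"):
        print(ver, patch_status("Workstation", ver), needs_attention("Workstation", ver, SAMPLE_VMX))
```
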

Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (ESXi) | 4.x/3.x | Any | CVE-2022-31705 | | moderate | | | None |

4. References
5. Change Log

2022-12-13 VMSA-2022-0033
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:  

[email protected] 
[email protected] 

[email protected] 

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.