March 6, 2024 at 03:15AM
VMware has issued patches for four security flaws affecting ESXi, Workstation, and Fusion, including two critical bugs that allow code execution. The vulnerabilities, which include use-after-free bugs in the XHCI USB controller, carry high CVSS scores. CVE-2024-22252 and CVE-2024-22253 were discovered by multiple security researchers and require immediate patching. As a temporary workaround, all USB controllers can be removed from affected virtual machines.
Key takeaways from the meeting notes:
– VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws (CVE-2024-22252 and CVE-2024-22253) related to use-after-free bugs in the XHCI USB controller.
– These vulnerabilities have the potential for code execution, with CVSS scores of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.
– Multiple security researchers, including those from Ant Group Light-Year Security Lab and QiAnXin, have been credited with independently discovering and reporting these vulnerabilities.
– The company has also patched two other shortcomings, CVE-2024-22254 and CVE-2024-22255, which carry CVSS scores of 7.9 each.
– VMware has recommended a temporary workaround for customers to remove all USB controllers from the virtual machine until a patch can be deployed.
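To track that workaround across an estate, the following PowerCLI audit (an added example, not from the advisory or from VMware) lists every VM that still has a USB controller attached. It assumes VMware PowerCLI is installed and that a Connect-VIServer session is already open; the device type names are the ones the vSphere API uses for USB 2 (UHCI) and USB 3 (xHCI) controllers.

```powershell
# Audit VMs for attached USB controllers (read-only; nothing is changed).
# Assumes: PowerCLI imported and Connect-VIServer already run against the vCenter/ESXi host.

# vSphere API device types for virtual USB controllers.
$usbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

$report = foreach ($vm in Get-VM) {
    # Config can be null for VMs that are inaccessible or orphaned; skip those rather than fail.
    $config = $vm.ExtensionData.Config
    if (-not $config) { continue }

    $controllers = $config.Hardware.Device | Where-Object {
        $usbControllerTypes -contains $_.GetType().Name
    }

    if ($controllers) {
        [pscustomobject]@{
            VM          = $vm.Name
            PowerState  = $vm.PowerState
            Host        = $vm.VMHost.Name
            Controllers = ($controllers | ForEach-Object { $_.GetType().Name }) -join ','
        }
    }
}

# VMs listed here still carry a USB controller and have not had the workaround applied.
$report | Sort-Object VM | Format-Table -AutoSize
```

The output is an inventory only; removing the controllers (or applying the vendor patch) is still done per VM after reviewing which guests actually need USB passthrough.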