top of page

Several VMware Products Affected by Heap-overflow Vulnerability.

A heap overflow vulnerability has just been discovered in many VMware products, and it has been assigned the identifier CVE-2021-22045.

This heap overflow vulnerability affects the following VMware products:

  • VMware ESXi

  • VMware Workstation

  • VMware Fusion

  • VMware Cloud Foundation

However, VMware has already addressed this security flaw with the release of: -

  • ESXi670-202111101-SG

  • ESXi650-202110101-SG

  • Workstation 16.2.0

  • Fusion 12.2.0

About the Vulnerability:

  • CVE ID: CVE-2021-22045

  • Advisory ID: VMSA-2022-0001

  • CVSSv3 Range: 7.7

  • Issue Date: 2022-01-04

  • Updated On: 2022-01-04 (Initial Advisory)

  • Synopsis: VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)

This heap-overflow vulnerability has been discovered in VMware Workstation, Fusion, and ESXi CD-ROM device emulation. So, at this time, an attacker with access to a virtual machine with CD-ROM device emulation may exploit this security issue and execute arbitrary code on the hypervisor.


VMware has released remediation for this security problem, which is detailed below:

  • First of all, using the vSphere Web Client log in to a vCenter Server system.

  • Then you have to right-click the virtual machine and click Edit Settings.

  • Now, select the CD/DVD drive.

  • After that, uncheck the “Connected” and “Connect at power on.”

  • Now you have to remove the ISOs that are attached.

In this section, we discussed the commands used in Powercli to retrieve a list of virtual machines that have a CD-ROM/DVD attached, as well as the command to remove and detach an associated CD-ROM/DVD device.

For getting the list of virtual machines:-

  • Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

To remove an attached CD-ROM/DVD device:-

  • Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false

Apart from this, the firm has affirmed that once the upgrade is complete that is recommended there is no requirement to implement the workaround provided.

Source :-

13 views0 comments


bottom of page