Date: Tue, 23 Aug 2022 20:10:48 +0000 From: VMware Security Response Center <security@...are.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: [SECURITY ADVISORY] open-vm-tools: Local privilege escalation vulnerability (CVE-2022-31676) Local privilege escalation vulnerability in open-vm-tools ================================ VMware security advisory, August 23 2022 - https://www.vmware.com/security/advisories/VMSA-2022-0024.html 1. Impacted Products VMware Tools (open-vm-tools) 2. Introduction VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products. 3. Local privilege escalation vulnerability (CVE-2022-31676) Description: VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range<https://www.vmware.com/support/policies/security_response.html> with a maximum CVSSv3 base score of 7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>. Known Attack Vectors: A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. Resolution: To remediate CVE-2022-31676 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below. Workarounds: None Additional Documentation: None Acknowledgements: None Notes: VMware Tools 10.3.25 only applies to the older Linux releases. Response Matrix: VMware Product Version Running On CVE CVSSv3 Severity Fixed Version Workarounds Additional Documentation VMware Tools 12.x.y, 11.x.y Linux CVE-2022-31676 7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H> Important 12.1.0<https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html> None None VMware Tools 10.x.y Linux CVE-2022-31676 7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H> Important 10.3.25<https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html> None None 4. References: Fixed Version(s) and Release Notes: VMware Tools for Linux 12.1.0 Downloads and Documentation: https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS1210&productId=1259&rPId=92824 https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html VMware Tools for Linux 10.3.25 Downloads and Documentation: https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS10325&productId=1072&rPId=92945 https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676 FIRST CVSSv3 Calculator: CVE-2022-31676: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Upstream fix for CVE-2022-31676: https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/README.md Thanks, Sibi Aravind E VMware Security Response Center
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.