[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [SECURITY ADVISORY] open-vm-tools: Local privilege escalation vulnerability (CVE-2022
From: VMware Security Response Center <security () vmware ! com>
Date: 2022-08-23 20:10:48
Message-ID: BYAPR05MB63436604DE6E9F49EAAAD1B1B9709 () BYAPR05MB6343 ! namprd05 ! prod ! outlook ! com
[Download RAW message or body]
Local privilege escalation vulnerability in open-vm-tools
================================
VMware security advisory, August 23 2022 - \
https://www.vmware.com/security/advisories/VMSA-2022-0024.html
1. Impacted Products
VMware Tools (open-vm-tools)
2. Introduction
VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available \
to remediate this vulnerability in affected VMware products.
3. Local privilege escalation vulnerability (CVE-2022-31676)
Description:
VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the \
severity of this issue to be in the Important severity \
range<https://www.vmware.com/support/policies/security_response.html> with a maximum CVSSv3 \
base score of 7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>.
Known Attack Vectors:
A malicious actor with local non-administrative access to the Guest OS can escalate privileges \
as a root user in the virtual machine.
Resolution:
To remediate CVE-2022-31676 apply the patches listed in the 'Fixed Version' column of the \
'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
None
Notes:
VMware Tools 10.3.25 only applies to the older Linux releases.
Response Matrix:
VMware Product
Version
Running On
CVE
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
VMware Tools
12.x.y, 11.x.y
Linux
CVE-2022-31676
7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
Important
12.1.0<https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html>
None
None
VMware Tools
10.x.y
Linux
CVE-2022-31676
7.0<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
Important
10.3.25<https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html>
None
None
4. References:
Fixed Version(s) and Release Notes:
VMware Tools for Linux 12.1.0
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS1210&productId=1259&rPId=92824
https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html
VMware Tools for Linux 10.3.25
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VMTOOLS10325&productId=1072&rPId=92945
https://docs.vmware.com/en/VMware-Tools/10.3/rn/VMware-Tools-10325-Release-Notes.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
FIRST CVSSv3 Calculator:
CVE-2022-31676: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Upstream fix for CVE-2022-31676: \
https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/README.md
Thanks,
Sibi Aravind E
VMware Security Response Center
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic