CD-ROM Device Emulation Heap-Overflow Vulnerability for ESXi 7

It looks like a patch is pending for ESXi 7 around CVE-2021-22045. Severity is listed as ‘important’ so you should make every effort to patch other systems that are identified in the VMware security advisory.

The bug (CVE-2021-22045) is a high-severity heap-overflow vulnerability carrying a CVSS rating of 7.7 out of 10. Heap overflows are memory issues that can result in data corruption or unexpected behavior by any process that accesses the affected memory area – in some cases resulting in remote code execution (RCE).

If successful though, attackers could compromise the host operating system of the hypervisor. Taking over a hypervisor, which is the highly privileged software that creates and runs VMs and governs how resources are shared among them (such as memory and processing), can give cybercriminals a clear path to accessing any of the data or applications stored in the VMs it controls, and executing code or installing files on those VMs, depending on the security controls that are implemented.

There is a workaround and can be used as a temporary solution. Which requires that all CD-ROM/DVD devices are disabled/disconnected on all running virtual machines.