CVE-2021-22045: 
NixOS vulnerability analysis and mitigation

CVE-2021-22045 is a heap-overflow vulnerability discovered in VMware's CD-ROM device emulation affecting multiple VMware products including ESXi (versions 7.0, 6.7, and 6.5), VMware Workstation (16.2.0), and VMware Fusion (12.2.0). The vulnerability was privately reported to VMware by Jaanus Kääp from Clarified Security working with Trend Micro Zero Day Initiative, and was publicly disclosed on January 4, 2022 (VMware Advisory, ZDI Advisory).

The vulnerability is classified as a heap-overflow issue in the CD-ROM device emulation component. It has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. The technical assessment indicates that successful exploitation requires a CD image to be attached to the virtual machine (VMware Advisory).

The vulnerability allows local attackers to escalate privileges on affected installations. When successfully exploited, this vulnerability could enable an attacker to execute arbitrary code in the context of the hypervisor from a virtual machine, potentially compromising the security of the host system (ZDI Advisory).

VMware has released patches for affected products: ESXi 7.0 should upgrade to ESXi70U3c-19193900, ESXi 6.7 to ESXi670-202111101-SG, ESXi 6.5 to ESXi650-202110101-SG, Workstation to version 16.2.0, and Fusion to version 12.2.0. For systems that cannot be immediately patched, VMware recommends disabling CD-ROM/DVD devices of all running virtual machines as a temporary mitigation measure (Security Online).