VMware has announced that it has patched vulnerabilities in its Tools and Workstation software. The first security hole, CVE-2019-5522, impacts VMware Tools 10.x on Windows and has been described as an out-of-bounds read issue in the vm3dmp driver, which is installed in Windows guest machines. “A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine,” VMware said in its advisory.
The second vulnerability, CVE-2019-5525, is a use-after-free bug affecting the Advanced Linux Sound Architecture (ALSA) backend in Workstation 15.x. VMware says the weakness could allow an attacker with normal user privileges on the guest machine to execute arbitrary code on the Linux host on which Workstation is installed. However, code execution can only be achieved if this flaw is combined with another vulnerability.