VMware Security Patches Released

Hot off the press are a few security patches for a variety of VMware products. Advisories include the products ESXi, Workstation, Fusion, and vCloud Director. As always with security updates, read the release notes, assess your risk, deploy the patches in a lab, test, then gently roll out to production.

The first advisory, VMSA-2019-0005, has a 'critical' severity rating and affects ESXi, Workstation and Fusion. Thankfully the vulnerability is limited to those VMs with a virtual USB controller present. Best practice for VMs is to remove any virtual hardware, such as USB controllers, that the guest does not need. So depending on the hygiene of your VMs, this may not even be an issue for the majority of your ESXi VMs.
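A quick way to find out which of your ESXi VMs still carry the virtual USB controller that VMSA-2019-0005 depends on is a PowerCLI inventory pass. This is an added example, not code from the original post or from VMware; it assumes PowerCLI is installed and an existing Connect-VIServer session with read access to the inventory, and the controller type names are the vSphere API's own device classes.

```powershell
# Added example (not from the original post): list VMs that still have a
# virtual USB controller, the precondition VMSA-2019-0005 relies on.
# Assumes an existing Connect-VIServer session.

# vSphere API device classes for the two virtual USB controller kinds
# (UHCI/EHCI and xHCI).
$usbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

$report = foreach ($vm in Get-VM) {
    $controllers = $vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $usbControllerTypes -contains $_.GetType().Name }

    if ($controllers) {
        # Number of USB devices attached to the controller(s); a controller
        # that is actually in use needs a conversation with the VM owner
        # before it is removed, an empty one is a straightforward cleanup.
        $attached = ($controllers | ForEach-Object { $_.Device.Count } |
            Measure-Object -Sum).Sum

        [pscustomobject]@{
            VM          = $vm.Name
            PowerState  = $vm.PowerState
            Host        = $vm.VMHost.Name
            Controllers = ($controllers | ForEach-Object { $_.GetType().Name }) -join ','
            AttachedUSB = [int]$attached
        }
    }
}

$report | Sort-Object VM | Format-Table -AutoSize

# Keep a copy for the change record before any controllers are removed.
if ($report) {
    $report | Export-Csv -Path .\vms-with-usb-controllers.csv -NoTypeInformation
}
```

VMs that show up with AttachedUSB of 0 are the easy wins for the hygiene advice above; the rest are the ones the patch actually matters for until the controller can be removed.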

However, Workstation and Fusion are also affected and have additional vulnerabilities in the e1000 driver. Unfortunately for Workstation and Fusion users, the USB controller is likely installed by default on your VMs, so the vulnerability is probably more widespread on desktops. However, these should be less critical VMs (can we say test/dev), so the risk of the exploit is lower than in the datacenter. Then there's a VMware Fusion vulnerability regarding an unauthenticated API issue.

Finally, there is VMSA-2019-0004. This bulletin addresses vCloud Director and a possible remote session hijack vulnerability. vCD is now mostly limited to service providers, so the blast radius for this issue is fairly well contained. The vulnerability is in the tenant and provider portals and, if exploited, could allow a malicious actor to impersonate a currently logged-in user.

Links

VMSA-2019-0005 (ESXi, Fusion, Workstation)
VMSA-2019-0004 (vCloud Director)

Summary

Again, before deciding you need to roll out these patches, fully read the release notes, test, then push to production. If you are a Nutanix customer, we fully support customers installing ESXi security patches, as long as the version of AOS you are running is compatible with the ESXi version (e.g. v6.0, v6.5, etc.) that you are patching.
