Resolution is documented in
VMSA-2023-0008 Workaround:
The workaround for CVE-2023-20872 is to remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller.
Prerequisites:
Shut down or power off the virtual machine. You cannot change the setting while the virtual machine is powered on or suspended.
1. Remove CD/DVD device from a virtual machine on the impacted products by following the procedure described here:
VMware Workstation:
- To remove hardware from a selected virtual machine, select VM > Settings, click the Hardware tab,
- Select the CD/DVD and click Remove.
VMware Fusion
- Select a virtual machine in the Virtual Machine Library window. Click on "Virtual Machine" menu and click on "Settings".
- Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.
2. Configure the virtual machine NOT to use a virtual SCSI controller on the impacted products by following the procedure described here:
VMware Workstation:
- Select VM > Settings, click the Hardware tab, select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
- You can configure the Bus type
VMware Fusion
- Select a virtual machine in the Virtual Machine Library window. Click on "Virtual Machine" menu and click on "Settings".
- Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
- You can configure the Bus type