VMware releases patches for ESX code leak

By Kevin McLaughlin on May 4, 2012 7:34 AM
Filed under Security

Heightened risk possible.

VMware on Thursday released security patches for products it says could face heightened risk due to last month's ESX server hypervisor source code leak.

The patches address five "critical security issues" in VMware's Workstation, Player, ESXi and ESX products, the vendor said in a security bulletin. All five vulnerabilities could enable an attacker to execute code on the host; two require root or administrator level permissions and two do not.

"In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products," VMware said in a separate blog post.

One of the vulnerabilities, which affects ESX's handling of Network File System (NFS) traffic, could enable a user with access to the network to execute code on the ESXi/ESX host without authentication, VMware said in the bulletin.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected," VMware said in the blog post.

VMware credited Derek Soeder, a security researcher at Ridgeway Internet Security, Sulphur Springs, Texas, with reporting two host memory overwrite vulnerabilities affecting ESX and ESXi.

VMware last week announced that a single file from its ESX server hypervisor source code had been posted online and said more proprietary files could be leaked in the future.

"Hardcore Charlie," the LulzSec-affiliated hacker who posted the VMware ESX source code online on April 8, has vowed to publish 300 MB of the pilfered ESX source code on May 5, so VMware is apparently trying to get out in front of security issues that could arise from such a disclosure.

VMware has been relatively unscathed from a security standpoint and does not have to deal with the flood of security exploits that companies such as Microsoft and Oracle deal with regularly. So far, security experts are impressed with VMware's response to the ESX issue.

"It does seem that this disclosure has rattled VMware a bit. However, their rush to patch is a good sign," said Andrew Plato, president of Anitian Enterprise Security, security solution provider. "They are clearly taking this seriously and communicating with their customers."

"I like the way VMware is handling this," said Robert Germain, vice president of engineering at solution provider Hub Technical Services. "They're being very open and telling customers to make sure they're up to date with products and patches."

This article originally appeared at crn.com

Follow us on Facebook and Twitter

Copyright © 2015 The Channel Company, LLC. All rights reserved.


VMware releases patches for ESX code leak
Top Stories
Award winners from the 2015 CRN Fast50
[Photos] See who picked up a prize at the awards last week.
Hills chief: transformation cost us customers, staff, revenue
Will "get back to basics" after tumultuous years.
The red carpet at the 2015 CRN Fast50
[Photos] The nation's best resellers celebrate.
Sign up to receive CRN email bulletins
Was your most important vendor the same in 2015 as in 2014?

Latest Comments
CRN Magazine

Issue: 343 | October 2015

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.