VMware releases patches for ESX code leak

By Kevin McLaughlin on May 4, 2012 7:34 AM
Filed under Security

Heightened risk possible.

VMware on Thursday released security patches for products it says could face heightened risk due to last month's ESX server hypervisor source code leak.

The patches address five "critical security issues" in VMware's Workstation, Player, ESXi and ESX products, the vendor said in a security bulletin. All five vulnerabilities could enable an attacker to execute code on the host; two require root or administrator level permissions and two do not.

"In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products," VMware said in a separate blog post.

One of the vulnerabilities, which affects ESX's handling of Network File System (NFS) traffic, could enable a user with access to the network to execute code on the ESXi/ESX host without authentication, VMware said in the bulletin.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected," VMware said in the blog post.

VMware credited Derek Soeder, a security researcher at Ridgeway Internet Security, Sulphur Springs, Texas, with reporting two host memory overwrite vulnerabilities affecting ESX and ESXi.

VMware last week announced that a single file from its ESX server hypervisor source code had been posted online and said more proprietary files could be leaked in the future.

"Hardcore Charlie," the LulzSec-affiliated hacker who posted the VMware ESX source code online on April 8, has vowed to publish 300 MB of the pilfered ESX source code on May 5, so VMware is apparently trying to get out in front of security issues that could arise from such a disclosure.

VMware has been relatively unscathed from a security standpoint and does not have to deal with the flood of security exploits that companies such as Microsoft and Oracle deal with regularly. So far, security experts are impressed with VMware's response to the ESX issue.

"It does seem that this disclosure has rattled VMware a bit. However, their rush to patch is a good sign," said Andrew Plato, president of Anitian Enterprise Security, security solution provider. "They are clearly taking this seriously and communicating with their customers."

"I like the way VMware is handling this," said Robert Germain, vice president of engineering at solution provider Hub Technical Services. "They're being very open and telling customers to make sure they're up to date with products and patches."

This article originally appeared at crn.com

Follow us on Facebook and Twitter

Copyright © 2015 The Channel Company, LLC. All rights reserved.


VMware releases patches for ESX code leak
Top Stories
AFL star joins Melbourne's Broadband Solutions
Shaun Grigg starts second job at peak of footy career.
Amazon Web Services killing it: revenue up 64%
Cloud vendor also triples operating income.
WestConnex signs national reseller Viatek
Five-year deal with Sydney Motorway Corporation.
Sign up to receive CRN email bulletins
What's the most important factor when partnering with a new vendor?

Latest Comments
CRN Magazine

Issue: 347 | March 2016

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.