VMware releases patches for ESX code leak

By Kevin McLaughlin on May 4, 2012 7:34 AM
Filed under Security

Heightened risk possible.

VMware on Thursday released security patches for products it says could face heightened risk due to last month's ESX server hypervisor source code leak.

The patches address five "critical security issues" in VMware's Workstation, Player, ESXi and ESX products, the vendor said in a security bulletin. All five vulnerabilities could enable an attacker to execute code on the host; two require root or administrator level permissions and two do not.

"In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products," VMware said in a separate blog post.

One of the vulnerabilities, which affects ESX's handling of Network File System (NFS) traffic, could enable a user with access to the network to execute code on the ESXi/ESX host without authentication, VMware said in the bulletin.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected," VMware said in the blog post.

VMware credited Derek Soeder, a security researcher at Ridgeway Internet Security, Sulphur Springs, Texas, with reporting two host memory overwrite vulnerabilities affecting ESX and ESXi.

VMware last week announced that a single file from its ESX server hypervisor source code had been posted online and said more proprietary files could be leaked in the future.

"Hardcore Charlie," the LulzSec-affiliated hacker who posted the VMware ESX source code online on April 8, has vowed to publish 300 MB of the pilfered ESX source code on May 5, so VMware is apparently trying to get out in front of security issues that could arise from such a disclosure.

VMware has been relatively unscathed from a security standpoint and does not have to deal with the flood of security exploits that companies such as Microsoft and Oracle deal with regularly. So far, security experts are impressed with VMware's response to the ESX issue.

"It does seem that this disclosure has rattled VMware a bit. However, their rush to patch is a good sign," said Andrew Plato, president of Anitian Enterprise Security, security solution provider. "They are clearly taking this seriously and communicating with their customers."

"I like the way VMware is handling this," said Robert Germain, vice president of engineering at solution provider Hub Technical Services. "They're being very open and telling customers to make sure they're up to date with products and patches."

This article originally appeared at crn.com

 
Follow us on Facebook and Twitter
 

Copyright © 2014 The Channel Company, LLC. All rights reserved.

VMware releases patches for ESX code leak
 
 
 
 
 
Top Stories
Malcolm Turnbull launches Dimension Data ACT data centre
Scared of cloud? It's just fear of change, says communications minister.
 
Telstra reveals govt cloud launch for 2015
Telco pips Dimension Data launch but scant on details.
 
Data#3 predicts profit U-turn after three years of declines
Can outgoing John Grant turn things around?
 
Sign up to receive CRN email bulletins
   FOLLOW US...
Polls
What would help your business most?


Latest Comments
CRN Magazine

Issue: 333 | November 2014

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.