VMware Patches vSphere API Security Bug

Virtualisation software vendor VMware has released an update to fix a security issue in its vSphere API.

The update patches a denial-of-service (DoS) vulnerability in ESX and ESXi, and was accompanied by several open source security fixes for the ESX Service Console.

Denial of service

“The VMware vSphere API contains a denial of service vulnerability,” the company explained in an advisory. “This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected.”

The advisory was issued on 15 November.

The update impacts VMware ESXi 4.1 without patch ESXi410-201211401-SG and VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, and ESX410-201211407-SG.

Virtualisation is a prime target for breaches and attacks, especially at the management level, which is the easiest way to exploit a virtualised environment and get the “keys to the kingdom,” said Eric Chiu, president and founder of virtualisation security vendor HyTrust, in a statement.

“This really shows how vulnerabilities can be exploited, and how important it is to secure today’s virtualisation and cloud environments; after all, this is the new [operating system] of the data centre and provides access to the virtual machines, the virtual network and mission critical enterprise applications, and the virtualised storage resources as well,” Chiu said.

Other issues

In addition to the API patch, VMware’s update fixes issues in the ESX Service Console’s expat, python, nspr and nss packages. This includes a patch for the ESX Service Console Netscape Portable Runtime and Network Security Services RPMs to versions nspr-4.9.1.4.el5_8 and nss-3.13.5.4.9834, respectively, to resolve multiple security issues, including a certificate trust issue caused by a fraudulent DigiNotar root certificate.

The update comes after VMware warned customers earlier this month that more source code for its ESX hypervisor technology could become public after more code was leaked by a hacker. The source code dates back to 2004 and is associated with other code leaked on the web in April, VMware Director of Platform Security Iain Mulholland said in a post on the VMware Security and Compliance blog. He did not indicate what risk the current release poses to customers.

“It is possible that more related files will be posted in the future,” Mulholland wrote on 4 November. “We take customer security seriously and have engaged our VMware Security Response Centre to thoroughly investigate. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment.”

Do you know all about UK tech leader ARM Holdings? Take our quiz!

Originally published on eWeek.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

19 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

20 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

21 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago