VMware Patches vSphere API Security Bug

Virtualisation software vendor VMware has released an update to fix a security issue in its vSphere API.

The update patches a denial-of-service (DoS) vulnerability in ESX and ESXi, and was accompanied by several open source security fixes for the ESX Service Console.

Denial of service

“The VMware vSphere API contains a denial of service vulnerability,” the company explained in an advisory. “This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected.”

The advisory was issued on 15 November.

The update impacts VMware ESXi 4.1 without patch ESXi410-201211401-SG and VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, and ESX410-201211407-SG.

Virtualisation is a prime target for breaches and attacks, especially at the management level, which is the easiest way to exploit a virtualised environment and get the “keys to the kingdom,” said Eric Chiu, president and founder of virtualisation security vendor HyTrust, in a statement.

“This really shows how vulnerabilities can be exploited, and how important it is to secure today’s virtualisation and cloud environments; after all, this is the new [operating system] of the data centre and provides access to the virtual machines, the virtual network and mission critical enterprise applications, and the virtualised storage resources as well,” Chiu said.

Other issues

In addition to the API patch, VMware’s update fixes issues in the ESX Service Console’s expat, python, nspr and nss packages. This includes a patch for the ESX Service Console Netscape Portable Runtime and Network Security Services RPMs to versions nspr-4.9.1.4.el5_8 and nss-3.13.5.4.9834, respectively, to resolve multiple security issues, including a certificate trust issue caused by a fraudulent DigiNotar root certificate.

The update comes after VMware warned customers earlier this month that more source code for its ESX hypervisor technology could become public after more code was leaked by a hacker. The source code dates back to 2004 and is associated with other code leaked on the web in April, VMware Director of Platform Security Iain Mulholland said in a post on the VMware Security and Compliance blog. He did not indicate what risk the current release poses to customers.

“It is possible that more related files will be posted in the future,” Mulholland wrote on 4 November. “We take customer security seriously and have engaged our VMware Security Response Centre to thoroughly investigate. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment.”

Do you know all about UK tech leader ARM Holdings? Take our quiz!

Originally published on eWeek.