VMware Patches vSphere API Security Bug

Virtualisation software vendor VMware has released an update to fix a security issue in its vSphere API.

The update patches a denial-of-service (DoS) vulnerability in ESX and ESXi, and was accompanied by several open source security fixes for the ESX Service Console.

Denial of service

“The VMware vSphere API contains a denial of service vulnerability,” the company explained in an advisory. “This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected.”

The advisory was issued on 15 November.

The update impacts VMware ESXi 4.1 without patch ESXi410-201211401-SG and VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, and ESX410-201211407-SG.

Virtualisation is a prime target for breaches and attacks, especially at the management level, which is the easiest way to exploit a virtualised environment and get the “keys to the kingdom,” said Eric Chiu, president and founder of virtualisation security vendor HyTrust, in a statement.

“This really shows how vulnerabilities can be exploited, and how important it is to secure today’s virtualisation and cloud environments; after all, this is the new [operating system] of the data centre and provides access to the virtual machines, the virtual network and mission critical enterprise applications, and the virtualised storage resources as well,” Chiu said.

Other issues

In addition to the API patch, VMware’s update fixes issues in the ESX Service Console’s expat, python, nspr and nss packages. This includes a patch for the ESX Service Console Netscape Portable Runtime and Network Security Services RPMs to versions nspr-4.9.1.4.el5_8 and nss-3.13.5.4.9834, respectively, to resolve multiple security issues, including a certificate trust issue caused by a fraudulent DigiNotar root certificate.

The update comes after VMware warned customers earlier this month that more source code for its ESX hypervisor technology could become public after more code was leaked by a hacker. The source code dates back to 2004 and is associated with other code leaked on the web in April, VMware Director of Platform Security Iain Mulholland said in a post on the VMware Security and Compliance blog. He did not indicate what risk the current release poses to customers.

“It is possible that more related files will be posted in the future,” Mulholland wrote on 4 November. “We take customer security seriously and have engaged our VMware Security Response Centre to thoroughly investigate. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment.”

Do you know all about UK tech leader ARM Holdings? Take our quiz!

Originally published on eWeek.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

32 mins ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

18 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

20 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

21 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

22 hours ago