VMware Releases Expedited Patches For ESX Source Code Leak


VMware on Thursday released security patches for products it says could face heightened risk due to last month's ESX server hypervisor source code leak.

The patches address five "critical security issues" in VMware's Workstation, Player, ESXi and ESX products, the Palo Alto, Calif.-based vendor said in a security bulletin. All five vulnerabilities could enable an attacker to execute code on the host; two require root or administrator level permissions and two do not.

"In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products," VMware said in a separate blog post.

One of the vulnerabilities, which affects ESX's handling of Network File System (NFS) traffic, could enable a user with access to the network to execute code on the ESXi/ESX host without authentication, VMware said in the bulletin.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected," VMware said in the blog post.

VMware credited Derek Soeder, a security researcher at Ridgeway Internet Security, Sulphur Springs, Texas, with reporting two host memory overwrite vulnerabilities affecting ESX and ESXi.

VMware last week announced that a single file from its ESX server hypervisor source code had been posted online and said more proprietary files could be leaked in the future.

"Hardcore Charlie," the LulzSec-affiliated hacker who posted the VMware ESX source code online on April 8, has vowed to publish 300 MB of the pilfered ESX source code on May 5, so VMware is apparently trying to get out in front of security issues that could arise from such a disclosure.

VMware has been relatively unscathed from a security standpoint and does not have to deal with the flood of security exploits that companies such as Microsoft and Oracle deal with regularly. So far, security experts are impressed with VMware's response to the ESX issue.

"It does seem that this disclosure has rattled VMware a bit. However, their rush to patch is a good sign," said Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security solution provider. "They are clearly taking this seriously and communicating with their customers."

"I like the way VMware is handling this," said Robert Germain, vice president of engineering at Hub Technical Services, a South Easton, Mass.-based solution provider. "They're being very open and telling customers to make sure they're up to date with products and patches."