Scott's Weblog The weblog of an IT pro specializing in cloud computing, virtualization, and networking, all with an open source view

ESX Security Issues

Some security vulnerabilities in VMware ESX Server have been disclosed in the last few days. Secunia released this advisory covering multiple vulnerabilities, which include flaws in the bundled versions of OpenSSH, OpenSSL, and Python that ship with the service console (which, as you may already know, is a modified form of Red Hat Enterprise Linux).

A patch to address these vulnerabilities is available for the affected versions of ESX from the VMware web site; the links for the ESX 3.0.0 and ESX 3.0.1 patches are below.

Patch for ESX 3.0.0:

http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

Patch for ESX 3.0.1:

http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

One of the vulnerabilities mentioned in the Secunia advisory above pertains to incorrect SSL key permissions; more information on that issue can be found in this VMware KB document. This issue also affects some of VMware’s hosted products, such as VMware Server, VMware Player, and VMware Workstation.

In addition, a possible cross-site scripting exploit has been uncovered in Apache, which is used by ESX Server. VMware provides more information on the possible exploit on their web site, and further details are available in the CVE candidate entry.
