VMware Patches One Version

Wednesday, May 2, 2012 @ 11:05 AM gHale

A patch is available for one version of the vulnerable VMware software, while another version is still pending.

VMware is warning customers about multiple security holes in versions 4.0 and 4.1 of its ESX enterprise-level computer virtualization product.

On unpatched systems, the Service Console in ESX 4.1 can be exploited by a local user in a guest virtual machine to gain escalated privileges, or by a malicious remote user to cause a denial-of-service (DoS) condition or compromise a victim’s system, company officials said.

In its advisory, VMware said some of these holes, found in previous versions of the libxml2 XML C parser and toolkit used by the ESX Console Operating System (COS), are closed by updating libxml2 to a newer release.

Versions 4.0 and 4.1 of ESX are affected by the issue; vCenter, ESXi and ESX 3.5, as well as hosted products such as VMware Workstation, Player, ACE and Fusion, are not vulnerable.

Patches are available for ESX 4.1 that correct these problems, while patches for version 4.0 are “pending.”