Virtualization Technology News and Information
Heise Security Reports on Security Updates from VMware

Virtualisation vendor VMware has released updates for its ESX Server and VirtualCenter products that fix multiple vulnerabilities. ESX Server 3.0.1 and 3.0.2 ship the OpenPegasus CIM management server, which contains a buffer overflow that a remote attacker can exploit to inject code and execute it with root privileges. According to the report, the bug is in the PAMBasicAuthenticator::PAMCallback() function, which performs authentication via pluggable authentication modules (PAM), so the flaw sits in the authentication path itself. ESX Server 3.5 and ESX Server 3i are not affected. The vendor recommends that users of version 2.5 move to a patched version 3.0.1 or later.

VMware is not alone in being affected by the problem, which exists in OpenPegasus versions 2.7 and earlier. Other vendors such as Red Hat are also releasing new OpenPegasus packages. OpenPegasus is an open-source CIM server implementing Web-Based Enterprise Management (WBEM), intended to simplify monitoring and configuration of remote resources.

The VMware updates also fix vulnerabilities in the ESX Server service console packages, which include Samba, Perl, OpenSSL and util-linux. Only the Samba vulnerability is rated critical: it can be exploited with crafted packets from the local network to inject code and execute it with the privileges of the Samba server.

Finally, the updates fix a few older vulnerabilities in software included with VirtualCenter Management Server 2 and ESX Server 3.0.1 and 3.0.2. This software includes the Tomcat server, versions 5.5.17 to 5.5.25 of which contain a number of vulnerabilities. In addition, the Java runtime environment (JRE) has been updated to fix some vulnerabilities.
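As an added example (not code from the Heise report, from VMware, or from the advisory), the following POSIX shell script turns the two affected-version lists in the text, ESX Server 3.0.1 and 3.0.2 for the OpenPegasus CIM server overflow and Tomcat 5.5.17 to 5.5.25 for the bundled Tomcat, into a check an administrator could run on the service console. The `vmware -v` output format, the CIM server listening on TCP 5989 (the usual WBEM-over-HTTPS port), and the availability of `netstat` on the console are assumptions rather than details from the article; the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the Heise article or from VMware's advisory.
# Classifies version strings against the affected lists the article gives:
#   ESX Server 3.0.1 / 3.0.2  -> OpenPegasus CIM server buffer overflow
#   Tomcat 5.5.17 .. 5.5.25   -> Tomcat issues bundled with VirtualCenter/ESX
# Assumptions (not stated in the article): `vmware -v` on the ESX service
# console prints "VMware ESX Server <version> build-<n>", the CIM server
# listens on TCP 5989 (the usual WBEM-over-HTTPS port), and netstat exists.

# Usage: esx_openpegasus_affected "<output of vmware -v>"
# Exit 0 if the version is on the affected list, 1 otherwise.
esx_openpegasus_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^VMware ESX Server \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        3.0.1|3.0.2) return 0 ;;   # affected per the article
        *)           return 1 ;;   # 3.5, 3i, 2.5 and anything unparsed: not listed
    esac
}

# Usage: tomcat_in_affected_range "Apache Tomcat/5.5.20"   (or bare "5.5.20")
# Exit 0 if 5.5.17 <= version <= 5.5.25, 1 for anything else or unparsable input.
tomcat_in_affected_range() {
    v=${1##*/}                                     # drop an "Apache Tomcat/" prefix
    case "$v" in ""|*[!0-9.]*) return 1 ;; esac    # reject non-numeric input early
    set -- $(printf '%s\n' "$v" | tr '.' ' ')      # split into major minor patch
    [ "$#" -eq 3 ] || return 1
    if [ "$1" -eq 5 ] && [ "$2" -eq 5 ] && [ "$3" -ge 17 ] && [ "$3" -le 25 ]; then
        return 0
    fi
    return 1
}

# Live check for the host this runs on. Prints a verdict and exits 0 when the
# CIM patch is needed, 1 when the host is not on the affected list, 2 when the
# host does not look like an ESX service console at all.
check_esx_host() {
    v=$(vmware -v 2>/dev/null) || { echo "vmware -v not available: not an ESX service console?"; return 2; }
    if esx_openpegasus_affected "$v"; then
        echo "AFFECTED by the OpenPegasus CIM server overflow: $v"
        # The bug is remotely reachable, so an exposed listener raises the urgency.
        if netstat -tln 2>/dev/null | grep -q ':5989 '; then
            echo "  CIM listener on tcp/5989 is up (assumed WBEM port); apply the VMware update now"
        else
            echo "  no listener on tcp/5989 seen; still apply the update"
        fi
        return 0
    fi
    echo "not on the affected list for the CIM bug: $v"
    return 1
}

# Run the live check only when explicitly asked, so the functions can be
# sourced and exercised with constructed strings on any machine, e.g.:
#   esx_openpegasus_affected "VMware ESX Server 3.0.2 build-12345"   # exit 0
#   tomcat_in_affected_range "Apache Tomcat/5.5.26"                  # exit 1
if [ "${1-}" = "--live" ]; then
    check_esx_host
fi
```

Run it with `--live` on the service console of each ESX host to get the verdict; the Tomcat check takes whatever version string you pull from the VirtualCenter installation, since the article does not say how that version is reported.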

Further details and links to the updates can be found in the vendor's original security advisory.

See also: the original report from Heise.

Published Tuesday, January 08, 2008 6:01 AM by David Marshall