VMware patches vulnerabilities in ESX 4.1
Virtualisation specialist VMware is warning customers about multiple security holes in versions 4.0 and 4.1 of its ESX enterprise-level computer virtualisation product.
According to the company, on unpatched systems the Service Console in ESX 4.1 can be exploited by a local user in a guest virtual machine to gain escalated privileges, or by a malicious remote user to cause a denial-of-service (DoS) condition or compromise a victim's system. In its advisory, VMware notes that some of these holes were found in previous versions of libxml2, the XML C parser and toolkit used by the ESX Console Operating System (COS), and have been closed by updating libxml2 to a newer release.
Versions 4.0 and 4.1 of ESX are affected; vCenter, ESXi and ESX 3.5 as well as hosted products such as VMware Workstation, Player, ACE and Fusion are not vulnerable. Patches are available for ESX 4.1 that correct these problems, while patches for version 4.0 are listed as "pending".
Further information about the vulnerabilities can be found in the company's security advisory.
- VMSA-2012-0008: VMware ESX updates to ESX Service Console, security advisory from VMware.