VMware Issues Security Update for vSphere API DoS Flaw
Virtualization vendor VMware released a patch earlier this month to repair a denial-of-service (DoS) vulnerability in its vSphere API.
The flaw, if taken advantage of by attackers, could stop a host from accessing the Web service.
"This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon," wrote VMware in a security advisory. "Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected."
According to VMware, the update should be applied to VMware ESXi 4.1 without patch ESXi410-201211401-SG, and to VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG and ESX410-201211407-SG.
The update, which was made available on Nov. 15, doesn't appear to be related to a leaked code issue that VMware warned the public about earlier in the month:
"Today, Nov. 4, 2012, our security team became aware of the public posting of VMware ESX source code dating back to 2004," wrote VMware in a blog post. "This source code is related to the source code posted publicly on April 23, 2012. It is possible that more related files will be posted in the future. We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate."
However, it is recommended that all vSphere API users patch to the latest version in case issues with the leaked code do arise in the future.