VMware fixes dozens of security bugs


Summary: The company has patched flaws, which are mostly found in third-party components, including Oracle's Java Runtime Environment


VMware last week issued patches for virtualisation products including ESXi, ESX Service Console and vCenter, fixing dozens of security bugs largely found in third-party components such as Oracle's Java Runtime Environment.

The security flaws include some that could potentially allow a remote attacker to execute malicious code on a user's system, VMware said in advisories published on Thursday.

Software components suffering from such bugs include the Kerberos network authentication protocol and the Gzip file compression application, both found in the ESX Service Console OS, according to the company.

The version of Kerberos found in the ESX Service Console OS is affected by integer overflows in the AES and RC4 functionality in the crypto library that could allow remote attackers to cause the daemon to crash. A remote attacker could also possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid, according to VMware.
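The "ciphertext too short to be valid" failure described above is a length underflow: a payload size is derived by unsigned subtraction before the input has been checked against the minimum the layout requires. The C below is an added illustration of that bug class and its fix; it is not MIT Kerberos or VMware code, and the block, checksum and buffer sizes are constructed assumptions for the example, not the real enctype parameters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the example (assumption, not a real enctype):
 * one confounder block in front of the payload, a checksum after it. */
#define BLOCK_LEN 16
#define CHECKSUM_LEN 12

/* Defective pattern: the payload length is computed with unsigned
 * arithmetic before anyone checks that the input is long enough. An
 * 8-byte ciphertext makes 8 - 28 wrap to a value near SIZE_MAX, and any
 * copy or loop sized from that result runs far past the buffer. */
size_t payload_len_unchecked(size_t ciphertext_len)
{
    return ciphertext_len - BLOCK_LEN - CHECKSUM_LEN;
}

/* Hardened form: reject inputs below the structural minimum first.
 * Returns the payload length, or -1 if the ciphertext is too short. */
long payload_len_checked(size_t ciphertext_len)
{
    if (ciphertext_len < BLOCK_LEN + CHECKSUM_LEN) {
        return -1;
    }
    return (long)(ciphertext_len - BLOCK_LEN - CHECKSUM_LEN);
}

/* Simulated decrypt step that copies the payload out of a ciphertext
 * buffer using the checked length. Returns bytes copied, or -1 on a
 * malformed input or an output buffer that is too small. */
long extract_payload(const uint8_t *ciphertext, size_t ciphertext_len,
                     uint8_t *out, size_t out_cap)
{
    long plen = payload_len_checked(ciphertext_len);
    if (plen < 0 || (size_t)plen > out_cap) {
        return -1;
    }
    memcpy(out, ciphertext + BLOCK_LEN, (size_t)plen);
    return plen;
}

/* Constructed inputs so the behaviour can be checked without a network:
 * an 8-byte message (shorter than any valid one) and a 40-byte message
 * carrying a 12-byte payload. */
long demo_short_input(void)
{
    uint8_t short_ct[8] = {0};
    uint8_t out[64];
    return extract_payload(short_ct, sizeof short_ct, out, sizeof out);
}

long demo_valid_input(void)
{
    uint8_t ct[40];
    uint8_t out[64];
    memset(ct, 0xAB, sizeof ct);
    return extract_payload(ct, sizeof ct, out, sizeof out);
}

int main(void)
{
    printf("unchecked length for 8-byte input: %zu\n", payload_len_unchecked(8));
    printf("checked result for 8-byte input:   %ld\n", demo_short_input());
    printf("checked result for 40-byte input:  %ld\n", demo_valid_input());
    return 0;
}
```

The unchecked function never fails; it silently returns a huge length, which is exactly why the defect surfaces as a daemon crash rather than a clean error. The fix is a single comparison against the minimum message size placed before any arithmetic on the length.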

Gzip's unlzw function, used to decompress LZW-compressed files, is affected by an integer overflow that could allow a remote attacker to trigger an array index error, VMware said. This could lead the application to crash or allow the execution of malicious code via a specially crafted LZW-compressed file.

Other patches addressed flaws in components including newt, nfs-utils, kpartx, libvolume_id, device-mapper-multipath, fipscheck, dbus, ed, OpenSSL, BIND, expat, OpenSSH, ntp and sudo.

The patches included more than 50 for the Java Runtime Environment (JRE), VMware said.

The advisory affecting third-party components in ESXi and ESX Service Console can be found here. The advisory affecting ESX Service Console and vSphere Management Assistant (vMA) can be found here. The advisory affecting JRE bugs in VMware vCenter can be found here.
