VMware issues 'critical' ESXi security advisory

VMware has released new ESXi and ESX 3.5 packages to fix a "critical" security issue that allows a remote, unauthenticated attacker to launch harmful code on the host running the hypervisor.

According to this VMware advisory, the patches fix two remote buffer overflows in the handling of HTTP basic authentication headers.

  • This vulnerability could potentially be exploited by users without valid login credentials.

The vulnerability exists in the "Openwsman" system management platform which is enabled by default in ESX to implement the Web Services Management protocol (WS-Management).