Organizations running version 5.1 of VMware's vCenter Server Appliance (vCSA) on Linux should be aware of two other sets of vulnerabilities. The first is a remote code execution flaw that enables an attacker with stolen credentials to run existing files as root. The second vulnerability is found within the Virtual Appliance Management Interface (VAMI), where an authenticated remote attacker is allowed to upload files to an arbitrary location thereby creating new files or overwriting existing files. According to the VMware advisory, replacing certain files could result in a DoS condition.
Certain versions of VMware's ESX and ESXi hypervisors (4.0, 4.1 and 5.0) are also affected. According to VMware, there is a flaw in the hostd-vmdb that could allow an attacker to cause a DoS condition. In order to exploit this vulnerability, an attacker would need to intercept and modify the management traffic.
The advisory also identified a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain elevated privileges within the environment. However, exploiting this flaw may not prove easy as it requires some knowledge of the target user's session. According to VMware, an attacker would have to know a valid session ID of an already authenticated user.
In either instance, VMware said users can reduce the likelihood of these vulnerabilities from causing a problem by running vSphere components in an isolated management network to ensure that traffic does not get intercepted.
VMware also updated a number of third-party libraries, such as OpenSSL, across several of its product lines, including vCenter Server, ESX, and ESXi in order to resolve multiple security issues.
"These recent VMware patches underscore the critical nature of management in virtual infrastructure," said Eric Chiu, president and cofounder of HyTrust. "Without secure management, bad things can happen -- denial of service, breaches and data center disasters."
In some ways, virtualization has given some users a false sense of security. But that shouldn't be the case. As virtualization and cloud computing become the new top-level OS within the data center, the hypervisor is becoming a more attractive target for breaches and attacks.
Chiu went on to say, "It's critical to have comprehensive security for virtual infrastructure management to enforce fine-grain access controls over every action, including the NSA's 'two-man' rule requirement as well as role-based monitoring to detect potential threats in the environment."
It's also important to remember that in a physical environment, hackers have to concentrate on hacking individual servers or individual applications to cause chaos. But in a virtualized environment, a hacker can sometimes get away with entry through a single point and gain access to everything.
If VMware releases a patch or an update marked as "critical," don't blink -- take the security warning seriously and figure out how to best implement the fix. VMware customers shouldn't take any chances with their virtualized infrastructures. When VMware security advisories hit your inbox, don't skip over them; instead, read them and react accordingly.
This article, "VMware security advisories warn of multiple ESX, vCenter, and vSphere vulnerabilities," was originally published at InfoWorld.com. Follow the latest developments in virtualization and cloud computing at InfoWorld.com.