Saturday, October 04, 2008
Today, VMware released a new version of VirtualCenter, VC2.5 Update 3, a new version of Virtual Consolidated Backup, VCB 1.1 Update 1, and patches for ESXi and ESX 3.5. These and the recently released versions of VMware's hosted products and patches for ESX 3.0.1, 3.0.2 and 3.0.3 address several security issues. The issues are described in a new and an updated security advisory published today.
One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system. The other security issues involve password disclosure and an update to JRE.
On a side note, we would like to thank everyone who completed our questionnaire on security advisories during the VMworld 2008 Security Lab. Expect a blog post on the results soon.
Expect more explanation in a separate blog post.