Virtualization software maker VMware shipped a security update for its vSphere API yesterday that resolved a denial-of-service vulnerability in ESX and ESXi and added a number of open source security updates to the ESX Service Console.
The patch affects the following releases: VMware ESXi 4.1 without patch ESXi410-201211401-SG and VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, and ESX410-201211407-SG.
The advisory addresses an issue in VMware’s vSphere API that, if unpatched, could give unauthenticated users the ability to send maliciously crafted API requests and disable the host daemon. A successful exploit would hinder management activities but would not affect virtual machines running on the host.
You can read about the various other vulnerabilities fixed in the shipment, including a fix for a certificate trust issue caused by last year’s breach at DigiNotar, on VMware’s security page.
Sebastián Tullo of Core Security Technologies disclosed the bug to VMware.