April 30, H Security - (International) VMware patches vulnerabilities in ESX 4.1. Virtualization specialist VMware is warning customers about multiple security holes in versions 4.0 and 4.1 of its ESX enterprise-level computer virtualization product. According to the company, the Service Console in ESX 4.1 on unpatched systems can be exploited by a local user in a guest virtual machine to gain escalated privileges, or by a malicious remote user to cause a denial-of-service condition or compromise a victim's system. In its advisory, VMware notes that some of these holes, found in previous versions of the libxml2 XML C parser and toolkit used by the ESX Console Operating System (COS), were closed by updating libxml2 to a newer release. Versions 4.0 and 4.1 of ESX are affected; vCenter, ESXi, and ESX 3.5, as well as hosted products such as VMware Workstation, Player, ACE, and Fusion, are not vulnerable. Patches are available for ESX 4.1 that correct these problems, while patches for version 4.0 are listed as "pending."
Ali Loney, on April 30, 2012