VMware has recently released a set of new updates and patches for a number of its products to help address several security issues that have been identified. These multiple security issues are described in a new security announcement covering VMware VirtualCenter 2.5 Update 3 and patches for ESX and ESXi. There is also an updated VMware security advisory that details information on other VMware products such as Workstation, Player, ACE, Server, and VCB.

VMware released updates for ESX and ESXi as well as an Update 3 patch for VirtualCenter 2.5. One reason why people are flocking to virtualization is because it offers an easy high-availability solution, and this is one area that is being addressed with the latest round of patching. A number of issues have been addressed with VMware High Availability: network compliance checking, HA-DRS clustering and maintenance mode, advanced settings, and user permission issues.

VMware VirtualCenter Update 3 also addresses potential information disclosure and updates to Java JRE packages. The new update resolves an issue where a user's password could be displayed in cleartext. When logging into VirtualCenter Server 2.0 with Virtual Infrastructure Client 2.5, the user password might be displayed if it contains certain special characters. The dialog box displaying the password can appear in front or hidden behind other windows. The patch also updates the JRE package to Version 1.5.0_16, which addresses multiple security issues that existed in the previous version of JRE.

You can read more about these issues in the VirtualCenter 2.5 Update 3 Release Notes.

The latest security advisory also addresses an in-guest privilege escalation on 64-bit guest operating systems in ESX, ESXi, and previously released versions of the company's hosted product line. A flaw in VMware's CPU hardware emulation could allow the virtual CPU to jump to an incorrect memory address. Exploitation of this issue on the guest operating system does not lead to a compromise of the host system but could lead to a privilege escalation on the guest operating system.

And updates to VMware Workstation, Player, ACE, Server, and VCB also address information disclosure, privilege escalation, and other security issues.

One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service attack. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically, but IIS 5.0 does not when its Startup Type is set to Manual.

This release also fixes privilege escalation vulnerabilities in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges.