VMware patches critical openwsman security issues

VMware released a patch for a critical openwsman security issue, CVE-2008-2234. Affected are ESX 3.5 and ESXi 3.5 that have openwsman 2.0.0 installed. VMware Security Advisory VMSA-2008-0015 provides details on the openwsman versioning, on the patches and on the possible workaround. The openwsman service is running by default. This vulnerability can be exploited remotely however best practices provided by VMware recommend that the service console be isolated from the VM network.

The other patches for ESX(i) 3.5 released today update libpng, bind, net-snmp, and Perl. These patches and the patches released last month for ESX 3.0.1, 3.0.2, and 3.0.3 are listed in updated advisories VMSA-2008-0010, VMSA-2008-0011, VMSA-2008-0013, and VMSA-2008-0014.

Advisory VMSA-2008-0014 also lists the security issues that are fixed in the new versions of VMware Workstation, Player, ACE, and Server released last month.