VMware has fixed critical security bugs in two of its virtualization products that could allow a remote attacker to remotely install malware on a host machine.

The patches, which apply to ESXi and ESX 3.5, fix two buffer overflow bugs that reside in a component known as openwsman. It provides web services management functionality and is enabled by default. The vulnerabilities could be exploited by people without login credentials to the system, VMware warns here.

VMware went on to say the bug can only be exploited if the attacker has access to the service console network. That isn't something VMware advises, but it's a fair bet that some people do it anyway.

The bug has been designated CVE-2008-2234 by the Common Vulnerabilities and Exposures Project. ®

Related stories

• VMware piles up next virtual stack for servers (23 December 2008)
• VMware freezes hiring, gives chilly outlook (22 October 2008)
• CanSecWest How safe is VMware's hypervisor? (27 March 2008)
• VMware opens its products to security apps (28 February 2008)
• VMware vuln exposes the perils of virtualization (25 February 2008)
• VMWare update lances virtual bugs (22 February 2008)
• VMware parades virtualization for the SMB masses (4 December 2007)
• VMware updates take aim at bug swarm (24 September 2007)