VMware has confirmed that the source code for its enterprise-level virtualisation platform – ESX hypervisor – has been leaked online and is urging users to apply security patches.
This is the second time the ESX source code has been publicly posted.
In a blog post, Iain Mulholland, director of platform security at VMware said that on Sunday, 4 November, the VMware security team became aware of the public posting of VMware ESX source code dating back to 2004.
A Netherlands-based Twitter account by the name Stun (@57UN) posted on Twitter a link to a downloadable torrent file with the full ESX server kernel code.
“WILD LEAKY LEAK. FULL VMware ESX Server Kernel LEAKED,” the tweet read.
The server kernel forms the core of the operating system (OS) on which VMware ESX runs.
Mulholland warned that more related files could be posted in the future.
“As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment,” he said.
Read more on hypervisor security
- How to apply security patches to ESX and ESXi hosts
- How to patch VMware ESXi
- VMware downplays source code leak
Customers can find the security patch information in VMware’s Knowledge Base resource
“We also recommend customers review our security hardening guides,” Mulholland added.
The security hardening guides provide prescriptive guidance for virtualisation professionals on how to deploy VMware hypervisors in a secure manner. They also provide script examples and other information to help with security automation
In April, the company stated that a single file from the VMware ESX source code has been publicly posted. At that time too, its security team said that there is a possibility that “more files may be posted in the future.”
But VMware downplayed the risk to customers. “The fact that the source code may have been publicly shared does not necessarily mean there is any increased risk to VMware customers,” Mulholland said at that time.
VMware’s Security Response Center is currently investigating the posting of the full source code on Twitter.
Customer environments will be best protected by applying the combination of the most current product updates and the relevant security patches, he said.