Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/13/2008
03:47 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

VMware Issues Patch For Hypervisor Bug

CEO Paul Maritz apologized to customers and said VMware was determined to get to the bottom of the problem that caused virtual machines to refuse to start.

VMware has issued a patch for the bug that was contained in Update 2 for the ESX 3.5 hypervisor, a bug that caused ESX and ESXi 3.5 virtual machines to refuse to start up Tuesday morning. The company also is working to fix the Update 2 software and reissue it without the flaw.

The ESX 3.5 hypervisor's Update 2 was first released 17 days ago. The new, freely downloadable ESXi 3.5 hypervisor was released 16 days ago. The company said it expect the bug-free software to become available at later today.

A license limitation built into the Update 2 release caused ESX and ESXi 3.5 virtual machines to stop running Tuesday morning. VMware issued a patch for existing Update 2 users at about 9 p.m. Tuesday. It didn't have an estimate of how many customers were using Update 2 or what percentage of the customer base had adopted it. Because the update was issued only recently, it is possible only a fraction of the customer base has tested the update in isolation and then implemented it in production.

Nevertheless, new president and CEO Paul Maritz wrote a letter in which he apologized to customers and said VMware was determined to get to the bottom of the problem. "I want to apologize for the disruption and difficulty this issue may have caused our customers and our partners. Your confidence in VMware is extremely important to us, and we are committed to restoring that confidence fully and quickly."

VMware hoped to have a new version of Update 2 available by noon on Wednesday, it said Tuesday as news of the bug spread. VMware spokesmen at noon revised that timing and said the new version will be ready by 6 p.m. on Wednesday.

"We are doing everything in our power to make sure this doesn't happen again," Maritz' letter, posted on the VMware Web site, said. "VMware prides itself on the quality and reliability of our products, and this incident has prompted a thorough self-examination of how we create and deliver products. ... We have kicked off a comprehensive, in-depth review ... and will quickly make the needed changes."

The problem was created when ESX 3.5 Update 2 was sent to customers with a piece of code in it that caused the license governing use of the code to expire at 12 a.m. on Tuesday, Aug. 12. That wouldn't shut down a continuously running virtual machine, but it if had been decommissioned and stored Monday night, it wouldn't start again Tuesday morning. Likewise, use of the VMotion capability that shuts a virtual machine down on one physical server while starting a carbon copy on another server would also cause the virtual machine to fail.

A virtual machine that was left in suspension mode Monday night could not be brought out suspension on Tuesday morning, VMware officials said.

Maritz explained that the inadvertent code in Update 2 "was designed to ensure that customers are running on the supported, general available version of Update 2," not earlier, unsupported versions of Update 2. But the explanation was still likely to leave users of the free version of the ESX hypervisor, ESXi, disgruntled if they had been sold on its ease of use features.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...