Data centers

10:08 AM
Mike Fratto
Mike Fratto
Connect Directly
Repost This

VMware's Lost Source Code: Not A Panic Situation

VMware lost some of its ESX source code. Cue the sky-is-falling claims. Don't worry, there's no need to panic.

VMware has confirmed that some of its source code to its ESX Server has been leaked. Cue the dramatic music and breathlessly worded missives claiming the sky is falling and your VMware environment will be secure only if you buy someone's stuff. There's no need to panic. Clearly, having its source code leaked is bad for VMware, but that doesn't mean it's bad for you. If you are using virtualization, you most likely are using VMware. If a security problem is found via the leaked source code, it may affect your current version or it may not. Either way, let's not panic. There are likely going to be other hurdles that an attacker will have to leap over to leverage a vulnerability in a hypervisor or even management system.

Before you freak out (or if you are dealing with someone who is curious, concerned or freaking out over the leaked source code), ask the following:

Are your hypervisors available from outside the data center in an uncontrolled manner?
Put another way, can anyone connect to the hypervisor through HTTP/HTTPS, SSH or Telnet? If the answer is yes, you have done a bad thing and you should be banished from the data center for life and made to answer level-one help desk calls.

Most likely, the answer is no. Why would you make your hypervisor available outside the confines of where it resides? There is no reason to. Sure, you might be able to access vSphere over an IPSec or SSL VPN from Starbucks, but hopefully you have that locked down pretty well. Ideally, you don't even allow that.

The point is that before attackers can do damage, they have to have access to the target. It's pretty unlikely that organizations are putting their bare ESX servers on the Internet or even on the internal network. If you are, you get what you get and you only have one place to point that finger of blame.

Are your applications on VMs running code so buggy that an attacker could break through to the underlying OS?
If the answer is yes, your programmers should be banished from writing any code that will run on a server and made to sling Microsoft VBasic for Office. While bugs and vulnerabilities in code occur, you hopefully have taken the proper steps to mitigate the damage. These can include making sure you have a software development lifecycle that addresses problems; ensuring that you have security checks built into your SDLC; using, where possible, development methods that are less prone to mistakes and services running with minimal privileges and limited access to the OS.

1 of 2
Comment  | 
Print  | 
More Insights
More Blogs from Commentary
Infrastructure Challenge: Build Your Community
Network Computing provides the platform; help us make it your community.
Edge Devices Are The Brains Of The Network
In any type of network, the edge is where all the action takes place. Think of the edge as the brains of the network, while the core is just the dumb muscle.
Fight Software Piracy With SaaS
SaaS makes application deployment easy and effective. It could eliminate software piracy once and for all.
SDN: Waiting For The Trickle-Down Effect
Like server virtualization and 10 Gigabit Ethernet, SDN will eventually become a technology that small and midsized enterprises can use. But it's going to require some new packaging.
IT Certification Exam Success In 4 Steps
There are no shortcuts to obtaining passing scores, but focusing on key fundamentals of proper study and preparation will help you master the art of certification.
Hot Topics
IT Certification Exam Success In 4 Steps
Amy Arnold, CCNP/DP/Voice,  4/22/2014
The Ideal Physical Network
Martin Casado 4/23/2014
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Twitter Feed