What risks does VMware face as a result of code leak?
On April 24, 2012, VMware confirmed that code posted by a hacker who claims have stolen the full ESX source code from a Chinese site is authentic and dates back to the 2003 to 2004 timeframe.
Potential security holes
First off, I believe that the risk here is minimal. According to reports, it’s the ESX source code from 2003/2004 that has ben compromised. With the company’s latest release, vSphere 5, ESX is history and has been completely replaced with ESXi, which came on the scene in 2007, well after the reported leak. Of course, if there is significant shared code, that could create a problem.
In this case, there is a chance—a small one, but a chance—that shared code that contains an undiscovered bug could be exploited and damage existing ESXi implementations. Again, this is a minimal risk. In 2003/2004, ESX was still at version 1.5, which was many, many versions ago. However, existing current ESX customers running ESX 3.x or 4.x may still find themselves at risk since these systems would be descendants of the exposed code.
Identification of unattributed open source components
What I see as a bigger risk for VMware comes if the company is found to have made use of open source projects without proper attribution. This would be a public relations nightmare for the company and could turn into a financial issue. Of course, this risk only comes to fruition if those company was actually using unattributed open source software in the then-current version of ESX. If they were on the up and up, everything will be fine.
Loss of confidence in the company
VMware is known for being rock solid. Situations such as this one can serve to undermine customer confidence in the company. While the exploited code may have been obtained through illegal means, that doesn’t always absolve a company of perceived fault. Customers will be looking to the company to take steps to ensure that this kind of situation does not arise again.
When this all blows over, I think we’ll find that the damage to VMware is minimal at worst, but the company does face a PR issue that they must carefully handle.