VMware confirmed that its VMware ESX source code has been stolen and posted online, but the company says its virtualization platform doesn't necessarily pose an increased risk to customers.
VMware said that its security team on April 23, 2012, became aware of the public posting of a single file from the VMware ESX source code. The posted code and associated commentary date to the 2003 to 2004 timeframe.
"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," according to a blog post written by Iain Mulholland, director of the company's Security Response Center.
The code was stolen from a Chinese company called CEIEC (China Electronics Import & Export Corporation) during a March breach, according to a posting on the Kaspersky Threat Post blog. The code, along with internal VMware emails, was posted online three days ago.
According to Kaspersky, the breach is linked to a compromise of Web-based e-mail accounts at the e-mail hosting company Sina.com. One of these e-mail accounts was apparently used by a CEIEC subsidiary in India and contained the credentials for a range of VPN (Virtual Private Network) accounts that linked into CEIEC's main corporate network. The hack of Sina.com also provided access to a slew of firms in the ASIAPAC region, in addition to CEIEC. Those include China North Industries Corporation (Norinco), WanBao Mining Ltd, Ivanho and PetroVietnam. In all, the hackers claim to have collected more than a terabyte of data from the companies.
VMware says it has no information about the impact of the breach on customers.
The company said it was leveraging all "external and internal" resources to look into the alleged leak, adding that it would continue to provide updates on the investigation through its Security Response Center.