
VMware Releases Security and Compliance Solution for Docker Containers

As more of VMware’s customers look to run containerized applications, some have raised the question of securing containers in their environments. In partnership with the Center for Internet Security (CIS), Docker and others, VMware has developed a security configuration benchmark for Docker containers that you can download from here.

In all, six parties came together to develop the benchmark -- covering 84 recommendations -- in just 12 weeks. The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations. It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production.

CIS is an independent organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. At CIS, security configuration benchmarks are created through a consensus review process made up of subject matter experts. The benchmark is the result of collaboration among industry experts, a team who worked closely to develop a consensus set of guidance, drawing on resources such as blog posts, articles, internet resources and Docker documentation. CIS facilitated the development effort and guided us throughout the benchmark development process. Each recommendation was thoroughly vetted, tested and endorsed by the consensus team, consisting of members from CIS, VMware, Docker, Cognitive Scale, International Securities Exchange and Rakuten.

Assessing your Dockerized environments using VMware

However, having just a security benchmark is not enough. Customers also need a mechanism to evaluate containerized workloads against the benchmark and provide compliance visibility and reporting. The solution should also be able to assess diverse workloads hosted on heterogeneous Linux distributions.

VMware has developed such a solution within VMware vRealize Configuration Manager. It is designed as a compliance toolkit, and is the FIRST of its kind to assess containerized workloads against the CIS benchmark. The tool provides a compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation in the CIS benchmark.

vRealize Configuration Manager covers 100% of the automatable recommendations in the benchmark, addressed here in depth, and even some that are not directly automatable. You can get a detailed listing of the rules available in the VMware solution in the product sheet attached here.

Let’s dive into a comprehensive overview of the solution.


VMSA-2015-0003 (SKIP-TLS)

New VMware security advisory VMSA-2015-0003 (SKIP-TLS)

Today VMware has released the following new security advisory,

VMSA-2015-0003

The advisory documents CVE-2014-6593, which was issued for the incorrect handling of the ChangeCipherSpec message in the Oracle JRE, also known as "SKIP" or "SKIP-TLS". The issue allows a man-in-the-middle attacker to manipulate the SSL handshake, which may result in impersonation of the server or in plaintext communication between client and server.

We have reviewed CVE-2014-6593 and determined that it is a critical security issue if an application initiates communication over an untrusted network. Because of this, VMware is updating JRE in products that may face the Internet first, followed by updating JRE in products that are typically deployed in a datacenter but don't communicate outside. The advisory will be republished when JRE is updated in VMware products through new patches or product releases.

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

VMware Announces its Membership in SAFECode

VMware is proud to announce its associate membership in the Software Assurance Forum for Excellence in Code (SAFECode). The forum is exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software and services.

Please see the following CTO blog post by Iain Mulholland for more details about this exciting news.

Changes to Transparent Page Sharing completed and updated VMware Security Advisories

As previously posted (Oct 16, Nov 24, Dec 4 and Jan 27), VMware has introduced new TPS (Transparent Page Sharing) management options. Today’s ESXi 5.0 patch restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today updated advisory VMSA-2015-0001.1.

Customers should review the updated security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

VMware Product Security White Paper has been published

A new VMware Product Security White Paper highlighting the various ways VMware minimizes product security risks for its customers has been published and is available via the VMware security web site:

http://www.vmware.com/security

VMware products and "Ghost", glibc gethostbyname* buffer overflow (CVE-2015-0235)

This Tuesday a buffer overflow in the gethostbyname family of functions ("gethostbyname*") in the widely used glibc library (CVE-2015-0235) was disclosed. As soon as we became aware of this vulnerability we began investigating. We regarded it as a significant vulnerability since the original advisory detailed remote code execution in the Exim mail server.

We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked. In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered. Suffice it to say, the applicability of this vulnerability to the Exim mail server cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.

We have been reviewing the use of glibc and gethostbyname* in our products. Based on our current analysis, we have not identified any VMware product that is affected by this issue. Many of our products do use a vulnerable version of the glibc library, but we have not found a way to pass untrusted input to gethostbyname*. Our KB on this issue is published here.

We take the security of customers extremely seriously. Even though no VMware product has been found to be exploitable using this issue, we will update the glibc library in normal upcoming maintenance releases.
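The point above is that the overflow is only reachable when an attacker controls the argument handed to gethostbyname*. One way an application can enforce that an untrusted string never reaches the resolver unbounded is to validate its shape and length first. The following is an added example, not VMware's code and not from the glibc project: it accepts only a strict dotted-quad IPv4 literal or a syntactically valid DNS name (labels of letters, digits and hyphens, at most 63 characters each, 253 characters in total), and wraps gethostbyname so that anything else is rejected before the call. The 253-character ceiling is the conventional maximum for a DNS name in presentation form; the helper names (hostname_is_safe, resolve_untrusted, rejects_dotted_digits_of_length) and the sample strings are assumptions made for this example.

```c
/* Added example (not VMware's or glibc's code): bound and validate an untrusted
 * hostname before it is passed to gethostbyname(). */
#include <ctype.h>
#include <netdb.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HOSTNAME_LEN 253  /* conventional ceiling for a DNS name in text form */
#define MAX_LABEL_LEN    63   /* per-label limit from RFC 1035 */

/* Strict IPv4 literal: exactly four decimal octets 0..255, no leading zeros
 * (leading zeros are rejected because some resolvers read them as octal). */
static bool is_ipv4_literal(const char *s, size_t len)
{
    int octets = 0, value = 0, digits = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isdigit(c)) {
            if (digits == 1 && value == 0) return false; /* "01" style octet */
            if (++digits > 3) return false;
            value = value * 10 + (c - '0');
            if (value > 255) return false;
        } else if (c == '.') {
            if (digits == 0) return false;               /* empty octet */
            octets++; digits = 0; value = 0;
        } else {
            return false;
        }
    }
    return digits > 0 && octets == 3;
}

/* Returns true only if `name` is a bounded, well-formed hostname or a strict
 * IPv4 literal. Hostnames must contain at least one letter so that arbitrary
 * digits-and-dots strings that are not valid IPv4 literals are refused. */
bool hostname_is_safe(const char *name)
{
    if (name == NULL) return false;

    /* Length check without trusting the caller: stop scanning past the limit. */
    size_t len = 0;
    while (name[len] != '\0') {
        if (++len > MAX_HOSTNAME_LEN) return false;
    }
    if (len == 0) return false;

    if (is_ipv4_literal(name, len)) return true;

    size_t label_len = 0;
    bool saw_alpha = false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* A label may not be empty or end with a hyphen. */
            if (label_len == 0 || name[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;     /* e.g. '_' or space */
        if (label_len == 0 && c == '-') return false;    /* label may not start with '-' */
        if (isalpha(c)) saw_alpha = true;
        if (++label_len > MAX_LABEL_LEN) return false;
    }
    /* A trailing dot (FQDN form) leaves label_len == 0, which is fine. */
    if (label_len > 0 && name[len - 1] == '-') return false;
    return saw_alpha;
}

/* Wrapper: untrusted input reaches gethostbyname() only after validation.
 * Returns NULL for rejected input, so callers cannot skip the check. */
struct hostent *resolve_untrusted(const char *name)
{
    if (!hostname_is_safe(name)) return NULL;
    return gethostbyname(name);
}

/* Demonstration helper: build a constructed digits-and-dots string of length n
 * ("1.1.1.1..." pattern) and report whether the validator rejects it. */
bool rejects_dotted_digits_of_length(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return false;
    for (size_t i = 0; i < n; i++) buf[i] = (i % 2 == 0) ? '1' : '.';
    buf[n] = '\0';
    bool rejected = !hostname_is_safe(buf);
    free(buf);
    return rejected;
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run. */
    const char *samples[] = { "www.example.com", "192.0.2.10", "-bad.example",
                              "a..b", "300.1.1.1", "host_name.example" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], hostname_is_safe(samples[i]) ? "accepted" : "rejected");
    printf("1100-char dotted digits -> %s\n",
           rejects_dotted_digits_of_length(1100) ? "rejected" : "accepted");
    return 0;
}
```

Design note: the validator is deliberately stricter than what the resolver itself accepts (underscores, over-long labels and ambiguous numeric strings are all refused), because the goal is to keep attacker-shaped input away from library code rather than to reproduce the library's parsing rules.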

New VMware security advisory VMSA-2015-0002.

Today we released a new security advisory, VMSA-2015-0002.

The advisory documents CVE-2014-4632, a certificate validation vulnerability in VMware vSphere Data Protection (VDP).

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Changes to Transparent Page Sharing (reminder) and new and updated VMware Security Advisories

As we noted earlier on Oct 16, Nov 24 and Dec 4, VMware has introduced new TPS (Transparent Page Sharing) management options. Today’s release of ESXi 5.5 U2d restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today released the following new and updated advisories:

New: VMSA-2015-0001
Updated: VMSA-2014-0012.1

The new advisory details a privilege escalation (CVE-2014-8370), denial of service issues (CVE-2015-1043, CVE-2015-1044) in Workstation, Fusion and ESXi and updates to third-party libraries in VMware vSphere.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0014

Today VMware has released the following new security advisory:

VMSA-2014-0014

The advisory documents CVE-2014-8372, an information disclosure vulnerability in AirWatch by VMware. AirWatch Cloud has been patched to resolve this issue; On-Premise deployments must be updated.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0013

Today VMware has released the following new security advisory:

VMSA-2014-0013

The advisory documents CVE-2014-8373, a critical remote privilege escalation vulnerability in vCloud Automation Center (vCAC). It is important to note that the provided patches will temporarily disable the vCAC "Connect (by) Using VMRC" functionality for directly connecting to vCenter Server.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.