Today, I show you how you can ensure you comply with DISA mandates to have DoD certificates on each Microsoft Windows machine using VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops).
The VMware Center for Policy & Compliance (CP&C) is pleased to announce the updated DISA STIG compliance toolkit for UNIX and Linux based environments in VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops). This is a major update to the previously released DISA Compliance Toolkits for UNIX and Linux based environments. The compliance toolkit product data sheet can be found here.
The new advisory details a remote code execution vulnerability in vCenter Operations Management Suite (vCOPS). This advisory also documents a workaround for customers that cannot update to the new version of vCOPS.
Following the June 5, 2014 disclosure of new OpenSSL security vulnerabilities, we are currently investigating and assessing impact to our products and services as well as our own customer-facing portals.
The new advisory details a privilege escalation issue in VMware Tools on Windows 8.1. In order to remediate this issue, VMware Guest Tools must be updated in any pre-existing Windows 8.1 Guest Operating System.
The advisory was updated to document the release of an ESXi 5.1 patch that addresses CVE-2013-5211, “DDoS vulnerability in NTP third party library”. VMware Knowledge Base article 2070193 provides mitigation for this issue and documents when vSphere components are affected.
We are happy to announce that VMware is one of the founding members of the Core Infrastructure Initiative. This project hosted by the Linux Foundation will fund open source projects that are critical to core computing and Internet functions. Over time, the project will help make open source software more secure, which will benefit our customers, partners, users, and just about anyone who goes online.
Core Infrastructure Initiative explained
The Core Infrastructure Initiative will fund and support critical elements of the global information infrastructure. Its first beneficiary is OpenSSL, by funding support for its key developers and providing other resources. The goal is to improve its security, to create an external feedback mechanism and to streamline the release process.
Open source software projects that will receive funding will be selected by the Steering Committee of the Core Infrastructure Initiative, made up of supporters, community developers, and industry stakeholders. The committee will approve the funding level and oversee the roadmap and is guided by an advisory board of key open source developers and community members.
The Linux Foundation organized the Core Infrastructure Initiative to guarantee that open source projects remain independent and keep their community-based focus. Read more about the initiative in the Core Infrastructure Initiative FAQ.
VMware and the Core Infrastructure Initiative
VMware and eleven other leading infrastructure companies support the Core Infrastructure Initiative. Our support allows us to contribute directly to the security of open source software that is used in our products.
VMware has a longstanding commitment to working with the open source community, and our developers participate in several open source projects. By participating in the Core Infrastructure Initiative we are strengthening these ties and proactively working on the security of open source software.
This advisory lists the VMware product updates and patches that address the OpenSSL Heartbleed issue, CVE-2014-0160. It is only the first release of the advisory, with several more to come, as we will release more product updates and patches this week.
In order to remediate the issue, follow these steps:
- Deploy the VMware product update or product patches that address CVE-2014-0160
- Replace certificates
- Reset passwords
The advisory lists product-specific references to installation instructions and certificate management documentation.
Customers should review the security advisory and direct any questions to VMware Support.
The new advisory details two security vulnerabilities in vSphere Client, CVE-2014-1209 and CVE-2014-1210. In order to remediate these issues, existing vSphere clients will need to be replaced by the newly released versions.
Customers should review the security advisories and direct any questions to VMware Support.
The new and updated advisories released today are not related to the OpenSSL Heartbleed issue, CVE-2014-0160. VMware is working on remediation of this issue, and update releases that address it will be documented in a new VMware Security Advisory.
Currently VMware Knowledge Base article 2076225 provides the latest status on VMware products and services and the OpenSSL Heartbleed issue.