VMware Security & Compliance Blog

Ensure DISA Certificate Compliance using VCM

Today I show how you can verify compliance with the DISA mandate that the DoD certificates be present on every Microsoft Windows machine, using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

This example uses the DISA STIG for Windows 8 / 8.1, Version 1 Release 6, released on 25 Jul 2014.

Below are the DISA requirements for certificates:

  • WN08-PK-000001 – The DoD Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000002 – The External CA Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000003 – The DoD Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store
  • WN08-PK-000004 – The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store
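The four rules reduce to a store-and-identity check: the two roots must sit in the machine's Trusted Root store, and the two cross-certificates (subject "DoD Root CA 2", issued by one of the interoperability roots) must sit in the Untrusted Certificates store, which PowerShell exposes as Cert:\LocalMachine\Disallowed, so that Windows will not use them to build a path from a DoD certificate up to an external root. The script below is an added example written for this post, not VCM's own check logic. It matches on subject and issuer names taken from the rule titles; the ECA root name pattern and the optional thumbprints are assumptions, and the thumbprints should be filled in from the STIG check text, because a subject-name match alone would also be satisfied by any certificate carrying the same name.

```powershell
# Added example: local check of the WN08-PK-00000[1-4] certificate rules.
# Not VCM code. Store names, subjects and issuers come from the rule titles;
# the ECA subject pattern and any thumbprint values are assumptions to be
# taken from the STIG check text for the release in use.

function Test-StigCertificate {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        # 'Root' = Trusted Root Certification Authorities, 'Disallowed' = Untrusted Certificates
        [Parameter(Mandatory)] [ValidateSet('Root', 'Disallowed')] [string] $Store,
        [Parameter(Mandatory)] [string] $SubjectPattern,
        [string] $IssuerPattern = '.*',
        [string] $Thumbprint       # optional SHA-1 thumbprint from the STIG (assumption: left empty here)
    )
    $path  = "Cert:\LocalMachine\$Store"
    $certs = @(Get-ChildItem -Path $path |
        Where-Object { $_.Subject -match $SubjectPattern -and $_.Issuer -match $IssuerPattern })
    if ($Thumbprint) {
        # Pin to the exact certificate rather than trusting a name match
        $certs = @($certs | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() })
    }
    # Expired certificates do not satisfy the rule even if present
    $valid = @($certs | Where-Object { $_.NotAfter -gt (Get-Date) })
    [pscustomobject]@{
        RuleId    = $RuleId
        Store     = $path
        Subject   = $SubjectPattern
        Issuer    = $IssuerPattern
        Present   = $certs.Count -gt 0
        Compliant = $valid.Count -gt 0
        NotAfter  = if ($valid.Count -gt 0) { $valid[0].NotAfter } else { $null }
    }
}

# One entry per STIG rule. Root CAs are self-signed, so issuer equals subject;
# cross-certificates carry the DoD Root CA 2 subject with an interoperability root as issuer.
$checks = @(
    @{ RuleId = 'WN08-PK-000001'; Store = 'Root';       SubjectPattern = 'CN=DoD Root CA 2'; IssuerPattern = 'CN=DoD Root CA 2' }
    @{ RuleId = 'WN08-PK-000002'; Store = 'Root';       SubjectPattern = 'CN=ECA Root CA';   IssuerPattern = 'CN=ECA Root CA' }   # assumption: ECA root subject
    @{ RuleId = 'WN08-PK-000003'; Store = 'Disallowed'; SubjectPattern = 'CN=DoD Root CA 2'; IssuerPattern = 'CN=DoD Interoperability Root CA 1' }
    @{ RuleId = 'WN08-PK-000004'; Store = 'Disallowed'; SubjectPattern = 'CN=DoD Root CA 2'; IssuerPattern = 'CN=US DoD CCEB Interoperability Root CA 1' }
)

$results = foreach ($check in $checks) { Test-StigCertificate @check }
$results | Format-Table RuleId, Store, Present, Compliant, NotAfter -AutoSize

# Non-zero exit lets a scheduler or configuration tool treat any finding as a failure
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in an elevated Windows PowerShell session on the target machine; the LocalMachine stores, not the CurrentUser ones, are what the STIG rules refer to. Present and Compliant are reported separately so that an expired DoD root, which is present but no longer satisfies the rule, shows up as a distinct finding.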


VMware CP&C releases Major Updates to DISA STIG *NIX Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the updated DISA STIG compliance toolkit for UNIX and Linux environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops). This is a major update to the previously released DISA compliance toolkits for UNIX and Linux environments. The compliance toolkit product data sheet can be found here.

This toolkit contains below DISA STIGs:

  • DISA AIX 6.1 V1R2
  • DISA HP-UX V1R4
  • DISA RH-5 V1R6
  • DISA RH-6 V1R3
  • DISA Solaris 10 V1R6


New VMware Security Advisory VMSA-2014-0007 and updated advisory

Today VMware has released the following new and updated security advisories:
  • New: VMSA-2014-0007
  • Updated: VMSA-2014-0006.3

The new advisory details a remote code execution vulnerability in vCenter Operations Management Suite (vCOPS). This advisory also documents a workaround for customers that cannot update to the new version of vCOPS.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2014-0006

Today VMware has released the following new security advisory:

VMSA-2014-0006 – Link
VMware product updates address OpenSSL security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware investigating OpenSSL security vulnerabilities

Following the June 5, 2014 disclosure of new OpenSSL security vulnerabilities, we are currently investigating and assessing impact to our products and services as well as our own customer-facing portals.

We will communicate the results of the investigation and related remediation plans in VMware Knowledge Base article 2079783.

PM Update: We have concluded the assessment of the issues, and VMware Knowledge Base article 2079783 has been updated.

New VMware Security Advisory VMSA-2014-0005 and updated advisory

Today VMware has released the following new and updated security advisories:
  • New: VMSA-2014-0005
  • Updated: VMSA-2014-0002.3

The new advisory details a privilege escalation issue in VMware Tools on Windows 8.1. To remediate this issue, VMware Tools must be updated in every pre-existing Windows 8.1 guest operating system.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Updated VMware Security Advisory VMSA-2014-0002.2

Today VMware has released the following updated security advisory:

VMSA-2014-0002.2

The advisory was updated to document the release of an ESXi 5.1 patch that addresses CVE-2013-5211, “DDoS vulnerability in NTP third party library”. VMware Knowledge Base article 2070193 provides mitigation for this issue and documents when vSphere components are affected.

The ESXi 5.1 patches released today are not related to the OpenSSL Heartbleed issue (ESXi 5.1 and below are not affected by this issue). The product releases and patches remediating the Heartbleed issue have concluded and are all documented in VMware Security Advisory VMSA-2014-0004.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware among founding members of the Core Infrastructure Initiative

We are happy to announce that VMware is one of the founding members of the Core Infrastructure Initiative. This project hosted by the Linux Foundation will fund open source projects that are critical to core computing and Internet functions. Over time, the project will help make open source software more secure, which will benefit our customers, partners, users, and just about anyone who goes online.

Core Infrastructure Initiative explained
The Core Infrastructure Initiative will fund and support critical elements of the global information infrastructure. Its first beneficiary is OpenSSL, by funding support for its key developers and providing other resources. The goal is to improve its security, to create an external feedback mechanism and to streamline the release process.
Open source software projects that will receive funding will be selected by the Steering Committee of the Core Infrastructure Initiative, made up of supporters, community developers, and industry stakeholders. The committee will approve the funding level and oversee the roadmap and is guided by an advisory board of key open source developers and community members.
The Linux Foundation organized the Core Infrastructure Initiative to guarantee that open source projects remain independent and keep their community-based focus. Read more about the initiative in the Core Infrastructure Initiative FAQ.

VMware and the Core Infrastructure Initiative
VMware and eleven other leading infrastructure companies support the Core Infrastructure Initiative. Our support allows us to contribute directly to the security of open source software that is used in our products.
VMware has a longstanding commitment to working with the open source community, and our developers participate in several open source projects. By participating in the Core Infrastructure Initiative we are strengthening these ties and proactively working on the security of open source software.

New VMware Security Advisory VMSA-2014-0004 (Heartbleed)

Today VMware has released the following new security advisory:

VMSA-2014-0004

This advisory lists the VMware product updates and patches that address the OpenSSL Heartbleed issue, CVE-2014-0160. This is only the first release of the advisory; it will be updated several more times as we release further product updates and patches this week.

To remediate the issue, follow these steps:

  • Deploy the VMware product update or product patches that address CVE-2014-0160
  • Replace certificates
  • Reset passwords

The advisory lists product-specific references to installation instructions and certificate management documentation.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0003 and updated advisory

Today VMware has released the following new and updated security advisories:
  • New: VMSA-2014-0003
  • Updated: VMSA-2014-0002.1

The new advisory details two security vulnerabilities in vSphere Client, CVE-2014-1209 and CVE-2014-1210. To remediate these issues, existing vSphere Client installations must be replaced with the newly released versions.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Note:
The new and updated advisories released today are not related to the OpenSSL Heartbleed issue, CVE-2014-0160. VMware is working on remediation of this issue and update releases that address this issue will be documented in a new VMware Security Advisory.
Currently VMware Knowledge Base article 2076225 provides the latest status on VMware products and services and the OpenSSL Heartbleed issue.