
New VMware Security Advisory VMSA-2014-0014

Today VMware has released the following new security advisory:

VMSA-2014-0014

The advisory documents CVE-2014-8372, an information disclosure vulnerability in AirWatch by VMware. AirWatch Cloud has already been patched to resolve this issue; On-Premise deployments must be updated.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0013

Today VMware has released the following new security advisory:

VMSA-2014-0013

The advisory documents CVE-2014-8373, a critical remote privilege escalation vulnerability in vCloud Automation Center (vCAC). It is important to note that the provided patches will temporarily disable the vCAC “Connect (by) Using VMRC” functionality for directly connecting to vCenter Server.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Changes to Transparent Page Sharing reminder and new and updated VMware Security Advisories

As previously noted (Oct 16 and Nov 24), VMware has introduced new TPS (Transparent Page Sharing) management options that give administrators more granular control over which virtual machines have the potential to share duplicate pages of memory with each other. The previous ESXi patch releases incorporated the additional functionality but did not change the default behavior. Today's update of ESXi 5.1 is the first release that restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally, VMware has today released the following new and updated advisories:

New:
  • VMSA-2014-0012

Updated:
  • VMSA-2014-0002.4
  • VMSA-2014-0008.2

The new advisory details the fix of a cross-site scripting issue (CVE-2014-3797), a certificate validation issue (CVE-2014-8371) and updates to third-party libraries in VMware vSphere.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Inter-VM Transparent Page Sharing ESXi default changing (reminder)

The additional Transparent Page Sharing (TPS) management capabilities that we discussed in our blog post of October 16 have been out for about a month for ESXi 5.1 and ESXi 5.5. The same capabilities for ESXi 5.0 will follow next month.

While the recent ESXi patches do not change any TPS setting, the upcoming ESXi Update/patch releases planned for 2014 and Q1 of 2015 will. As we explained in our previous TPS post, the default setting for inter-VM TPS will be such that TPS among virtual machines will no longer be enabled by default. Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan accordingly.

Also, we would like to take the opportunity to mention that inter-VM TPS has not been removed from ESXi: it can be re-enabled either system-wide or for groups of VMs by using the new salting mechanism (see KB 2091682).

VMware CP&C releases Major Updates to DISA STIG Windows Compliance toolkit in VCM!


The VMware Center for Policy & Compliance (CP&C) is pleased to announce the updated DISA STIG compliance toolkit for Windows-based environments in VMware vCenter Configuration Manager (VCM), a key component of VMware vRealize Operations (vR Ops). This is a major update to the previously released DISA compliance toolkits for Windows-based environments. The compliance toolkit product data sheet can be found here.

This toolkit contains the following DISA STIGs:

  • Windows Server 2012 / R2 – DC and MS – STIG Version V1R4
  • Windows Server 2008 R2 – DC and MS – STIG Version V1R12
  • Windows Server 2008 – DC and MS – STIG Version V6R1.26
  • Windows Server 2003 / R2 – DC and MS – STIG Version V6R1.33
  • Windows 7 – STIG Version V1R16
  • Windows 8 / 8.1 – STIG Version V1R6

DC = Domain Controllers
MS = Member Servers

New VMware Security Advisory VMSA-2014-0011

Today VMware has released the following new security advisory:

VMSA-2014-0011

The advisory documents a critical information disclosure vulnerability, CVE-2014-4624, which has been addressed in vSphere Data Protection 5.5.x last week.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Introducing VMware’s vRealize Air Compliance (vRAC)

Hola Peeps,
It is with great pleasure that I introduce our latest and greatest Compliance solution from VMware, vRealize Air Compliance!
vRAC gives you event-driven compliance checks of your virtual infrastructure and tells you WHO made a non-compliant change and when it occurred, in near real time! (As fast as the Seahawks' defense making Peyton Manning choke in another Super Bowl loss)
The vRAC solution is based on SCAP content, takes minutes to install, and allows you to set exceptions on the fly. We are making it available (BETA) to our customers as the audit community is starting to inspect the virtual infrastructure on a regular basis.

Sign up for the vRAC BETA here:

http://vrealizeair.vmware.com/compliance

The original post includes screenshots of the dashboard and score cards, a recent rule failure (went from compliant to non-compliant), the drill-down showing who made the change with a time stamp, and an exception being set on the fly.

Check out the vRAC video here:

https://www.youtube.com/watch?v=-Au0eec2hkU

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum.

Cambio y Fuera!
George Gerchow
VMware vRealize Air Compliance Product Manager – CISSP, ITIL, CCNA, MCPS, SCP


Transparent Page Sharing – additional management capabilities and new default settings

Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.

We also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though we believe the security risk associated with enabling TPS is very low, VMware strives to be “secure by default” wherever possible.

The upcoming changes to the default TPS settings are explained in VMware Knowledge Base (KB) article 2080735. Documentation for the additional TPS management capabilities can be found in KB 2091682.

Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan for the upcoming ESXi Update releases, which no longer have TPS between VMs enabled by default. Note also that on hosts using the hardware-assisted memory virtualization features of modern processors, ESXi backs guest memory with large pages, which TPS does not share. As a result, TPS typically only comes into play when memory is overcommitted and large pages are broken down into small pages; see KB 1021095 for further details.

We would like to thank Gorka Irazoqui, Mehmet Sinan Inci and the Vernam lab for working with VMware and sharing their side-channel research.

11/05 Update
The additional capabilities to manage Transparent Page Sharing are now available for ESXi 5.1, see KB 2091682.
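The salting mechanism referred to in this post and in the two reminder posts above (Mem.ShareForceSalting on the host, sched.mem.pshare.salt in the VM configuration) is easy to misread when planning which VMs will still share pages after the default changes. The script below is an added example, not VMware code: it parses constructed .vmx fragments and works out the page-sharing groups for each host mode. The grouping rules encode my reading of KB 2091682 (mode 0: salting off, all VMs may share; mode 1: VMs with the same salt share, unsalted VMs all use salt 0 and share with each other; mode 2, the new default: VMs with the same salt share, unsalted VMs use their vc.uuid and therefore share only within themselves); verify them against the KB for your ESXi release. The VM names and UUIDs are made up.

```python
"""Work out which VMs on a host can share pages under the TPS salting rules.

Added, constructed example (not VMware's code). The .vmx fragments and UUIDs
are made up, and the grouping rules encode one reading of KB 2091682.
"""
import re
from collections import defaultdict

SALT_KEY = "sched.mem.pshare.salt"   # per-VM advanced option
UUID_KEY = "vc.uuid"                  # unique per VM; the salt in mode 2 when no salt is set

# Constructed .vmx fragments for four VMs on one host.
VMX_FILES = {
    "web01": '.encoding = "UTF-8"\n'
             'vc.uuid = "50 2a 00 00 00 00 00 01-00 00 00 00 00 00 00 01"\n'
             'sched.mem.pshare.salt = "web-tier"\n',
    "web02": 'vc.uuid = "50 2a 00 00 00 00 00 02-00 00 00 00 00 00 00 02"\n'
             'sched.mem.pshare.salt = "web-tier"\n',
    "db01":  'vc.uuid = "50 2a 00 00 00 00 00 03-00 00 00 00 00 00 00 03"\n',
    "app01": 'vc.uuid = "50 2a 00 00 00 00 00 04-00 00 00 00 00 00 00 04"\n',
}


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (other lines ignored)."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:-]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def effective_salt(mode, name, opts):
    """Salt used for page-sharing decisions under Mem.ShareForceSalting=mode."""
    if mode == 0:                      # salting off: pre-patch behaviour, all VMs may share
        return "<any>"
    salt = opts.get(SALT_KEY)
    if salt is not None:               # an explicit salt wins in modes 1 and 2
        return salt
    if mode == 1:                      # unsalted VMs fall back to salt 0 and share with each other
        return "0"
    if mode == 2:                      # new default: unsalted VMs get a per-VM salt (vc.uuid,
        return opts.get(UUID_KEY, f"<random:{name}>")  # or a random value if there is no uuid)
    raise ValueError(f"unknown Mem.ShareForceSalting value {mode}")


def sharing_groups(mode, vmx_files):
    """Map each effective salt to the sorted VM names that may share pages with each other."""
    groups = defaultdict(list)
    for name, text in vmx_files.items():
        groups[effective_salt(mode, name, parse_vmx(text))].append(name)
    return {salt: sorted(names) for salt, names in groups.items()}


def can_share(mode, vmx_files, a, b):
    """True if VM a and VM b may share identical pages under the given host mode."""
    salt_a = effective_salt(mode, a, parse_vmx(vmx_files[a]))
    salt_b = effective_salt(mode, b, parse_vmx(vmx_files[b]))
    return salt_a == salt_b


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"Mem.ShareForceSalting={mode}:")
        for salt, names in sharing_groups(mode, VMX_FILES).items():
            print(f"  salt {salt!r}: {', '.join(names)}")
```

Run against real .vmx files the output tells you, before the update lands, which VMs will stop sharing with each other (under mode 2 every VM without an explicit sched.mem.pshare.salt ends up in a group of one). To read the current host setting, KB 2091682 documents an esxcli form along the lines of `esxcli system settings advanced list -o /Mem/ShareForceSalting` (quoted from memory; check the KB for the exact syntax on your release).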

CVE-2014-3566 aka POODLE

Today, a new attack on SSL v3 dubbed POODLE was published. We’ve reviewed the issue and concur with the community that the issue is similar to the BEAST attack published in 2011 but more practical.

Like the BEAST attack, to exploit this vulnerability the attacker must be able to run JavaScript in the victim's browser and to man-in-the-middle the connection between the client and server. At this time we view this as a browser-based attack and do not see direct relevance to VMware's products.
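Why those two preconditions are enough is worth seeing concretely. The simulation below is an added example, not VMware's or the POODLE authors' code: a toy 4-round Feistel cipher built from SHA-256 stands in for the block cipher, a truncated HMAC-SHA256 for the SSLv3 MAC, and the keys, secret cookie and PRNG seed are made up. What is faithful is the SSLv3 rule being abused: the receiver trusts the padding-length byte and never checks the padding bytes themselves. The attacker's JavaScript controls the request length so that one byte of the cookie ends a block and the MAC fills the last data block, forcing a whole block of padding; the man-in-the-middle then copies the block holding the target byte over the padding block, and one time in 256 the server accepts it, which leaks that byte.

```python
"""Simulated POODLE: reading a cookie through the SSLv3 CBC padding oracle.
Constructed demonstration; toy cipher, toy MAC, made-up keys and secret."""
import hashlib
import hmac
import random

BLOCK = 8                    # toy block size (3DES-CBC in SSLv3 also uses 8)
MAC_LEN = 8
ROUNDS = 4
ENC_KEY = b"toy-enc-key"     # constructed
MAC_KEY = b"toy-mac-key"     # constructed
SECRET = b"cookie=s3cr3t!"   # the value the attacker wants to read
rng = random.Random(2014)    # seeded so the run is reproducible


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, r):
    return hashlib.sha256(ENC_KEY + bytes([r]) + half).digest()[:4]

def block_encrypt(blk):
    left, right = blk[:4], blk[4:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _f(right, r))
    return left + right

def block_decrypt(blk):
    left, right = blk[:4], blk[4:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(left, r)), left
    return left + right

def cbc_encrypt(iv, plaintext):
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(_xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)                      # IV travels as block 0

def cbc_decrypt(ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))

def mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]

def client_send(prefix_len, suffix_len):
    """Victim browser: attacker-chosen bytes (via JavaScript) around the cookie.
    Emits data || MAC || padding; only the last padding byte is meaningful in SSLv3."""
    data = b"A" * prefix_len + SECRET + b"B" * suffix_len
    body = data + mac(data)
    pad_len = (BLOCK - 1) - len(body) % BLOCK   # a whole block of padding when body is aligned
    padding = bytes(rng.randrange(256) for _ in range(pad_len)) + bytes([pad_len])
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))
    return cbc_encrypt(iv, body + padding)

def server_accepts(record):
    """SSLv3 receiver: strip pad_len+1 bytes as instructed by the last byte, then check the MAC."""
    plain = cbc_decrypt(record)
    pad_len = plain[-1]
    if pad_len >= BLOCK or len(plain) < pad_len + 1 + MAC_LEN:
        return False
    body = plain[:len(plain) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))

def recover_byte(k):
    """Man-in-the-middle recovers SECRET[k]; returns (byte value, oracle queries used)."""
    prefix_len = (BLOCK - 1 - k) % BLOCK                         # SECRET[k] ends a block
    suffix_len = -(prefix_len + len(SECRET) + MAC_LEN) % BLOCK   # data||MAC fills whole blocks
    i = (prefix_len + k) // BLOCK + 1                            # ciphertext block holding SECRET[k]
    attempts = 0
    while True:
        attempts += 1
        record = client_send(prefix_len, suffix_len)
        blocks = [record[j:j + BLOCK] for j in range(0, len(record), BLOCK)]
        n = len(blocks) - 1                                      # the all-padding block
        tampered = b"".join(blocks[:n] + [blocks[i]])            # replace it with C_i
        if server_accepts(tampered):
            # D(C_i) ^ C_{n-1} ended in BLOCK-1, so P_i[-1] = (BLOCK-1) ^ C_{i-1}[-1] ^ C_{n-1}[-1]
            return (BLOCK - 1) ^ blocks[i - 1][-1] ^ blocks[n - 1][-1], attempts

def recover_secret(length):
    out, queries = bytearray(), 0
    for k in range(length):
        byte, attempts = recover_byte(k)
        out.append(byte)
        queries += attempts
    return bytes(out), queries

if __name__ == "__main__":
    secret, queries = recover_secret(len(SECRET))
    print(f"recovered {secret!r} after {queries} oracle queries")
```

The expected cost is about 256 queries per byte, which is the "more practical than BEAST" part: no cryptanalysis of the cipher is needed, only a receiver that honours the SSLv3 padding rule. Moving to TLS closes this because TLS requires every padding byte to equal the padding length.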

We will shortly issue a VMware Knowledge Base (KB) article for POODLE with similar guidance to that found in our BEAST KB article.

10/15 Update
We’ve published VMware Knowledge Base article 2092133 with the recommendation to disable SSL v3 in your browser.

10/16 Update
Over the next few days we will begin a structured roll out to explicitly deny SSL v3 connections on all VMware websites and services. We support industry recommendations on disabling SSLv3 and requiring TLS for encrypted communication.
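Verifying that a service really denies SSL v3 is awkward with current tooling, because most OpenSSL builds no longer speak the protocol at all. The probe below is an added example, not a VMware tool: it hand-builds an SSLv3 ClientHello (no TLS extensions, so a TLS-only server cannot negotiate anything newer), sends it, and classifies the server's first reply. A ServerHello with version 3.0 means SSL v3 is still offered; an alert (40 handshake_failure or 70 protocol_version) or a closed connection means it is refused. The cipher suite list and the sample replies in the test are constructed. Use it only against hosts you are authorised to test.

```python
"""Probe whether a server still accepts an SSLv3 handshake.
Added example, not VMware code; interprets only the record framing."""
import socket
import struct

SSL3 = b"\x03\x00"                      # protocol/record version 3.0
HANDSHAKE, ALERT = 0x16, 0x15           # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# Suites commonly offered by SSLv3-era servers (constructed list for the probe).
DEFAULT_SUITES = (0x000A, 0x002F, 0x0035, 0x0005, 0x0004)


def build_client_hello(cipher_suites=DEFAULT_SUITES, client_random=bytes(32)):
    """SSLv3 ClientHello: version, 32-byte random, empty session id, cipher
    suites, null compression. SSLv3 has no extensions, so none are sent."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSL3 + client_random + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the server's first bytes to a verdict string."""
    if not data:
        return "closed"                           # connection dropped: SSLv3 refused
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    if content_type == ALERT and len(data) >= 7:
        return f"rejected_alert:{data[6]}"        # 40 handshake_failure, 70 protocol_version
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        # server_version sits right after the 4-byte handshake header
        return "sslv3_accepted" if data[9:11] == SSL3 else "unexpected"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return "timeout"
    except ConnectionResetError:
        return "closed"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe(target))
```

A result of "sslv3_accepted" only shows that the protocol is offered; whether a given endpoint is exposed to POODLE also depends on a CBC suite being negotiated and on the browser-side preconditions described above. For a complete picture, repeat the probe after the change and keep the SSLv3-rejecting result as evidence.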

NSX-v 6.1 security hardening guide released for community feedback!

Hi All,
We are pleased to announce the release of the much-awaited NSX-v 6.1 security hardening guide to the community for feedback and comments. You can now securely deploy NSX-v using the prescriptive guidelines in the guide.

Take your copy here. If you have something to say about it please write to nsxhgcomments@vmware.com and we shall get back to you.

Thanks to all the contributors for its success!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+