
New VMware Security Advisory VMSA-2014-0009

Today VMware has released the following new security advisory:

VMSA-2014-0009

The advisory documents a critical information disclosure vulnerability, CVE-2014-3796, which has been addressed in VMware NSX 6.x Edge and vCNS 5.x Edge releases this week.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2014-0008 and updated advisories

Today VMware has released the following new and updated security advisories:
New
VMSA-2014-0008
Updated
VMSA-2014-0007.2
VMSA-2014-0006.10

The new advisory details updates of third party libraries that are present in vSphere 5.5 Update 2, which was released today.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Verify Roles and Features using VCM

Today, I show you how to ensure compliance with DISA recommendations to have only the needed roles and features enabled on various Windows machines using VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops).

This example uses the DISA STIG for Windows 7, Version 1, Release 16, released on 25 Jul 2014.

Below are the DISA recommendations:

  • 5.016 – IIS or its subcomponents must not be installed on a workstation
  • 5.260 – Games must not be installed on the system
  • 5.260 – Simple TCPIP Services must not be installed on the system
  • 5.260 – Telnet Server must not be installed on the system
  • 5.260 – The Telnet Client must not be installed on the system
  • 5.260 – The TFTP Client must not be installed on the system
  • 5.260 – Windows Media Center must not be installed on the system


Consolidated list of VMware Security Advisories

Today (8/21/2014) the VMware Security Response Center is releasing a consolidated list of VMware Security Advisories in the form of an Excel file (see below). The list provides a single source of Security Advisories since 2012.

The list contains all affected products, versions, fix details, known workarounds, VMware Knowledge Base articles, and release notes or KBs for each CVE. This is provided so customers can import Security Advisory details into their security management systems or for patch management.

We plan to update the list each time a new or updated VMware Security Advisory is released.

Details of the contents can be found in VMware Knowledge Base article:

http://kb.vmware.com/kb/2078735

You can download the consolidated list here:

https://www.vmware.com/files/xls/security/VMWareSecurityAdvisoryList.xlsx

This document provides the following information about the affected product(s) for each Security Advisory:
  • Vulnerability Title
  • Vulnerability Description
  • Advisory Name
  • Advisory URL
  • CVE(s)
  • Affected Product
  • Affected Version
  • Affected Running on
  • Fixed Patch Release Number
  • Fixed Bulletin ID
  • Fixed Build No.
  • Knowledge Base Article associated with fix
  • Workarounds
  • Reporting Company
  • Reporting Individual
  • CVSS v2*
  • CVSS*
  • First Published Date
  • Last Update Date

Note: * CVSS details have been sourced from NIST for consistency.

Ensure DISA Certificate Compliance using VCM

Today, I show you how to ensure compliance with DISA mandates to have DoD certificates on each Microsoft Windows machine using VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops).

This example uses the DISA STIG for Windows 8 / 8.1, Version 1, Release 6, released on 25 Jul 2014.

Below are the DISA requirements for certificates:

  • WN08-PK-000001 – The DoD Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000002 – The External CA Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000003 – The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store
  • WN08-PK-000004 – The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store


VMware CP&C releases Major Updates to DISA STIG *NIX Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the updated DISA STIG compliance toolkit for UNIX and Linux based environments in VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops). This is a major update to the previously released DISA Compliance Toolkits for UNIX and Linux based environments. The compliance toolkit product data sheet can be found here.

This toolkit contains the following DISA STIGs:

  • DISA AIX 6.1 V1R2
  • DISA HP-UX V1R4
  • DISA RH-5 V1R6
  • DISA RH-6 V1R3
  • DISA Solaris 10 V1R6


New VMware Security Advisory VMSA-2014-0007 and updated advisory

Today VMware has released the following new and updated security advisories:
New
VMSA-2014-0007
Updated

VMSA-2014-0006.3

The new advisory details a remote code execution vulnerability in vCenter Operations Management Suite (vCOPS). This advisory also documents a workaround for customers that cannot update to the new version of vCOPS.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2014-0006

Today VMware has released the following new security advisory:

VMSA-2014-0006 – VMware product updates address OpenSSL security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware investigating OpenSSL security vulnerabilities

Following the June 5, 2014 disclosure of new OpenSSL security vulnerabilities, we are currently investigating and assessing impact to our products and services as well as our own customer-facing portals.

We will communicate the results of the investigation and related remediation plans in VMware Knowledge Base article 2079783.

PM Update
We have concluded the assessment of the issues and VMware Knowledge Base article 2079783 has been updated.

New VMware Security Advisory VMSA-2014-0005 and updated advisory

Today VMware has released the following new and updated security advisories:
New
VMSA-2014-0005
Updated
VMSA-2014-0002.3

The new advisory details a privilege escalation issue in VMware Tools on Windows 8.1. In order to remediate this issue, VMware Guest Tools must be updated in any pre-existing Windows 8.1 Guest Operating System.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.