Home > Blogs > VMware Security & Compliance Blog

VMware releases CJIS compliance toolkit in VCM for Windows based environments

VMware is pleased to announce the availability of an automated compliance assessment toolkit for the Criminal Justice Information Services (CJIS) Security Policy in VMware vRealize Configuration Manager (VCM). The toolkit aligns with CJIS Security Policy version 5.3 and maps its requirements to 92 checks across supported Windows versions. Using the toolkit in VCM, law enforcement agencies (state, local, federal and international partners) can quickly assess Windows configuration against the CJIS Security Policy requirements and remediate non-compliant settings with a few clicks. Get the product sheet!


VMware Products and CVE-2015-1793

On July 9th 2015, the OpenSSL project released a Security Advisory. This advisory contained one security issue (CVE-2015-1793), which was given a severity rating of “high”.

The advisory lists OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c as being affected by this issue. These updates were released in June 2015.

VMware Security Response Center (vSRC) has investigated this issue and we can confirm that we have not shipped any products with these versions of OpenSSL. We can also confirm that our service offerings do not use them.

We have issued VMware Knowledge Base article 2124931 on this.

VMware has put safeguards in place to ensure that upcoming product releases will not ship with these versions of OpenSSL.

New VMware Security Advisory VMSA-2015-0005

Today VMware has released the following new advisory:

VMSA-2015-0005

This addresses an issue in VMware Workstation, Player and Horizon View Client for Windows that may lead to a host privilege escalation.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3650 to this issue.

VMware CP&C releases Blocker for ‘Get Windows 10′ Application

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of a compliance toolkit for blocking the ‘Get Windows 10’ application on all applicable machines.

Microsoft is set to release Windows 10 on July 29th, and it will also be offered as a free upgrade to eligible systems via the ‘Get Windows 10’ (GWX) application. In an enterprise environment it is important to maintain control over your devices, and the ‘Get Windows 10’ application can cause quite a stir in a corporate environment. There is, however, relief for those administrators who wish to smite the application from their environment and ensure that there are no unplanned upgrades.

The “Blocker for ‘Get Windows 10’ application” compliance template in VMware vRealize Configuration Manager (VCM) provides an option to quickly check for, and enforce, the setting that prevents an unplanned upgrade of Windows. The enforcement creates the required registry key if it does not already exist, and then sets the registry value that disables the GWX application, which is the component that offers the upgrade of the existing Windows installation.


VMware vRealize Configuration Manager is not limited to compliance. The solution supports configuration and compliance assessment of your Docker containers, *NIX, Windows and virtual environments, along with patching, change management and various other asset management and reporting capabilities. It also supports other regulatory and industry-accepted security benchmarks and guidelines such as HIPAA, PCI DSS, DISA, CIS, IRS and SOX. If you have any questions about this solution, please post them here.

Thanks and Regards,
Aravind Kolipakkam
CISSP | CCSK | ITIL | MCSE | Security+

VMware CP&C releases PCI DSS 3.1 Compliance toolkit in VCM for VMware vSphere 6.0 and other platforms!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of PCI DSS 3.1 compliance toolkits for VMware vSphere 6.0 and other platforms (Windows, *NIX, and VMware vSphere 5.5, 5.1 and 5.0) in VMware vCenter Configuration Manager (VCM). The toolkits consist of automated compliance rules to assess your environment against PCI DSS 3.1 requirements.

The PCI Security Standards Council (PCI SSC) quickly updated the standard from 3.0 to 3.1 on 15 Apr 2015 in the wake of the SSL protocol vulnerabilities. As per the announcement by the council, the revision includes minor updates and clarifications, and addresses weaknesses in the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. PCI DSS version 3.1 is effective immediately following its publication on 15 Apr 2015, and PCI DSS version 3.0 will be retired on 30 June 2015.


VMware CP&C releases VMware vSphere 6.0 Hardening Guide Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of the VMware vSphere 6.0 Hardening Guide compliance toolkit in VMware vCenter Configuration Manager (VCM). The toolkit consists of automated compliance rules to assess your VMware vSphere 6.0 virtualized environments against the hardening guide. It covers 100% of the hardening guide recommendations.

The hardening guide has three risk profiles that group the recommendations based on the sensitivity of your environment. You can pick the compliance toolkits for respective risk profile or get all the rules at once and then make modifications to suit your sensitivity category.


New VMware Security Advisory VMSA-2015-0004

Today VMware has released the following new security advisory:

VMSA-2015-0004

VMware Workstation, Fusion and Horizon View Client updates address critical security issues – CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Edward Hawkins
————————
Sr. Program Manager – VMware Security Response Center

VMware Releases Security and Compliance Solution for Docker Containers

As more of VMware’s customers look to run containerized applications, some have raised the question of securing containers in their environments. In partnership with the Center for Internet Security (CIS), Docker and others, VMware has developed a security configuration benchmark for Docker containers that you can download from here.

In all, six parties came together to develop the benchmark — covering 84 recommendations — in just 12 weeks. The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations. It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production.

CIS is an independent organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. At CIS, security configuration benchmarks are created using a consensus review process made up of subject matter experts. The benchmark is the result of collaboration between industry experts who worked closely to develop and corral a consensus set of guidance, drawing on blog posts, articles, other internet resources and the Docker documentation. CIS facilitated the development efforts and guided us throughout the benchmark development process. Each recommendation was thoroughly vetted, tested and endorsed by the consensus team, which consisted of people from CIS, VMware, Docker, Cognitive Scale, International Securities Exchange and Rakuten.

Assessing your Dockerized environments using VMware

However, having just a security benchmark is not enough. Customers also need a mechanism to evaluate containerized workloads against the benchmark and provide compliance visibility and reporting. The solution should also be able to assess diverse workloads hosted on heterogeneous Linux distributions.

VMware has developed such a solution within VMware vRealize Configuration Manager. It is designed as a compliance toolkit, and is the FIRST of its kind to assess containerized workloads against the CIS benchmark. The tool provides compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation from CIS benchmark.

vRealize Configuration Manager covers 100% of the automatable recommendations in the benchmark – addressed here in depth – and even some that are not directly automatable. You can get a detailed listing of the rules available in the VMware solution in the product sheet attached here. 

Let’s dive into a comprehensive overview of the solution.


VMSA-2015-0003 (SKIP-TLS)

New VMware security advisory VMSA-2015-0003 (SKIP-TLS)

Today VMware has released the following new security advisory,

VMSA-2015-0003

The advisory documents CVE-2014-6593, which was issued for the incorrect handling of the ChangeCipherSpec message in the Oracle JRE, also known as “SKIP” or “SKIP-TLS”. The issue allows a man-in-the-middle to manipulate the SSL/TLS handshake, which may result in impersonation of the server or in communication over plaintext between client and server.

We have reviewed CVE-2014-6593 and determined that it is a critical security issue if an application initiates communication over an untrusted network. Because of this, VMware is updating JRE in products that may face the Internet first, followed by updating JRE in products that are typically deployed in a datacenter but don’t communicate outside. The advisory will be republished when JRE is updated in VMware products through new patches or product releases.
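The failure mode above, as an added example written for this page (it is not VMware or Oracle code and does not reproduce the JSSE flaw line by line): a toy client handshake state machine driven by a constructed server transcript in which a man-in-the-middle relays the handshake but drops ChangeCipherSpec. A client that treats Finished alone as proof of a completed handshake ends up sending its first request in plaintext; a client that enforces message order rejects the connection. The message names are the TLS ones; the classes, functions and transcripts are assumptions made for this illustration.

```python
# Toy model of a TLS client's handshake state machine, written for this
# page to illustrate the bug class behind CVE-2014-6593 (SKIP-TLS).
# It is not VMware or Oracle code, does no real cryptography, and does not
# reproduce the JSSE flaw line by line: it shows why "handshake finished"
# must be tied to the ChangeCipherSpec transition.
from dataclasses import dataclass, field
from typing import List

# Server-side messages a client sees in an RSA key exchange, in the order
# TLS requires them. ChangeCipherSpec is a record-layer message that flips
# the connection to the negotiated cipher; everything after it is encrypted.
SERVER_HELLO = "ServerHello"
CERTIFICATE = "Certificate"
SERVER_HELLO_DONE = "ServerHelloDone"
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"
FINISHED = "Finished"
APPLICATION_DATA = "ApplicationData"

EXPECTED_ORDER = [SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE,
                  CHANGE_CIPHER_SPEC, FINISHED]


class HandshakeError(Exception):
    """Raised when the client refuses a message and aborts the connection."""


@dataclass
class ToyClient:
    strict: bool                      # enforce EXPECTED_ORDER or not
    cipher_active: bool = False       # set only when ChangeCipherSpec arrives
    handshake_done: bool = False      # set when Finished is accepted
    seen: List[str] = field(default_factory=list)

    def receive(self, msg_type: str) -> None:
        """Consume one server message. The strict client checks the message's
        position in EXPECTED_ORDER; the lenient client (the modelled bug) only
        checks that it is a known handshake message, so a skipped
        ChangeCipherSpec goes unnoticed and Finished alone ends the handshake."""
        if msg_type == APPLICATION_DATA:
            if not self.handshake_done:
                raise HandshakeError("application data before handshake completed")
            return
        if msg_type not in EXPECTED_ORDER:
            raise HandshakeError(f"unknown message {msg_type}")
        if self.strict:
            if len(self.seen) >= len(EXPECTED_ORDER):
                raise HandshakeError("handshake message after Finished")
            expected = EXPECTED_ORDER[len(self.seen)]
            if msg_type != expected:
                raise HandshakeError(f"got {msg_type}, expected {expected}")
        self.seen.append(msg_type)
        if msg_type == CHANGE_CIPHER_SPEC:
            self.cipher_active = True
        elif msg_type == FINISHED:
            self.handshake_done = True

    def send(self, data: bytes) -> str:
        """Report how the first application record would leave the client:
        'encrypted' if the cipher is active, 'plaintext' if the handshake is
        marked done but no ChangeCipherSpec ever activated the cipher."""
        if not self.handshake_done:
            raise HandshakeError("cannot send before handshake completed")
        return "encrypted" if self.cipher_active else "plaintext"


# Constructed transcripts (sample input for this example, not captured traffic).
HONEST_SERVER = [SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE,
                 CHANGE_CIPHER_SPEC, FINISHED]
# A man-in-the-middle relays the handshake but drops ChangeCipherSpec.
SKIP_CCS_ATTACK = [SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE, FINISHED]


def run_handshake(strict: bool, transcript: List[str],
                  payload: bytes = b"GET /admin HTTP/1.1\r\n") -> str:
    """Drive a client through a server transcript and report the fate of its
    first application record: 'rejected', 'encrypted' or 'plaintext'."""
    client = ToyClient(strict=strict)
    try:
        for msg in transcript:
            client.receive(msg)
        return client.send(payload)
    except HandshakeError:
        return "rejected"


if __name__ == "__main__":
    for strict in (True, False):
        for name, transcript in (("honest", HONEST_SERVER),
                                 ("skip-ccs", SKIP_CCS_ATTACK)):
            print(f"strict={strict!s:5} {name:9} -> "
                  f"{run_handshake(strict, transcript)}")
```

The point of the model is the coupling between two flags: a stack that marks the handshake complete on Finished without requiring the ChangeCipherSpec transition first decouples "authenticated" from "encrypted", which is exactly the plaintext outcome the advisory describes. Wherever a TLS implementation tracks handshake state, the order check belongs in the state machine itself rather than in the individual message handlers.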

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

VMware Announces its Membership in SAFECode

VMware is proud to announce its associate membership in the Software Assurance Forum for Excellence in Code (SAFECode). The forum is exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software and services.

Please see the following CTO blog post by Iain Mulholland for more details about this exciting news.