
Additional Patch for JMX RMI Issue (CVE-2015-2342) for vCenter Server 5.x running on Windows

We have discovered that the fix for CVE-2015-2342 documented in VMware Security Advisory VMSA-2015-0007.2 and earlier editions is incomplete for older versions of vCenter Server running on a Windows platform. An additional patch is now available for the following versions of vCenter Server on Windows to complement the earlier fix:

  • vCenter Server 5.0 U3e on Windows
  • vCenter Server 5.1 U3b on Windows
  • vCenter Server 5.5 U3, 5.5 U3a, 5.5 U3b on Windows

The additional patch may be obtained from VMware Knowledge Base article 2144428. Customers running the above versions are strongly advised to apply this patch. Upcoming releases of vCenter Server 5.x on Windows will have a complete fix.

The incomplete fix did not address the remote code execution possibility or the local privilege escalation. If the Windows Firewall is enabled on the Windows system on which vCenter Server is running, remote code execution is not possible.

The fix for CVE-2015-2342 documented in VMSA-2015-0007 for vCenter Server 6.0.0b and later on Windows and for vCenter Server Appliance is complete. Users of these versions do not need to apply the additional patch.

New VMware Security Advisory VMSA-2015-0009

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0009: VMware product updates address a critical deserialization vulnerability

Updated
VMSA-2015-0003.15: VMware product updates address critical information disclosure issue in JRE
VMSA-2015-0008.1: VMware product updates address information disclosure issue

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0008

Today VMware has released the following new security advisory, VMSA-2015-0008, to address an information disclosure issue (CVE-2015-3269).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0007

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0007 for CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047

Updated
VMSA-2015-0006.1 has been updated to clarify the configurations that CVE-2015-6932 applies to.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0006

Today VMware has released the following new advisory:

VMSA-2015-0006

This addresses a VMware vCenter Server LDAP certificate validation issue. For more information on setting up certificates with LDAP, please see http://kb.vmware.com/kb/2130915.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6932 to this issue.

Customers looking for updates to open source and/or third-party software in a product release should refer to the release notes for that release.

VMware releases CJIS compliance toolkit in VCM for Windows based environments

VMware is pleased to announce the availability of an automated compliance assessment toolkit for the Criminal Justice Information Services (CJIS) Security Policy in VMware vRealize Configuration Manager (VCM). The toolkit aligns with CJIS Security Policy version 5.3 and maps to 92 checks across various MS-Windows flavors. Using the toolkit in VCM, law enforcement agencies (state, local, federal, and international partners) can quickly assess Windows configurations and compare them with CJIS Security Policy requirements. Additionally, you can remediate the violations with a few clicks. Get the product sheet!


VMware Products and CVE-2015-1793

On July 9th 2015, the OpenSSL project released a Security Advisory. This advisory contained one security issue (CVE-2015-1793), which was given a severity rating of “high”.

The advisory lists OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c as being affected by this issue. These updates were released in June 2015.

VMware Security Response Center (vSRC) has investigated this issue and we can confirm that we have not shipped any products with these versions of OpenSSL. We can also confirm that our service offerings do not use them.

We have issued VMware Knowledge Base article 2124931 on this.

VMware has put safeguards in place to ensure that upcoming product releases will not ship with these versions of OpenSSL.

New VMware Security Advisory VMSA-2015-0005

Today VMware has released the following new advisory:

VMSA-2015-0005

This addresses an issue in VMware Workstation, Player and Horizon View Client for Windows that may lead to a host privilege escalation.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3650 to this issue.

VMware CP&C releases Blocker for ‘Get Windows 10’ Application

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of a compliance toolkit for blocking the ‘Get Windows 10’ application on all applicable machines.

Microsoft is set to release Windows 10 on July 29th, and it will also be available as a free upgrade for applicable systems via the ‘Get Windows 10’ application. In the Enterprise environment, it is important to maintain control over your devices, and the ‘Get Windows 10’ application can cause quite a stir in the corporate environment. There is, however, relief for those Administrators who wish to smite the application from their environment to ensure that there are no unplanned upgrades.

The “Blocker for ‘Get Windows 10’ application” compliance template in VMware vRealize Configuration Manager (VCM) provides an option to quickly check and enforce remediation to prevent any unplanned upgrade of Windows. The enforcement checks for and, if needed, creates a registry key, and then sets a registry value that disables the GWX application, which is what offers the upgrade of the existing version of Windows.


VMware vRealize Configuration Manager is not limited to compliance. This solution supports configuration and compliance assessment of your Docker containers, *NIX, Windows and virtual environments, along with patching, change management and various other asset management and reporting capabilities. It also supports other regulatory and industry-accepted security benchmarks and guidelines such as HIPAA, PCI DSS, DISA, CIS, IRS, SOX, etc. If you have any questions about this solution, please post them here.

Thanks and Regards,
Aravind Kolipakkam
CISSP | CCSK | ITIL | MCSE | Security+

VMware CP&C releases PCI DSS 3.1 Compliance toolkit in VCM for VMware vSphere 6.0 and other platforms!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of PCI DSS 3.1 compliance toolkits for VMware vSphere 6.0 and other platforms – Windows, *NIX, and VMware vSphere 5.5, 5.1 and 5.0 – in VMware vCenter Configuration Manager (VCM). The toolkits consist of automated compliance rules to assess your environment against PCI DSS 3.1 requirements.

The PCI Security Standards Council (PCI SSC) quickly updated the standard from 3.0 to 3.1 on 15 Apr 2015 in the wake of the SSL vulnerabilities. As per the announcement by the PCI council, the revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. PCI DSS Version 3.1 is effective immediately following its publication on 15 Apr 2015. PCI DSS Version 3.0 will be retired on 30 June 2015.
