
New VMware Security Advisory VMSA-2014-0004 (Heartbleed)

Today VMware has released the following new security advisory:

VMSA-2014-0004

This advisory lists the VMware product updates and patches that address the OpenSSL Heartbleed issue, CVE-2014-0160. This is only the first release of the advisory; it will be updated several more times this week as further product updates and patches are released.

In order to remediate the issue, follow these steps in this order:
- Deploy the VMware product update or product patches that address CVE-2014-0160
- Replace certificates
- Reset passwords
The advisory lists product-specific references to installation instructions and certificate management documentation.
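The three steps above as a small check script. This is an added example, not VMware's code or the advisory's own tooling: the version test encodes the upstream affected range (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2), and the dates passed to the second function are assumed to come from your own change records. The sample banners in the block are constructed, not captured from any VMware product.

```python
"""Added example, not VMware's code: screen an OpenSSL version banner for
the Heartbleed-affected range, then check that the advisory's three
remediation steps were completed in a safe order."""
import re
from datetime import date

# Affected upstream releases: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g / 1.0.2-beta2. 1.0.0 and 0.9.8 never had the heartbeat code.
_BANNER = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_vulnerable(banner: str) -> bool:
    """True if the upstream version in `banner` (the output of
    `openssl version`) is in the affected range. Banner only: vendors
    that backported the fix keep the old version letter, so confirm a
    'vulnerable' answer against the vendor's advisory or package changelog."""
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    if branch == (1, 0, 1):
        return letter < "g"          # "" and "a".."f" are affected
    if branch == (1, 0, 2):
        return beta == 1
    return False


STEPS = ("deploy product update or patch", "replace certificates", "reset passwords")


def remediation_gaps(patched_on, certs_replaced_on, passwords_reset_on):
    """Return the advisory steps still outstanding. Each argument is an ISO
    date string ('2014-04-10') or None if the step was never done.
    Order matters: a certificate or password changed before the patch could
    have been leaked again through the same bug, and a password reset before
    the certificate swap travelled over a session whose key may already be
    compromised (if that session lacked forward secrecy). Both count as not done."""
    def parse(s):
        return None if s is None else date.fromisoformat(s)

    patched, certs, pw = parse(patched_on), parse(certs_replaced_on), parse(passwords_reset_on)
    if patched is None:
        return list(STEPS)
    gaps = []
    certs_ok = certs is not None and certs >= patched
    if not certs_ok:
        gaps.append(STEPS[1])
    if not (certs_ok and pw is not None and pw >= certs):
        gaps.append(STEPS[2])
    return gaps


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any VMware product.
    for b in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(b, "->", "VULNERABLE" if heartbleed_vulnerable(b) else "not affected")
    print(remediation_gaps("2014-04-10", "2014-04-08", "2014-04-12"))
```

Two caveats a practitioner should keep in mind: the banner says nothing about processes that still have the old library mapped, so a patched host is only fixed once the affected services (or the host) have been restarted; and a backported vendor fix can leave a 1.0.1e banner on a host that is no longer affected, which is why the advisory's product-specific references, not the banner, are authoritative for VMware products.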

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0003 and updated advisory

Today VMware has released the following new and updated security advisories:
New
VMSA-2014-0003
Updated
VMSA-2014-0002.1

The new advisory details two security vulnerabilities in vSphere Client, CVE-2014-1209 and CVE-2014-1210. In order to remediate these issues, existing vSphere clients will need to be replaced by the newly released versions.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Note:
The new and updated advisories released today are not related to the OpenSSL Heartbleed issue, CVE-2014-0160. VMware is working on remediation of this issue and update releases that address this issue will be documented in a new VMware Security Advisory.
Currently VMware Knowledge Base article 2076225 provides the latest status on VMware products and services and the OpenSSL Heartbleed issue.

VMware products and the Heartbleed OpenSSL issue, CVE-2014-0160

We have just posted VMware Knowledge Base article 2076225 with the results of our ongoing investigation into the Heartbleed OpenSSL issue. We will update the article during the investigation. VMware has products that ship with OpenSSL 1.0.1 and that are affected by the issue.

Customers are advised to review the article and direct any questions to VMware Support.

VMware CP&C releases PCI DSS 3.0 Compliance toolkit for Windows Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for Windows Environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect on January 1, 2014. The PCI DSS 3.0 compliance toolkit for VMware vSphere based virtual environments and the PCI DSS 3.0 Compliance toolkit for *NIX based environments were released earlier this year.

PCI DSS 3.0 compliance Windows toolkits are available for the following environments:

Windows Server 2003 (DC and MS)
Windows Server 2003 R2 (DC and MS)
Windows Server 2008 (DC and MS)
Windows Server 2008 R2 (DC and MS)
Windows Server 2012 (DC and MS)
Windows Server 2012 R2 (DC and MS)
Windows 7
Windows 8
Windows 8.1

Legend:
DC = Domain Controller
MS = Member Server

You can download the packages using the Compliance Content Wizard tool in VCM or from the VMware Solution Exchange and begin using them.

Keep in mind that VCM manages not only virtual environments but physical ones as well. It is the market leader in configuration audit, change detection, patch management and COMPLIANCE content. With new additions such as the Scripted Remediation Framework, a high level of OS patch automation with auto-deploy functionality, easy install and setup, SCAP based compliance and a new look and feel, it is better than ever before!

Come, join the journey to Start Green Stay Green!

Thanks and regards,
Pravin Goyal,
RHCE | HP-UX CSA | VCP4-DCV | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F

Security Updates in vSphere 5.5 Update 1 + Hardening Guide news

5.5 Update 1 Release Notes

vSphere 5.5 Update 1 was released on March 11th, 2014. The primary drivers for this release were lots of bug fixes and support for VSAN. At the risk of duplicating a huge amount of the release notes, please review in detail those things that are important to you. There are a number of things in Upgrade and Installation and there is a specific Security section that would be of interest. Also review the Known Issues section as there are some interesting tidbits in there as well.

5.5 Hardening Guide Update

I will be releasing an update to the vSphere Hardening Guide to go along with 5.5 Update 1 in the next couple of weeks. I’ve been collecting updates since it was released shortly after 5.5. No MAJOR changes, just minor fixes and a couple of clarifications and at least one deletion. More on this soon. I know it’s a hot button for some folks.

If there’s something YOU think needs to be corrected, now is the time to let me know!

Get in touch as a reply to this blog or preferably an email to me. I’m mfoley at VMware.com.

Thanks,

mike

VMware Security & Compliance – “News Team Assemble!”

Hola Peeps!
That’s right Ron Burgundy fans, News Team Assemble! http://www.youtube.com/watch?v=MPpiCdt5aC8
 
It is great to be back at VMware and sharing with all of you once again after a wonderful year at EMC where I was rollin with the Elite – Cloud Business Director Team.
My new role: Cloud Management Security & Compliance Evangelist. What have I been doing? Getting the Wolf Pack back together in a HUGE way at VMware with some key new additions like Tom Corn and my long time friend & colleague Dr. Dennis Moreau.
The gang is working on amazing projects like the planet’s first PCI Validated Cloud using OpenStack and NSX! Of course we are enlisting a little help from our friends at Coalfire, VMware CP&C & Rich Rees. The risk and cost could be high, but we will do our best to prove it out. BTW: CP&C is still delivering great content including PCI 3.0, HIPAA and FedRamp. The team is also working on updated integrated solutions for vCOPS (vCM) and Archer (GRC).
For those of you who did not have the opportunity to attend RSA 2k14, you missed out! There were over 20k folks in attendance and the amount of new startups in the cloud space had the expo floor hyped up. (Not to mention the fact that a vendor had a FULL BLOWN boxing ring with 2 pro fighters entertaining the blood thirsty crowd! I also have to mention strong representation from BeyondTrust, HyTrust and CipherCloud.)
The VMware booth also had a ton of great traffic and for ONCE, people were not asking questions like “What are you doing at RSA?”. This year it was all about our solutions like LogInsight, NSX, vCM aka vCOPS and the tremendous partner ecosystem we have put together over the last few years.
In closing, let’s turn the focus to Data Protection and how it is going to work moving forward in the cloud. We are starting to see a lot of companies wanting to hop on this bandwagon without really thinking it through or consulting their security & compliance team. The insider threat issue within a private cloud continues to be in the news and could either open the door for a provider to take over sensitive data or give the CISO more power and funding for protecting IP & keeping mission critical workloads on Prem.  BTW: The CIO is also paying the price, not just the CISO. http://www.washingtonpost.com/business/economy/targets-chief-information-officer-is-stepping-down-in-wake-of-data-breach/2014/03/05/391be810-a479-11e3-8466-d34c451760b9_story.html
The CIA has made a bet on AWS, we will see how it pans out over time. Here are two points of view, one is a love fest between the two parties, the other a 3rd party opinion on privacy & potential stumbling blocks. http://www.computerworld.com/s/article/9246814/U.S._spy_agencies_adopt_new_IT_approach  http://www.huffingtonpost.com/norman-solomon/why-amazons-collaboration_b_4824854.html
It would be great to hear your opinion as we continue to ramp up our private, hybrid and public cloud offerings. Check out our latest announcement as we announce vCloud Government Service for U.S. Public Sector.  http://blogs.vmware.com/vmware/2014/03/fastest-path-cloud-vmware-announces-vcloud-government-service-u-s-public-sector.html

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum.

Cambio y Fuera!
George Gerchow
VMware Cloud Management Solutions Evangelist Security & Compliance – CISSP, ITIL, CCNA, MCPS, SCP

New VMware Security Advisory VMSA-2014-0002

Today VMware has released the following new security advisory:

VMSA-2014-0002

Among the fixed issues is CVE-2013-5211 “DDoS vulnerability in NTP third party library”. VMware Knowledge Base article 2070193 provides mitigation for this issue and documents when vSphere components are affected.
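As an added example that is not VMware's code and not the procedure in KB 2070193 (which remains the reference for vSphere components), a check for whether an ntp.conf still exposes the mode 7 `monlist` query that CVE-2013-5211 abuses for reflected, amplified DDoS. The upstream ntpd mitigations are `disable monitor` or a `noquery` flag on the default restrict line(s); the sample configurations in the block are constructed.

```python
"""Added example, not VMware's code: decide whether an ntp.conf still
answers the mode 7 `monlist` query that CVE-2013-5211 abuses.
Two mitigations stop it: `disable monitor`, or a `noquery` (or `ignore`)
flag on the default restrict line(s)."""


def monlist_exposed(ntp_conf: str) -> bool:
    """True if unknown clients can still pull the monitor list.
    A missing default restrict line counts as exposed, since ntpd then
    answers everyone. IPv4 and IPv6 are checked separately, because a
    `restrict -4 default` line without a matching `-6` line (or vice
    versa) leaves the other address family open."""
    monitor_on = True
    default_flags = {"any": None, "-4": None, "-6": None}
    for raw in ntp_conf.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not words:
            continue
        if words[0] in ("disable", "enable") and "monitor" in words[1:]:
            monitor_on = words[0] == "enable"     # last directive wins
        elif words[0] == "restrict":
            args = words[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if args and args[0] == "default":
                default_flags[family] = set(args[1:])
    if not monitor_on:
        return False                              # nothing to list

    def blocked(flags):
        return flags is not None and bool({"noquery", "ignore"} & flags)

    # A family is covered by its own -4/-6 line or by the unqualified line.
    v4 = blocked(default_flags["-4"]) or blocked(default_flags["any"])
    v6 = blocked(default_flags["-6"]) or blocked(default_flags["any"])
    return not (v4 and v6)


# Constructed samples, not taken from any VMware product.
WEAK_CONF = """\
# typical pre-2014 default: queries are still answered
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
server 0.pool.ntp.org
"""
HARDENED_CONF = WEAK_CONF.replace("nopeer", "nopeer noquery")
DISABLED_CONF = WEAK_CONF + "disable monitor\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("noquery", HARDENED_CONF), ("disable monitor", DISABLED_CONF)):
        print(f"{name}: {'EXPOSED' if monlist_exposed(conf) else 'mitigated'}")
```

Note that `noquery` only blocks mode 6/7 control and monitoring queries; ordinary time requests from clients are still served, which is why it is the usual mitigation rather than `ignore`.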

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware CP&C releases PCI DSS 3.0 Compliance toolkit for *NIX Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for UNIX and Linux Environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect on January 1, 2014. The PCI DSS 3.0 compliance toolkit for VMware vSphere based virtual environments was released earlier this month.


New ESXi security whitepaper now available

Hi everyone,

Over on the vSphere blog I have posted a new entry on the availability of a whitepaper on the security of VMware’s ESXi hypervisor. I hope you find the whitepaper useful. Please post or send your feedback. Head on over to the vSphere blog posting!

 

mike

VMware CP&C releases PCI DSS 3.0 Compliance toolkit for Virtual Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for Virtual Environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect on January 1, 2014. We turned it around quickly and now have PCI DSS 3.0 compliance toolkits available for the following VMware vSphere based virtual environments:

VMware vSphere 5.0
VMware vSphere 5.1
VMware vSphere 5.5
