VMware

June 27, 2008

VMware Infrastructure Earns Common Criteria EAL4+ Certification

On May 20, 2008, VMware VI3 (ESX Server 3.0.2 & VirtualCenter 2.0.2) achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme (CCS). EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA).

This milestone marks the completion of an intensive effort during which VMware ESX Server and VirtualCenter were examined, tested and certified at the Evaluation Assurance Level 4 (EAL4+). In addition to validating VI3, personnel from the validation lab visited VMware to witness and validate VMware’s planning, development, QA, IT, HR, and delivery processes, and to validate building physical security. The plus (+) appended to the assurance level indicates this certification included the optional Flaw Remediation component. To achieve Flaw Remediation, VMware’s issue tracking & flaw remediation processes were also validated.

VMware is the first and only virtualization vendor for industry-standard x86 hardware to successfully complete the rigorous Common Criteria certification process. Although several operating system vendors bundle virtualization technologies as part of their products, to date, none have included virtualization technology as part of their Common Criteria security certifications.

This announcement also demonstrates VMware’s continued commitment and focus on security. VMware completed the first Common Criteria certification for a virtualization product on x86 hardware in March 2006 with the Common Criteria certification of VMware ESX Server 2.5 & VMware VirtualCenter 1.2 at EAL2. VMware has also entered VMware ESX 3.5 and VirtualCenter 2.5 into evaluation for certification at EAL4+.

I must thank VMware’s Engineering, Security, IT, Marketing, Delivery, and Facilities teams for their assistance with this effort. I also want to acknowledge VMware’s vendors Corsec Security, Inc. and EWA-Canada, Ltd. for their efforts in achieving this goal.

Eric Betts
Project Manager

VI3 (ESX Server 3.0.2 and VirtualCenter 2.0.2) certification at EAL4+:
http://www.cse-cst.gc.ca/services/ccs/vmware-e.html

VMware Press Release – June 2, 2008:
http://www.vmware.com/company/news/releases/common_criteria.html

ESX Server 2.5 and VirtualCenter 1.2 certification at EAL2:
http://www.niap-ccevs.org/cc-scheme/st/?vid=10056

June 04, 2008

New and Updated VMware Security Advisories for ESX(i) and VMware Hosted Products

On June 3 and May 29, VMware released patches for security issues in VMware ESX(i) and VMware Workstation, Player, ACE, Server, and Fusion. The issues range from denial of service to code execution on the host system from the guest system. You are advised to review the new security advisories, VMSA-2008-0008 and VMSA-2008-0009, and the updated advisory VMSA-2008-0007, and deploy the patches and new binaries per your security policy.

We would like to draw your attention to a special situation with one of the patches listed in VMSA-2008-0009. Installing the new hosted release or the ESX patches alone will not remediate the VMware Tool Privilege Escalation issue. To fix this issue, the VMware Tools packages will need to be updated on each guest operating system, followed by a reboot. This issue affects Windows-based guest operating systems only.

As always, we welcome your comments and questions at security@vmware.com (PGP key).