
Category Archives: Uncategorized

VMware Security Note

Today, Nov. 4, 2012, our security team became aware of the public posting of VMware ESX source code dating back to 2004. This source code is related to the source code posted publicly on April 23, 2012. (For reference: April 24, 2012 and May 3, 2012). It is possible that more related files will be posted in the future. We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.

Ensuring customer security is our top priority. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. We also recommend customers review our security hardening guides. By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected.

As is our practice, VMware will continue to assess any further security risks, and will provide recommendations and updates here as appropriate.

Note: We encourage customers to view the May 3, 2012 security patch information as a resource: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html


VMware vSphere Data Protection 5.1 – integrated email notification system

VMware vSphere Data Protection 5.1 has an integrated email notification system which, once configured, may send server error and status messages to a server that is accessible to EMC, the parent company of VMware and collaborator on VDP 5.1. Some customers may consider this information to be sensitive.
All messages received have been disposed of. Future messages received from this notification system will be immediately deleted.
This KB provides a script to disable the notification function. Customers are requested to follow the steps outlined in the KB.

October 2, 2012 Update
VMware has released a new version of vSphere Data Protection 5.1 in which the notification function is permanently disabled. Customers should upgrade to this version immediately, see the KB for details.

Using vCenter Networking and Security, App Distributed Firewall for Exchange and IIS in the DMZ

For all distributed virtual firewall fans…

This whitepaper gives configuration tips and examples for using vShield App to secure Exchange and Microsoft IIS/MS-SQL multi-tier applications in the DMZ. It also covers some best practices related to this type of deployment.

The paper has been posted at: http://www.vmware.com/resources/techresources/10298

VMware CP&C releases two FREE HIPAA compliance checkers for VMworld!

As we are preparing for the most exciting US VMworld in history, VMware’s Center for Policy & Compliance (CP&C) is pleased to release TWO free HIPAA Compliance Checkers!

Here are some details around the checkers:

  • 19 HIPAA-based rules for Linux and Windows
      • RHEL 5.x, 6.x or SuSE 10.x, 11.x
      • Windows 2003, Windows 2008 or Windows 2008 R2
  • Add up to 5 machines at a time for assessment
  • Get detailed rule descriptions and remediation steps

You can download the checkers here:

https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default

After downloading the checkers, all you need to do is authenticate and run a compliance assessment.

You can then view the results and drill down into the specific rule details and remediation recommendations.

The VMware CP&C FREE Checkers are sweeter than bacon and designed to get you hooked & come back for more!

Remember, we also have FREE checkers for vSphere 4.0, 4.1, 5.0 AND for PCI 2.0 Windows & Linux.

If you have compliance concerns and need more coverage, you can leverage the full-blown rules, content, dashboards and remediation in vCenter Configuration Manager (vCM), part of the vCenter Operations Manager Suite (vC Ops).

You can hear more about the Checkers and other VMware Security and Compliance Solutions at VMworld 2k12. Here is a list of key sessions that you should register for NOW:

  • INF-SEC2306 – Integrating Virtual and Physical IT Controls to Support Enterprise Wide Compliance Programs
  • INF-SEC2850 – The Four Must-Haves for a Secure Cloud Infrastructure
  • EXPERTS02 – Meet the Experts
  • INF-SEC2627 – Software Defined Security, Myth Busting Data Center Security with Real-life Implementations
  • GD16 – Compliance with George Gerchow
  • INF-SEC1840 – VMware vSphere Hardening to Achieve Regulatory Compliance: Better, Faster, Stronger
  • INF-SEC1172 – Using VMware vCenter Networking and Security and vCenter Configuration Manager to Achieve Better than Physical Security for Business Critical Apps
  • EUC2792 – VMware View 5.1: Security Deep Dive
  • INF-SEC1759 – Appeasing Your PCI Assessor Using vCloud Networking and Security to Segment and Secure Your Virtual Data Centers
  • INF-SEC2813 – Beyond the Hypervisor – Three Key Areas to Consider When Securing Your Cloud Infrastructure Platform
  • VMworld – SafeNet Panel Discussion. Location: Solutions Exchange Theater, on the Expo Floor, Moscone Center
  • INF-SEC1282 – Automating Security and Compliance with Disaster Recovery Using VCM, vCOps, vShield, VIN and SRM
  • INF-SEC2330 – How to Enable and Host PCI Compliant Applications in a Private Cloud Environment

Join the discussion on any of our social media channels: blogs, Twitter, Facebook, or the community forum.

Over and out!

George Gerchow – Director, VMware Center for Policy & Compliance

vShield 5 App Deep Dive Series Part 2: Management Communications

Hello all! Here is another answer to a vShield question that has made a few people, including yours truly, go "Hmmm…": the protocols and paths for the moving parts behind vShield management. Knowing this is critical for deploying vShield. Here's the lowdown…

Continue reading

VMware CP&C releases IRS 1075 Content in vCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the release of IRS 1075 content in vCenter Configuration Manager (vCM), a key component of the vCenter Operations Suite (vC Ops).

IRS Publication 1075, Safeguards for Protecting Federal Tax Returns and Return Information, sets the requirements for protecting Federal Tax Information (FTI).

Introduction to IRS 1075 for Virtualization

To utilize a virtual environment that receives, processes, stores or transmits FTI, the agency must meet the following mandatory notification requirements:

Notification Requirements

  • If the agency's approved Safeguard Procedures Report (SPR) is less than six years old and reflects the agency's current processes, procedures and systems, the agency must submit the Virtualization Notification, which will serve as an addendum to the SPR.
  • If the agency's SPR is more than six years old or does not reflect the agency's current processes, procedures and systems, the agency must submit a new SPR and the Virtualization Notification.


With the IRS 1075 content in vCM, customers get a dashboard to track their compliance posture.

You can also break down the compliance results by data type to see where most of your infractions are coming from.

From there, you can see the individual rules behind the content that is surfaced in our dashboards. This release provides 5 rule groups, 2 templates and 104 rules.

Keep in mind that vCM manages not only virtual environments but physical ones as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. Yes! That is right, we can also remediate non-compliant results with a right click in both the virtual and physical world! vCM even has VDI (View) hardening guidelines. Look for our Mobile Compliance Content coming soon…

Also, don't forget about the VMware CP&C FREE compliance checkers! 

https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default

The IRS 1075 guidelines are available today and can be downloaded using the vCM Content Wizard.

Feel free to hit us up with questions and comments.

Hasta La Vista,

George Gerchow – Director, VMware Center for Policy & Compliance


vShield 5 App Deep Dive Series Part 1: Deployment options for vShield Manager with vCenter Server

A very common question has been whether you can have vShield App protect the same cluster running its associated vCenter Server and vShield Manager.  Now with 5.0.1, this is no longer a limitation! There are some minor trade-offs, which I describe…

Continue reading

vSphere 5.0 Security Hardening Guide Released

I would like to announce the official release of the vSphere 5.0 Security Hardening Guide.  This version represents a significant step in the evolution of this guide.  Based on feedback from customers and partners, the guide was re-structured from the ground up with the following key aspects:

  • The guide is being released exclusively in spreadsheet format. Many of you have indicated that, although the accompanying text found in previous versions of the guide is interesting, the specific steps for assessing and remediating each recommendation are what really matter. Since people often end up putting the guide into spreadsheet format anyway, we figured we'd save you the trouble!
  • All guidelines share the same set of metadata and a new standardized, extensible identification scheme. This lets customers adapt the guide to their particular environment by selecting the specific guidelines and fields that interest them, and helps them generate standard checklists and similar documents.
  • A primary goal for this guide was to make it easier to automate. To this end, the guide includes both assessment and remediation commands for the three main vSphere CLIs: vSphere CLI (vCLI), ESXi Shell, and PowerCLI. References have also been added to the sections of the vSphere API documentation that relate to each specific guideline.
  • The previous recommendation levels have been replaced by a system using Profiles. This is part of the move toward putting the guide into an industry-standard format, a potential benefit that will be fully realized in the future.
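As an added illustration of the assessment-plus-remediation pattern the guide describes (this script is not from the guide or the original post), the PowerCLI below checks two common ESXi hardening items across every host in a vCenter, whether the SSH service is running or set to start automatically, and whether the ESXi Shell idle timeout is disabled or too long, and remediates only when asked. The cmdlets are standard PowerCLI; the vCenter address, the 900-second target timeout and the -Remediate switch are assumptions, and the script does not use the guide's own guideline IDs, which are not reproduced on this page.

```powershell
# Added example, not from the vSphere 5.0 Security Hardening Guide.
# Assesses two ESXi hardening items with PowerCLI and remediates only when -Remediate is given.
# Assumptions: vCenter address, target timeout value and the guideline selection are illustrative.
param(
    [string]$VCenter = "vcenter.example.local",   # assumed vCenter address
    [int]$ShellTimeoutSeconds = 900,              # assumed target; ESXi 5.0 stores this setting in seconds (0 = disabled)
    [switch]$Remediate                            # report only unless this switch is set
)

Connect-VIServer -Server $VCenter | Out-Null

$findings = @()

foreach ($vmhost in Get-VMHost) {
    # Item 1: SSH service should be stopped and its startup policy should be "off".
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "TSM-SSH" }
    if ($ssh.Running -or $ssh.Policy -ne "off") {
        $findings += [pscustomobject]@{
            Host  = $vmhost.Name
            Item  = "SSH service"
            Value = "running=$($ssh.Running) policy=$($ssh.Policy)"
        }
        if ($Remediate) {
            if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
            Set-VMHostService -HostService $ssh -Policy "off" | Out-Null
        }
    }

    # Item 2: ESXi Shell idle timeout should be enabled (non-zero) and no longer than the target.
    $timeout = Get-AdvancedSetting -Entity $vmhost -Name "UserVars.ESXiShellTimeOut"
    $current = [int]$timeout.Value
    if ($current -eq 0 -or $current -gt $ShellTimeoutSeconds) {
        $findings += [pscustomobject]@{
            Host  = $vmhost.Name
            Item  = "UserVars.ESXiShellTimeOut"
            Value = $current
        }
        if ($Remediate) {
            Set-AdvancedSetting -AdvancedSetting $timeout -Value $ShellTimeoutSeconds -Confirm:$false | Out-Null
        }
    }
}

# One row per non-compliant item; an empty table means every host passed both checks.
$findings | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remediate to get a findings table you can compare against the guide's spreadsheet, then re-run with -Remediate after change control approves. Note that the unit of UserVars.ESXiShellTimeOut changed between ESXi releases, so confirm the unit for your version before choosing the target value.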

The Introduction tab of the guide describes the new naming scheme, structure, recommendation levels, and other aspects of the guide in more detail.  Please read this tab first before diving into the rest of the guide, as it provides important context.

The vSphere 5.0 Security Hardening Guide has been posted to the VMware Communities in the "Security and Compliance” area, in the Documents tab.  Thanks to everyone who provided feedback on the Public Draft, and also to the team at VMware who contributed to this guide in many significant ways.

Charu Chaubal
Technical Marketing, Cloud Infrastructure 

VMware vSphere v5.0 Earns Common Criteria EAL4+ Certification

On May 22, 2012, VMware vSphere 5.0 achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme.

The visibility of, and focus on, security in IT infrastructure environments has increased significantly in recent years, motivating IT professionals to seek systems that help protect their valuable data assets. Common Criteria provides a level of assurance that VMware vSphere 5.0 has met specific security design and implementation specifications. Common Criteria verifies that security functional requirements were met through a rigorous, standards-based evaluation process, which included functional and vulnerability testing in addition to reviews of VMware's implementation and development processes. The certification also included Flaw Remediation, which evaluates VMware's processes for supporting vSphere 5.0 with future security and maintenance updates.

Common Criteria is an ISO/IEC standard (ISO/IEC 15408) for evaluating IT security; the certification attests that vSphere 5.0 has met the required design and testing criteria. Common Criteria certification enables a significant number of VMware's federal, defense, and state and local government sales, as well as large private-sector sales. These sectors use standards-based IT testing methodologies as a further validation of IT product security. This certification validates VMware's commitment to security, standards processes and global standards.

VMware was the first x86 virtualization vendor to complete a Common Criteria certification in 2006 and has continued the tradition of certifying each release since then.  This milestone marks the fifth iteration of completing this certification process.  As VMware continues to set the standard in virtualization and cloud computing, be sure to visit VMware’s Security Certifications web page for updates on future Common Criteria and other certifications activities at VMware.

The certification effort has had many resource touch points.  I would like to acknowledge the contributions of VMware teams, Corsec Security, and CGI for their participation in achieving this milestone.

For the most up to date listing of VMware’s certifications, visit the Security Certifications section of VMware’s web site.

Eric Betts
Certifications Manager


VMware Security Update

On April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code dating back to 2004, and the possibility that more files may be posted in the near future. Ensuring customer security is our top priority. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. As part of its regular program of providing patches for security and other issues, VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected. As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate. 

As always, we welcome security-related concerns shared with VMware through our established channels.

2012 Security Update: Statement regarding the VMware Security Blog (Japanese translation)

Frequently Asked Questions:

1. Are these software patches related to source code associated with the April 23rd incident?

VMware has consistently provided software updates and patches to help customers maintain the most reliable and secure environment. In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.

2. Is my environment at risk if I do not apply these latest patches?

VMware provides security updates and patches from time to time to mitigate known security issues that may put customer environments at risk. As a matter of best practice, we encourage customers to always apply the latest software updates and patches relevant to their environment. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

3. What does VMware do on a regular basis to secure its information?

VMware has a comprehensive Information Security Program in place. The Information Security Team is focused on effectively safeguarding VMware’s information, intellectual property, infrastructure, and users. The VMware Information Security Team effectively assesses and manages security risks across the enterprise based on the evolving landscape of threats, laws, regulations, and industry practices.

4. What does VMware do to ensure a secure customer virtual environment?

VMware uses a number of techniques during its software development cycle to improve upon the security of its products. These standard techniques include Threat Modeling, Static Code Analysis, Incident Response Planning, and Penetration Testing using both internal and external security expertise. VMware has an established security engineering group that integrates these techniques into the software development cycle, provides security expertise, guidance on the latest security threats and defensive techniques, and training within the development organization. This group is also responsible for driving VMware products through external security accreditations and certifications.

5. How are you keeping customers informed?

VMware will continue to update our public security blog with up-to-date communications and instructions, as well as inform customers through the VMware Product Support Center.