
AI Has Changed the Threat Landscape. Is Your Infrastructure Ready?

Initial industry testing of frontier AI security models against production code is producing a wave of vulnerability findings that is orders of magnitude higher than historical norms. These models are capable of “vulnerability chaining”: combining two or three “low-severity” vulnerabilities into a single, critical exploit path. This represents a fundamental shift in the threat landscape; AI-driven vulnerability discovery is expected to continue at a higher velocity and volume. Over the next several quarters, every major software vendor—Broadcom included—will operate at greater scale and speed to address findings as they emerge. The industry has entered a new phase of cybersecurity, one in which vulnerability discovery will operate at unprecedented speed, and resolution therefore must also accelerate.

This is the new baseline, not an anomaly.

VMware Cloud Foundation 9.1: Built for the Threat Environment We’re In Now

VCF has always been built on a rigorous Secure Development Lifecycle (SDL), the details of which can be found in the Product Security Guide¹, and includes strong platform security capabilities. We have always prioritized maintaining a robust software supply chain, and we are focused on strengthening it further to reduce dependencies on third-party components (open source and commercial), ensure rapid response to upstream vulnerability disclosures, and increase mitigations against software supply chain attacks. Broadcom continues to invest significantly in improvements to VCF’s patch management, credential management, and security functionality.

Broadcom’s vulnerability management practices are based upon severity and exploitability within the context of our products. Applicable fixes are included in appropriate release vehicles, including emergency patches and maintenance releases. Frequency of patches will continue to align with risk-based prioritization and industry practices. In the near term, for VCF 9.1, customers can expect to see an accelerated pace of patch delivery, and we will continue to assess the appropriate frequency as needed. To help customers deploy VCF patches at scale, VCF has a layered patching architecture and unified lifecycle management platform that lets infrastructure teams apply security fixes quickly and independently, without workload disruption.

VCF, and especially VCF 9.1, has strong security capabilities. VCF 9.1 delivers a significantly enhanced security posture and one of the most capable patching experiences, giving organizations a stronger foundation against evolving threats. We expanded ESX live patching to support all ESX hosts, including those with Trusted Platform Modules (TPMs), and added similar capabilities in vCenter Quick Patch. But we didn’t stop there: we added Intel QAT support to accelerate encrypted vMotion, EDR integration in ESX, and a centralized audit trail, to name just a few. With VMware vDefend and VMware Advanced Cyber Compliance, customers gain zero-trust lateral security, IDS/IPS, continuous compliance enforcement, confidential computing, and cyber-recovery. See the VCF 9.1 platform security blog for more details. These are not simply vulnerability fixes, but foundational improvements that strengthen security in light of the new threat environment.

All of the above makes VCF 9.1 the most secure and resilient VCF release. 

Guidance for Existing VCF Deployments

Broadcom is analyzing in-support VCF products using frontier AI security models. For vSphere 8.x, VCF/VVF 5.x, and VCF 9.0 environments, patch releases will continue on the existing schedule, based on Broadcom’s standard Security Advisory processes (customers can subscribe to Security Advisory notifications). Broadcom’s overall guidance for existing deployments is to upgrade to 9.1 as soon as possible to access its enhanced security capabilities. To make the adoption process easier, VCF 9.1 supports new upgrade paths from vSphere 8.x and VCF/VVF 5.x environments, and upgrading from VCF 9.0 to 9.1 is a seamless, in-place process.

Work with Your Broadcom Team to Get to VCF 9.1

Broadcom is committed to customers’ security and to delivering the most secure platform possible. The new reality is that organizations must adapt to this latest phase of cybersecurity risk with urgency. Speed is no longer optional for secured environments. For VCF customers, upgrading to VCF 9.1 offers enhanced security features that help them meet these new challenges. Contact your Broadcom account team or Broadcom partner to conduct a VCF 9.1 upgrade readiness review and accelerate the upgrade process with professional services.

Resources

1 – Broadcom customer login required

