On April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code dating back to 2004, and the possibility that more files may be posted in the near future. Ensuring customer security is our top priority. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. As part of its regular program of providing patches for security and other issues, VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: kb.vmware.com/kb/2019941 and www.vmware.com/security/advisories/VMSA-2012-0009.html.
By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected. As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate.
As always, we welcome any security-related concerns to be shared with VMware via the following channels:
- Support requests - www.vmware.com/support
- Community forums - communities.vmware.com
- Twitter - @VMwarecares
- Calling Customer Service at 1-877-486-9273 (option 4) or www.vmware.com/support/us_support.html for global numbers
Frequently Asked Questions:
1. Are these software patches related to source code associated with the April 23rd incident?
VMware has consistently provided software updates and patches to help customers maintain the most reliable and secure environment. In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.
2. Is my environment at risk if I do not apply these latest patches?
VMware provides security updates and patches from time to time to mitigate known security issues that may put customer environments at risk. As a matter of best practice, we encourage customers to always apply the latest software updates and patches relevant to their environment. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.
3. What does VMware do on a regular basis to secure its information?
VMware has a comprehensive Information Security Program in place. The Information Security Team is focused on effectively safeguarding VMware’s information, intellectual property, infrastructure, and users. The VMware Information Security Team effectively assesses and manages security risks across the enterprise based on the evolving landscape of threats, laws, regulations, and industry practices.
4. What does VMware do to ensure a secure customer virtual environment?
VMware uses a number of techniques during its software development cycle to improve upon the security of its products. These standard techniques include Threat Modeling, Static Code Analysis, Incident Response Planning, and Penetration Testing using both internal and external security expertise. VMware has an established security engineering group that integrates these techniques into the software development cycle, provides security expertise, guidance on the latest security threats and defensive techniques, and training within the development organization. This group is also responsible for driving VMware products through external security accreditations and certifications.
5. How are you keeping customers informed?
VMware will continue to update our public security blog with up-to-date communications and instructions, as well as inform customers through the VMware Product Support Center.