
Monthly Archives: June 2008

VMware Infrastructure Earns Common Criteria EAL4+ Certification

On May 20, 2008, VMware VI3
(ESX Server 3.0.2 & VirtualCenter 2.0.2) achieved Common Criteria
certification at EAL4+ under the Canadian Common Criteria Evaluation and
Certification Scheme (CCS). EAL4+ is the
highest assurance level that is recognized globally by all signatories under
the Common Criteria Recognition Agreement (CCRA).

This milestone marks the
completion of an intensive effort during which VMware ESX Server and VirtualCenter were
examined, tested and certified at the Evaluation Assurance Level 4
(EAL4+). In addition to validating VI3,
personnel from the validation lab visited VMware to witness and validate VMware’s
planning, development, QA, IT, HR, and delivery processes and to validate building
physical security. The plus (+) appended
to the assurance level indicates that this certification included the optional Flaw
Remediation component. To achieve Flaw
Remediation, VMware’s issue tracking and flaw remediation processes were
also validated.

VMware is the first and only
virtualization vendor for industry standard x86 hardware to successfully
complete the rigorous Common Criteria certification process. Although several operating system vendors
bundle virtualization technologies as part of their products, to
date, none have included virtualization technology as part of their Common
Criteria security certifications.

This announcement also demonstrates
VMware’s continued commitment and focus on security. VMware completed the first Common Criteria certification
for a virtualization product on x86 hardware in March 2006 with the Common
Criteria certification of VMware ESX Server 2.5 & VMware VirtualCenter 1.2
at EAL2. VMware has also entered VMware
ESX 3.5 and VirtualCenter 2.5 into evaluation for certification at EAL4+.

I must thank VMware’s
Engineering, Security, IT, Marketing, Delivery, and Facilities teams for their
assistance with this effort. I also want
to acknowledge VMware’s vendors
Corsec Security, Inc. and
EWA-Canada, Ltd. for their efforts in achieving this goal.

Eric Betts
Project Manager

VI3 (ESX Server 3.0.2 and VirtualCenter 2.0.2) certification at EAL4+:
http://www.cse-cst.gc.ca/services/ccs/vmware-e.html

VMware Press Release – June 2, 2008:
http://www.vmware.com/company/news/releases/common_criteria.html

ESX Server 2.5 and VirtualCenter 1.2 certification at EAL2:
http://www.niap-ccevs.org/cc-scheme/st/?vid=10056

New and Updated VMware Security Advisories for ESX(i) and VMware Hosted Products

On June 3 and May 29, VMware released patches for security issues in VMware ESX(i) and VMware Workstation, Player, ACE, Server, and Fusion. The issues range from denial of service to code execution on the host system from the guest system. You are advised to review the new security advisories, VMSA-2008-0008 and VMSA-2008-0009, and the updated advisory VMSA-2008-0007, and to deploy the patches and new binaries per your security policy.

We would like to draw your attention to a special situation with one of the patches listed in VMSA-2008-0009. Installing the new hosted release or the ESX patches alone will not remediate the VMware Tool Privilege Escalation issue. To fix this issue, the VMware Tools packages need to be updated on each guest operating system, followed by a reboot. This issue affects Windows-based guest operating systems only.

As always, we welcome your comments and questions at security@vmware.com (PGP key).