Monthly Archives: October 2008

What’s New in Security at VMware.com

We’ve added some new things pertaining to security and compliance at the vmware.com web site, so I thought I’d highlight a few things to bring you up to date.

  • The new VMware Compliance Center includes an overview of the issues involved with virtualization and compliance, a comprehensive listing of partner virtualization compliance solutions, and references such as white papers and recorded webcasts.
  • There is a new listing of Free Security and Compliance Utilities. These tools are provided by VMware partners, and can be downloaded and used right away to help assess and monitor your VI deployment.
  • The Overview section of the Security Technology site has been updated to present the core issues of virtualization and security in a more streamlined way.  The Resources listing has also been enhanced to include more external resources.
  • Although not new, the VMsafe section received some updates over the summer that you might not have seen.
  • Finally, something else that’s not new but worth pointing out is the Security Certifications page.  We will be listing all security-related certifications that VMware products receive, so you can check here to see ones we have received.

We’ll be adding new content to these pages over time, so please be sure to check back regularly.

New and Updated VMware Security Advisories for VirtualCenter, ESXi, ESX, VCB and VMware Hosted Products

Today, VMware released a new version of VirtualCenter, VC2.5 Update 3, a new version of Virtual Consolidated Backup, VCB 1.1 Update 1, and patches for ESXi and ESX 3.5. These releases, together with the recently released versions of VMware’s hosted products and patches for ESX 3.0.1, 3.0.2 and 3.0.3, address several security issues. The issues are described in one new and one updated security advisory, both published today.
One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn’t allow for compromising the host system. The other security issues involve password disclosure and an update to JRE.
On a side note, we would like to thank everyone who completed our questionnaire on security advisories during the VMworld 2008 Security Lab. Expect a blog post on the results soon.