On May 22, 2012, VMware vSphere 5.0 achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme.
The visibility and focus of security in IT infrastructure environments has increased significantly in recent years, motivating IT professionals to seek systems which help with the protection their valuable data assets. Common Criteria provides a level of assurance that VMware vSphere 5.0 has achieved specific security design and implementation specifications. Common Criteria ensures security functional requirements were met through a rigorous standards based evaluation process, which included functional and vulnerability tests in addition to reviews of VMware’s implementation and development processes. The certification process also included Flaw Remediation which evaluates VMware’s processes for supporting vSphere 5.0 with future security and maintenance updates.
Common Criteria is an ISO (15408) standard for evaluating IT security which assures vSphere 5.0 has surpassed the required design and testing criteria. The Common Criteria certification enables a significant number of VMware’s federal, defense, state and local government sales including large private sector sales as well. These sectors utilize standards based IT testing methodologies as a means of further validation of IT product security. This certification validates VMware’s commitment to security, standards processes and global standards.
VMware was the first x86 virtualization vendor to complete a Common Criteria certification in 2006 and has continued the tradition of certifying each release since then. This milestone marks the fifth iteration of completing this certification process. As VMware continues to set the standard in virtualization and cloud computing, be sure to visit VMware’s Security Certifications web page for updates on future Common Criteria and other certifications activities at VMware.
The certification effort has had many resource touch points. I would like to acknowledge the contributions of VMware teams, Corsec Security, and CGI for their participation in achieving this milestone.
For the most up to date listing of VMware’s certifications, visit the Security Certifications section of VMware’s web site.
On April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code dating back to 2004, and the possibility that more files may be posted in the near future. Ensuring customer security is our top priority. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. As part of its regular program of providing patches for security and other issues, VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.
By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected. As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate.
As always, we welcome any security-related concerns to be shared with VMware via the following channels:
2012 セキュリティアップデート: VMware のセキュリティブログに関する声明書（訳文）
Frequenty Asked Questions:
1. Are these software patches related to source code associated with the April 23rd incident?
VMware has consistently provided software updates and patches to help customers maintain the most reliable and secure environment. In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.
2. Is my environment at risk if I do not apply these latest patches?
VMware provides security updates and patches from time to time to mitigate known security issues that may put customer environments at risk. As a matter of best practice, we encourage customers to always apply the latest software updates and patches relevant to their environment. We encourage all customers to view the following link to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.
3. What does VMware do on a regular basis to secure its information?
VMware has a comprehensive Information Security Program in place. The Information Security Team is focused on effectively safeguarding VMware’s information, intellectual property, infrastructure, and users. The VMware Information Security Team effectively assesses and manages security risks across the enterprise based on the evolving landscape of threats, laws, regulations, and industry practices.
4.What does VMware do to ensure a secure customer virtual environment?
VMware uses a number of techniques during its software development cycle to improve upon the security of its products. These standard techniques include Threat Modeling, Static Code Analysis, Incident Response Planning, and Penetration Testing using both internal and external security expertise. VMware has an established security engineering group that integrates these techniques into the software development cycle, provides security expertise, guidance on the latest security threats and defensive techniques, and training within the development organization. This group is also responsible for driving VMware products through external security accreditations and certifications.
5. How are you keeping customers informed?
VMware will continue to update our public security blog with up-to-date communications and instructions, as well as inform customers through the VMware Product Support Center.