
Monthly Archives: April 2014

Updated VMware Security Advisory VMSA-2014-0002.2

Today VMware has released the following updated security advisory:

VMSA-2014-0002.2

The advisory was updated to document the release of an ESXi 5.1 patch that addresses CVE-2013-5211, “DDoS vulnerability in NTP third party library”. VMware Knowledge Base article 2070193 provides mitigation for this issue and documents when vSphere components are affected.

The ESXi 5.1 patches released today are not related to the OpenSSL Heartbleed issue (ESXi 5.1 and below are not affected by this issue). The product releases and patches remediating the Heartbleed issue have concluded and are all documented in VMware Security Advisory VMSA-2014-0004.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware among founding members of the Core Infrastructure Initiative

We are happy to announce that VMware is one of the founding members of the Core Infrastructure Initiative. This project hosted by the Linux Foundation will fund open source projects that are critical to core computing and Internet functions. Over time, the project will help make open source software more secure, which will benefit our customers, partners, users, and just about anyone who goes online.

Core Infrastructure Initiative explained
The Core Infrastructure Initiative will fund and support critical elements of the global information infrastructure. Its first beneficiary is OpenSSL, by funding support for its key developers and providing other resources. The goal is to improve its security, to create an external feedback mechanism and to streamline the release process.
Open source software projects that will receive funding will be selected by the Steering Committee of the Core Infrastructure Initiative, made up of supporters, community developers, and industry stakeholders. The committee will approve the funding level and oversee the roadmap and is guided by an advisory board of key open source developers and community members.
The Linux Foundation organized the Core Infrastructure Initiative to guarantee that open source projects remain independent and keep their community-based focus. Read more about the initiative in the Core Infrastructure Initiative FAQ.

VMware and the Core Infrastructure Initiative
VMware and eleven other leading infrastructure companies support the Core Infrastructure Initiative. Our support allows us to contribute directly to the security of open source software that is used in our products.
VMware has a longstanding commitment to working with the open source community, and our developers participate in several open source projects. By participating in the Core Infrastructure Initiative we are strengthening these ties and proactively working on the security of open source software.

New VMware Security Advisory VMSA-2014-0004 (Heartbleed)

Today VMware has released the following new security advisory:

VMSA-2014-0004

This advisory lists the VMware product updates and patches that address the OpenSSL Heartbleed issue, CVE-2014-0160. This is only the first release of the advisory; several updates will follow as we release further product updates and patches this week.

In order to remediate the issue, follow these steps:
1. Deploy the VMware product update or product patches that address CVE-2014-0160
2. Replace certificates
3. Reset passwords
The advisory lists product-specific references to installation instructions and certificate management documentation.
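The three steps above have to happen in that order: certificates and passwords rotated before the patch is applied may already have been exposed and must be rotated again. The following is an added example, not VMware's code or the advisory's, of a small inventory audit that reports which of the three steps are still outstanding per host. The HostRecord fields, the sample inventory and the dates are constructed; the affected-version rule (OpenSSL 1.0.1 through 1.0.1f) is a known fact about CVE-2014-0160 and is not taken from the page.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STEPS = ["deploy patch", "replace certificates", "reset passwords"]


@dataclass
class HostRecord:
    """Constructed inventory record (hypothetical fields, not a VMware format)."""
    name: str
    shipped_openssl: str          # OpenSSL version the product shipped with, e.g. "1.0.1e"
    cert_not_before: date         # NotBefore of the host's current TLS certificate
    password_changed: date        # date the host's credentials were last rotated
    patched_on: Optional[date]    # date the CVE-2014-0160 patch was applied, None if not yet


def openssl_affected(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f. 1.0.1g and later fixed the bug;
    the 1.0.0 and 0.9.8 branches never had it."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version.strip())
    if not m:
        return False
    patch_letter = m.group(1)
    return patch_letter == "" or patch_letter < "g"


def outstanding_steps(h: HostRecord) -> List[str]:
    """Return the remediation steps still open for one host."""
    if not openssl_affected(h.shipped_openssl):
        return []                        # never exposed, nothing to do
    if h.patched_on is None:
        return list(STEPS)               # step 1 not done, so 2 and 3 are premature
    pending = []
    # Material created before the patch date was exposed by the bug; rotating it
    # earlier than the patch does not count, so it must be redone after patching.
    if h.cert_not_before < h.patched_on:
        pending.append("replace certificates")
    if h.password_changed < h.patched_on:
        pending.append("reset passwords")
    return pending


def audit(records: List[HostRecord]) -> dict:
    """Map host name -> outstanding steps (empty list means fully remediated)."""
    return {r.name: outstanding_steps(r) for r in records}


# Constructed sample inventory.
SAMPLE = [
    HostRecord("vcenter-a", "1.0.1e", date(2014, 1, 10), date(2014, 1, 10), None),
    HostRecord("vcenter-b", "1.0.1e", date(2014, 4, 12), date(2014, 1, 10), date(2014, 4, 11)),
    HostRecord("esxi51-c", "1.0.0l", date(2013, 6, 1), date(2013, 6, 1), None),
]

if __name__ == "__main__":
    for host, steps in audit(SAMPLE).items():
        print(host, "->", steps or "remediated")
```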

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2014-0003 and updated advisory

Today VMware has released the following new and updated security advisories:
New: VMSA-2014-0003
Updated: VMSA-2014-0002.1

The new advisory details two security vulnerabilities in vSphere Client, CVE-2014-1209 and CVE-2014-1210. In order to remediate these issues, existing vSphere clients will need to be replaced by the newly released versions.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Note:
The new and updated advisories released today are not related to the OpenSSL Heartbleed issue, CVE-2014-0160. VMware is working on remediation of this issue and update releases that address this issue will be documented in a new VMware Security Advisory.
Currently VMware Knowledge Base article 2076225 provides the latest status on VMware products and services and the OpenSSL Heartbleed issue.

VMware products and the Heartbleed OpenSSL issue, CVE-2014-0160

We have just posted VMware Knowledge Base article 2076225 with the results of our ongoing investigation into the Heartbleed OpenSSL issue. We will update the article during the investigation. VMware has products that ship with OpenSSL 1.0.1 and that are affected by the issue.

Customers are advised to review the article and direct any questions to VMware Support.

VMware CP&C releases PCI DSS 3.0 Compliance toolkit for Windows Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for Windows Environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect from January 1, 2014. The PCI DSS 3.0 compliance toolkits for VMware vSphere-based virtual environments and for *NIX-based environments were released earlier this year.

PCI DSS 3.0 compliance Windows toolkits are available for the following environments:

Windows Server 2003 (DC and MS)
Windows Server 2003 R2 (DC and MS)
Windows Server 2008 (DC and MS)
Windows Server 2008 R2 (DC and MS)
Windows Server 2012 (DC and MS)
Windows Server 2012 R2 (DC and MS)
Windows 7
Windows 8
Windows 8.1

Legend:
DC = Domain Controller
MS = Member Server

You can download the packages using the Compliance Content Wizard tool in VCM or from the VMware Solution Exchange and begin to use them.

Keep in mind that VCM manages not only virtual environments but physical ones as well. It is the market leader in configuration audit, change detection, patch management and compliance content. With new additions such as the Scripted Remediation Framework, a high level of OS patch automation with auto-deploy functionality, easy install and setup, SCAP-based compliance and a new look and feel, it is better than ever before!

Come, join the journey to Start Green Stay Green!

Thanks and regards,
Pravin Goyal,
RHCE | HP-UX CSA | VCP4-DCV | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F