
Monthly Archives: October 2014

New VMware Security Advisory VMSA-2014-0011

Today VMware has released the following new security advisory:

VMSA-2014-0011

The advisory documents a critical information disclosure vulnerability, CVE-2014-4624, which has been addressed in vSphere Data Protection 5.5.x last week.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Introducing VMware’s vRealize Air Compliance (vRAC)

Hola Peeps,
It is with great pleasure that I introduce our latest and greatest compliance solution from VMware, vRealize Air Compliance!
vRAC gives you event-driven compliance checks of your virtual infrastructure and tells you WHO made a non-compliant change and when it occurred, in near real time! (As fast as the Seahawks' defense making Peyton Manning choke in another Super Bowl loss)
The vRAC solution is based on SCAP content, takes minutes to install, and allows you to set exceptions on the fly. We are making it available (BETA) to our customers as the audit community is starting to inspect the virtual infrastructure on a regular basis.

Sign up for the vRAC BETA here:

http://vrealizeair.vmware.com/compliance

Check out the Dashboard and Score Cards:

Dashboard

See a recent rule failure (went from compliant to non-compliant):

RecentRuleFail

Drill down to see who made the change with a time stamp:

WhoMadeChange

Set Exceptions on the fly:

Exception

Check out the vRAC video here:

https://www.youtube.com/watch?v=-Au0eec2hkU

Jump into the discussion on any of our social media channels: blogs, Twitter, Facebook, or the community forum.

Cambio y Fuera!
George Gerchow
VMware vRealize Air Compliance Product Manager – CISSP, ITIL, CCNA, MCPS, SCP


Transparent Page Sharing – additional management capabilities and new default settings

Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.

We also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though we believe the security risk associated with enabling TPS is very low, VMware strives to be “secure by default” wherever possible.

The upcoming changes to the default TPS settings are explained in VMware Knowledge Base (KB) article 2080735. Documentation for the additional TPS management capabilities can be found in KB 2091682.

Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan for the upcoming ESXi Update releases, which no longer have TPS between VMs enabled by default. Note also that many systems use the memory-virtualization hardware in modern processors, which means large pages are used; as a result, TPS is likely not in use except where memory is overcommitted. See KB 1021095 for further details.

We would like to thank Gorka Irazoqui, Mehmet Sinan Inci and the Vernam lab for working with VMware and sharing their side-channel research.

11/05 Update
The additional capabilities to manage Transparent Page Sharing are now available for ESXi 5.1, see KB 2091682.

CVE-2014-3566 aka POODLE

Today a new attack on SSL v3, dubbed POODLE, was published. We have reviewed the issue and concur with the community that it is similar to the BEAST attack published in 2011, but more practical.

Like the BEAST attack, exploiting this vulnerability requires the attacker both to run JavaScript in the victim's browser and to man-in-the-middle the connection between the client and server. At this time we view this as a browser-based attack and do not see direct relevance to VMware's products.

We will shortly issue a VMware Knowledge Base (KB) article for POODLE with similar guidance to that found in our BEAST KB article.

10/15 Update
We’ve published VMware Knowledge Base 2092133 with the recommendation to disable SSL v3 in your browser.

10/16 Update
Over the next few days we will begin a structured rollout to explicitly deny SSL v3 connections on all VMware websites and services. We support the industry recommendation to disable SSLv3 and require TLS for encrypted communication.
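The "deny SSL v3 connections" policy above comes down to inspecting the version a client offers in its ClientHello. The following is an added example (not VMware's code) that parses a raw ClientHello record, rejects SSL 3.0 offers, and, going one step beyond the post, also rejects an RFC 7507 TLS_FALLBACK_SCSV retry below the assumed server maximum of TLS 1.2; the sample records are constructed inline.

```python
import struct

# Wire layout of a ClientHello record (RFC 6101 / RFC 5246), used by the parser below:
#   record header:    content_type(1)=0x16, version(2), length(2)
#   handshake header: msg_type(1)=0x01, length(3)
#   ClientHello body: client_version(2), random(32), session_id(1+n),
#                     cipher_suites(2+2k), compression_methods(1+m), [extensions]
SSL3 = (3, 0)
SERVER_MAX_VERSION = (3, 3)      # assumption: the service speaks up to TLS 1.2
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling suite sent by clients retrying at a lower version


def parse_client_hello(record: bytes) -> dict:
    """Return record_version, client_version and cipher suite ids from a raw ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]                      # skip client_version, random and session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    if len(hello) < pos + 2 + cs_len:
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return {"record_version": (record[1], record[2]),
            "client_version": (hello[0], hello[1]),
            "cipher_suites": suites}


def handshake_decision(record: bytes) -> str:
    """'accept', or 'reject: <reason>' under a deny-SSLv3 policy with RFC 7507 fallback detection."""
    info = parse_client_hello(record)
    if info["client_version"] <= SSL3:
        return "reject: client offered SSL 3.0 or lower"
    if TLS_FALLBACK_SCSV in info["cipher_suites"] and info["client_version"] < SERVER_MAX_VERSION:
        return "reject: inappropriate fallback (client retried below the version we support)"
    return "accept"


def build_client_hello(client_version, suites, session_id=b"", rand=b"\x11" * 32) -> bytes:
    """Constructed sample ClientHello record (no extensions) so the parser can be exercised offline."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(client_version) + rand + bytes([len(session_id)]) + session_id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Running `handshake_decision(build_client_hello((3, 0), [0x002F]))` returns the SSL 3.0 rejection, while a TLS 1.2 offer is accepted.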

NSX-v 6.1 security hardening guide released for community feedback!

Hi All,
We are pleased to announce the release of the much-awaited NSX-v 6.1 security hardening guide to the community for feedback and comments. You can now securely deploy NSX-v using the prescriptive guidelines in the guide.

Take your copy here. If you have something to say about it, please write to nsxhgcomments@vmware.com and we will get back to you.

Thanks to all the contributors for its success!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+