Today VMware has released the following new security advisory:
The advisory documents a critical information disclosure vulnerability, CVE-2014-4624, which was addressed in vSphere Data Protection 5.5.x last week.
Customers should review the security advisory and direct any questions to VMware Support.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
It is with great pleasure that I introduce our latest and greatest Compliance solution from VMware, vRealize Air Compliance!
vRAC gives you event-driven compliance checks of your virtual infrastructure and tells you WHO made a non-compliant change and when it occurred, in near real time! (As fast as the Seahawks' defense making Peyton Manning choke in another Super Bowl loss)
The vRAC solution is based on SCAP content, takes minutes to install, and allows you to set exceptions on the fly. We are making it available (BETA) to our customers as the audit community is starting to inspect the virtual infrastructure on a regular basis.
Check out the Dashboard and Score Cards:
See a recent rule failure (went from compliant to non-compliant):
Drill down to see who made the change with a time stamp:
Set Exceptions on the fly:
Check out the vRAC video here:
Over and out!
VMware vRealize Air Compliance Product Manager – CISSP, ITIL, CCNA, MCPS, SCP
Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.
We also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though we believe the security risk associated with enabling TPS is very low, VMware strives to be “secure by default” wherever possible.
The upcoming changes to the default TPS settings are explained in VMware Knowledge Base (KB) article 2080735. Documentation for the additional TPS management capabilities can be found in KB 2091682.
Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan for the upcoming ESXi Update releases, which no longer have TPS between VMs enabled by default. Note also that many systems utilize the hardware capabilities in modern processors to facilitate memory sharing, which means large pages will be used. Due to this, TPS is likely not used except in situations where there is memory overcommitment; see KB 1021095 for further details.
We would like to thank Gorka Irazoqui, Mehmet Sinan Inci and the Vernam lab for working with VMware and sharing their side-channel research.
The additional capabilities to manage Transparent Page Sharing are now available for ESXi 5.1; see KB 2091682.
Today, a new attack on SSL v3 dubbed POODLE was published. We’ve reviewed the issue and concur with the community that the issue is similar to the BEAST attack published in 2011 but more practical.
We will shortly issue a VMware Knowledge Base (KB) article for POODLE with similar guidance to that found in our BEAST KB article.
We’ve published VMware Knowledge Base 2092133 with the recommendation to disable SSL v3 in your browser.
Over the next few days we will begin a structured rollout to explicitly deny SSL v3 connections on all VMware websites and services. We support industry recommendations on disabling SSL v3 and requiring TLS for encrypted communication.
We are pleased to announce the release of the much-awaited NSX-v 6.1 security hardening guide to the community for feedback and comments. You can now securely deploy NSX-v using the prescriptive guidelines in the guide.
Take your copy here. If you have something to say about it, please write to firstname.lastname@example.org and we shall get back to you.
Thanks to all the contributors for its success!
Thanks and regards,
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+