Author Archives: Simon Bodger

New VMware Security Advisory VMSA-2015-0009

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0009 : VMware product updates address a critical deserialization vulnerability

Updated

VMSA-2015-0003.15 : VMware product updates address critical information disclosure issue in JRE
VMSA-2015-0008.1 : VMware product updates address information disclosure issue

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0008

Today VMware has released the following new security advisory, VMSA-2015-0008, to address an information disclosure issue (CVE-2015-3269).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0007

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0007 for CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047

Updated
VMSA-2015-0006.1 has been updated to clarify the configurations to which CVE-2015-6932 applies.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0006

Today VMware has released the following new advisory:

VMSA-2015-0006

This addresses a VMware vCenter Server LDAP certificate validation issue. For more information on setting up certificates with LDAP, please see http://kb.vmware.com/kb/2130915.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6932 to this issue.

Customers that are looking for updates to open source and/or third party software in a product release should refer to the release notes for the release.

New VMware Security Advisory VMSA-2015-0005

Today VMware has released the following new advisory:

VMSA-2015-0005

This addresses an issue in VMware Workstation, Player and Horizon View Client for Windows that may lead to a host privilege escalation.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3650 to this issue.

Changes to Transparent Page Sharing completed and updated VMware Security Advisories

As previously posted (Oct 16, Nov 24, Dec 4 and Jan 27), VMware has introduced new TPS (Transparent Page Sharing) management options. Today’s ESXi 5.0 patch restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today updated advisory VMSA-2015-0001.1.

Customers should review the updated security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware security advisory VMSA-2015-0002.

Today we released a new security advisory, VMSA-2015-0002.

The advisory documents CVE-2014-4632, a certificate validation vulnerability in VMware vSphere Data Protection (VDP).

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Changes to Transparent Page Sharing reminder and new and updated VMware Security Advisories

As previously noted (Oct 16 and Nov 24), VMware has introduced new TPS (Transparent Page Sharing) management options that give administrators more granular control over which virtual machines have the potential to share duplicate pages of memory with each other. The previous ESXi patch releases incorporated the additional functionality but did not change the default behavior. Today's update of ESXi 5.1 is the first release that restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today released the following new and updated advisories:
New
VMSA-2014-0012 

Updated
VMSA-2014-0002.4
VMSA-2014-0008.2

The new advisory details the fix of a Cross Site Scripting issue (CVE-2014-3797), a certificate validation issue (CVE-2014-8371) and updates to third-party libraries in VMware vSphere.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Inter-VM Transparent Page Sharing ESXi default changing (reminder)

The additional Transparent Page Sharing (TPS) management capabilities that we discussed in our blog post of October 16 have been out for about a month for ESXi 5.1 and ESXi 5.5. The same capabilities for ESXi 5.0 will follow next month.

While the recent ESXi patches do not change any TPS setting, the upcoming ESXi Update/patch releases planned for 2014 and Q1 of 2015 will. As we explained in our previous TPS post, the default setting for inter-VM TPS will be such that TPS among virtual machines will no longer be enabled by default. Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan accordingly.

We would also like to take the opportunity to mention that the capability of inter-VM TPS is not removed from ESXi and that it can be re-enabled either system-wide or for groups of VMs by using the new salting mechanism (see KB 2091682).
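The host-wide switch behind the salting mechanism is the ESXi advanced setting Mem.ShareForceSalting (documented in KB 2097593: 0 keeps the legacy inter-VM sharing, 1 and 2 require matching sched.mem.pshare.salt values, with 2 the new default). The following audit script is an added example, not code from the original posts or a VMware tool; it parses constructed output in the layout of `esxcli system settings advanced list -o /Mem/ShareForceSalting` (that layout and the hostnames are assumptions) and flags hosts where inter-VM TPS is still on.

```python
"""Audit ESXi hosts' inter-VM Transparent Page Sharing posture.

Input per host: output of
  esxcli system settings advanced list -o /Mem/ShareForceSalting
The 'Int Value:' line layout below is an assumption; the sample text
and hostnames are constructed for this example.
"""
import re

# Meaning of Mem.ShareForceSalting values (KB 2097593).
POSTURE = {
    0: "inter-VM TPS enabled (legacy, no salting)",
    1: "salted: VMs share only with matching salt (vc.uuid if unset)",
    2: "salted: intra-VM only unless sched.mem.pshare.salt is set (default)",
}

# Constructed sample output, keyed by hostname.
SAMPLE_OUTPUT = {
    "esx01.example.test": (
        "   Path: /Mem/ShareForceSalting\n   Type: integer\n"
        "   Int Value: 2\n   Default Int Value: 2\n"
        "   Min Value: 0\n   Max Value: 2\n"
    ),
    "esx02.example.test": (
        "   Path: /Mem/ShareForceSalting\n   Type: integer\n"
        "   Int Value: 0\n   Default Int Value: 2\n"
        "   Min Value: 0\n   Max Value: 2\n"
    ),
}


def parse_share_force_salting(text: str) -> int:
    """Extract the current 'Int Value' and reject values outside 0..2."""
    m = re.search(r"^\s*Int Value:\s*(-?\d+)\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Int Value' line in esxcli output")
    value = int(m.group(1))
    if value not in POSTURE:
        raise ValueError(f"unexpected Mem.ShareForceSalting value {value}")
    return value


def audit(outputs: dict) -> dict:
    """Return {host: (value, description, inter_vm_sharing_on)}."""
    report = {}
    for host, text in outputs.items():
        v = parse_share_force_salting(text)
        report[host] = (v, POSTURE[v], v == 0)
    return report


if __name__ == "__main__":
    for host, (v, desc, on) in audit(SAMPLE_OUTPUT).items():
        print(f"{host}: Mem.ShareForceSalting={v} {desc} [{'REVIEW' if on else 'ok'}]")
```

A host reported as REVIEW still shares pages across VM boundaries; set the salt or the host value per KB 2097593 if that is not intended.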