
Tag Archives: Security

New VMware Security Advisory VMSA-2017-0011

Today, VMware has released the following new security advisory:

VMSA-2017-0011 – Horizon View Client update addresses a command injection vulnerability

This documents an important severity command injection vulnerability (CVE-2017-4918) in the service startup script of VMware Horizon View Client for Mac (versions 2.x, 3.x and 4.x).

Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OS X system where the client is installed.

VMware Horizon View Client for Mac 4.5.0 fixes this issue.

We would like to thank Florian Bogner from Kapsch BusinessCom AG for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0010 and Updated Security Advisory VMSA-2016-0024.1

On 6 June 2017, VMware released the following new and updated security advisories:

VMSA-2017-0010 – vSphere Data Protection (VDP) updates address multiple security issues.

This new security advisory documents two issues.

VDP contains a deserialization issue (CVE-2017-4914). Exploitation of this issue may allow a remote attacker to execute commands on the appliance. VMware would like to thank Tim Roberts, Arthur Chilipweli, and Kelly Correll from NTT Security for reporting this issue to us.

VDP locally stores vCenter Server credentials using reversible encryption (CVE-2017-4917). This issue may allow plaintext credentials to be obtained. VMware would like to thank Marc Ströbel aka phroxvs from HvS-Consulting for reporting this issue to VMware.

These issues have been addressed in VDP 6.1.4 and 6.0.5.

VMware has released the following updated security advisory:

VMSA-2016-0024.1 – vSphere Data Protection (VDP) updates address SSH key-based authentication issue

This issue has been addressed in VDP 6.1.4 and 6.0.5.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0005

Today VMware has released the following new security advisory:

VMSA-2017-0005 – VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability

The advisory documents a critical severity out-of-bounds memory access vulnerability (CVE-2017-4901). Exploitation of the issue may allow a guest to execute code on the operating system that runs Workstation or Fusion. ESXi is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2016-0010

Today VMware has released the following new security advisory:

VMSA-2016-0010 – VMware product updates address multiple important security issues

This addresses a DLL hijacking issue in the Windows-based VMware Tools “Shared Folders” (HGFS) feature (CVE-2016-5330) and an HTTP header injection issue in vCenter Server and ESXi (CVE-2016-5331).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware releases OVAL content editor open source project

Hello Everyone,

Today, VMware releases an open source OVAL content editor that complies with the SCAP 1.3 draft specification. A couple of months back VMware released an SCAP compliance assessment and remediation app for FREE. The security and compliance community loved it and came back to us asking for an easier and simpler way to write OVAL assessment rules and generate XCCDF from them instead of handcrafting the XML. We listened and responded!


VMware releases STIG Compliance App for FREE

Hello Everyone,

I am pleased to announce the availability of the VMware STIG Compliance App. Using this app, you can assess, remediate and harden remote *NIX machines in line with a STIG (Security Technical Implementation Guide) or any other security configuration benchmark. The app is available as a container image.

The app requires the configuration benchmark to be in SCAP 1.2 format and is capable of performing XCCDF or OVAL assessments. The app uses OpenSCAP as the assessment engine and Ansible as the action engine for performing remediation and hardening.


VMware releases CJIS compliance toolkit in VCM for Windows based environments

VMware is pleased to announce the availability of an automated compliance assessment toolkit for the Criminal Justice Information Services (CJIS) security policy in VMware vRealize Configuration Manager (VCM). The toolkit aligns with CJIS Security Policy version 5.3 and maps to 92 checks across various MS-Windows flavors. Using the toolkit in VCM, law enforcement agencies at the state, local, federal and international partner level can quickly assess Windows configuration and compare it with CJIS Security Policy requirements. Additionally, you can remediate violations with a few clicks. Get the product sheet!


VMware CP&C releases PCI DSS 3.1 Compliance toolkit in VCM for VMware vSphere 6.0 and other platforms!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of PCI DSS 3.1 compliance toolkits for VMware vSphere 6.0 and other platforms – Windows, *NIX, and VMware vSphere 5.5, 5.1 and 5.0 – in VMware vCenter Configuration Manager (VCM). The toolkits consist of automated compliance rules to assess your environment against PCI DSS 3.1 requirements.

The PCI Security Standards Council (PCI SSC) quickly updated the standard from 3.0 to 3.1 on 15 Apr 2015 in the wake of the SSL vulnerabilities. As per the announcement by the PCI council, the revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. PCI DSS Version 3.1 is effective immediately following its publication on 15 Apr 2015. PCI DSS Version 3.0 will be retired on 30 June 2015.


VMware CP&C releases VMware vSphere 6.0 Hardening Guide Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of the VMware vSphere 6.0 Hardening Guide Compliance toolkit in VMware vCenter Configuration Manager (VCM). The toolkit consists of automated compliance rules to assess your VMware vSphere 6 based virtualized environments against the hardening guide. It covers 100% of the hardening guide recommendations.

The hardening guide has three risk profiles that group the recommendations based on the sensitivity of your environment. You can pick the compliance toolkit for the respective risk profile, or get all the rules at once and then modify them to suit your sensitivity category.


VMware Releases Security and Compliance Solution for Docker Containers

As more of VMware’s customers look to run containerized applications, some have raised the question of securing containers in their environments. In partnership with the Center for Internet Security (CIS), Docker and others, VMware has developed a security configuration benchmark for Docker containers that you can download from here.

In all, six parties came together to develop the benchmark — covering 84 recommendations — in just 12 weeks. The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations. It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production.

CIS is an independent organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. At CIS, security configuration benchmarks are created using a consensus review process composed of subject matter experts. The benchmark is the result of collaboration between various industry experts, a team of enthusiastic folks who worked closely to develop and corral a consensus set of guidance, drawing on resources such as blog posts, articles, internet resources, and Docker documentation. CIS facilitated the development efforts and guided us throughout the benchmark development process. Each recommendation was thoroughly vetted, tested and endorsed by the consensus team consisting of folks from CIS, VMware, Docker, Cognitive Scale, International Securities Exchange and Rakuten.

Assessing your Dockerized environments using VMware

However, having just a security benchmark is not enough. Customers also need a mechanism to evaluate containerized workloads against the benchmark and provide compliance visibility and reporting. The solution should also be able to assess diverse workloads hosted on heterogeneous Linux distributions.

VMware has developed such a solution within VMware vRealize Configuration Manager. It is designed as a compliance toolkit, and is the FIRST of its kind to assess containerized workloads against the CIS benchmark. The tool provides compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation from the CIS benchmark.

vRealize Configuration Manager covers 100% of the automatable recommendations in the benchmark – addressed here in depth – and even some that are not directly automatable. You can get a detailed listing of the rules available in the VMware solution in the product sheet attached here.

Let’s dive into a comprehensive overview of the solution.
