Security


DISA Releases VMware vSphere 6.7 STIGs – Version 1, Release 1

Reading time: 2 minutes
Almost exactly 3 years after vSphere 6.7 was released (April 17, 2018) and approximately 17 months prior to the end of General Support (October 15, 2022), the Defense Information Systems Agency (DISA) made available the first STIGs for VMware vSphere 6.7 on April 22, 2021. The STIGs can be downloaded from the Public DoD Cyber Exchange STIGs Document Library by searching for “VMware vSphere 6.7”. What’s New? Unlike the previous VMware vSphere 6.

VMSA-2020-0009: vRealize Operations Authentication Bypass and Directory Traversal Vulnerabilities

Reading time: 2 minutes
I just wanted to provide a quick post to bring attention to the latest VMware Security advisory VMSA-2020-0009. The products affected include: vRealize Operations 7.5.0 vRealize Operations 8.0.x vRealize Operations 8.1.0 If you utilize the vRealize Operations Application Remote Collector (ARC) appliance to monitor operating systems or applications via the Telegraf agents, you should immediately implement the workaround documented in VMware KB79031. While two vulnerabilities were announced, both relating to Salt, an open-source project by SaltStack, the authentication bypass vulnerability (CVE-2020-11651) received a CVSSv3 base score of 10.

DISA Releases Updated VMware vSphere 6.5 STIGs - Version 1, Release 2

Reading time: 1 minute
On October 25, 2019, the Defense Information Systems Agency has made available the first updates to VMware vSphere 6.5 STIGs released earlier this year. VMware vSphere 6.5 STIG Version 1, Release 2 includes updates to both the ESXi and the Virtual Machine STIGs. Per the revision history provided in the updated STIG download, the following changes were made: VMware vSphere 6.5 ESXi STIG V-94491, V-94493, V-94495, V-94497, V94499, V-94501, V-94503, V-94513, V94515,V-94517, V-94519, V-94521, V94523, V-94525, V-94527, V-94537, V94539, V-94541, V-94551, V-94553, V94555, V-94557, V-94049 - Removed multiple duplicate requirements in ESXi STIG.

vRealize Operations Compliance Alerts for the vSphere 6.5 ESXi STIG

Reading time: 6 minutes
As a follow-up to my previous post providing alert content for the VMware vSphere 6.5 Virtual Machine STIG Version 1, Release 1, I have also put together new alert content for the VMware vSphere 6.5 ESXi STIG Version 1, Release 1. See the link at the bottom of the page to download the alert content XML. The following STIG items cannot be verified by vRealize Operations because the checks are user process related, the configuration values are not currently collected by vRealize Operations, or the checks involve non-VMware assets (e.

vRealize Operations Compliance Alerts for the vSphere 6.5 Virtual Machine STIG

Reading time: 2 minutes
With the recent release of the VMware vSphere 6.5 Virtual Machine STIG Version 1, Release 1, I needed to create new vRealize Operations alert content to verify compliance of my virtual machines. Combined with the automated alert remediation process I described in a previous post, ensuring compliance with the new STIG requirements is easy. See the link at the bottom of the page to download the alert content XML. Unfortunately, the following STIG items can’t be verified by vRealize Operations either because the checks are user process related or the configuration values aren’t currently collected by vRealize Operations:

2 / 3

Search

Get Notified of Future Posts

Follow Me

Twitter Icon
LinkedIn Icon
RSS Icon

Recent Posts