Security

Almost exactly 3 years after vSphere 6.7 was released (April 17, 2018) and approximately 17 months prior to the end of General Support (October 15, 2022), the Defense Information Systems Agency (DISA) made available the first STIGs for VMware vSphere 6.7 on April 22, 2021. The STIGs can be downloaded from the Public DoD Cyber Exchange STIGs Document Library by searching for “VMware vSphere 6.7”. What’s New? Unlike the previous VMware vSphere 6.

The annual VMworld conference always includes large product announcements, and in line with this history, VMware today has announced their intent to acquire SaltStack. Salt is a python-based open-source platform for event-driven IT automation, remote task execution, and configuration management platform that utilizes infrastructure as code. Salt originated from the need for high-speed data collection and task execution for systems administrators managing massive infrastructure scale and resulting complexity. SaltStack is the company that now maintains the Salt Open project and develops and sells SaltStack Enterprise software, services, and support.

I just wanted to provide a quick post to bring attention to the latest VMware Security advisory VMSA-2020-0009. The products affected include: vRealize Operations 7.5.0 vRealize Operations 8.0.x vRealize Operations 8.1.0 If you utilize the vRealize Operations Application Remote Collector (ARC) appliance to monitor operating systems or applications via the Telegraf agents, you should immediately implement the workaround documented in VMware KB79031. While two vulnerabilities were announced, both relating to Salt, an open-source project by SaltStack, the authentication bypass vulnerability (CVE-2020-11651) received a CVSSv3 base score of 10.

On April 23, 2020, the Defense Information Systems Agency (DISA) has made available the third update to VMware vSphere 6.5 STIGs originally released in 2019. VMware vSphere 6.5 STIG Version 1, Release 4 includes minor updates to both the ESXi and the vCenter Server STIGs. Per the revision history provided in the updated STIG download, the following changes were made: VMware vSphere 6.5 ESXi STIG V-100543 – Reinstated requirement The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

On January 16, 2020, the Defense Information Systems Agency has made available the second update to VMware vSphere 6.5 STIGs released in 2019. VMware vSphere 6.5 STIG Version 1, Release 3 includes updates to both the ESXi and the vCenter Server STIGs. Per the revision history provided in the updated STIG download, the following changes were made: VMware vSphere 6.5 ESXi STIG V-94505, V-94507, V-94529, V-94531, V-94543, V-94545 - Added N/A statement when host profiles are not used to join AD These STIGs checks all relate to the authentication of users to ESXi using Active Directory.