More information needed for VMware security vulner...

abugeja · ‎04-17-2017

Hi,

is it just me or do VMware need more information in their security vulnerabilities they send out? Take the one that was sent out over the weekend. (VMSA-2017-0007). In short says it resolves a remote code vulnerability in BlazeDS. I would of thought they should provide further information than this. Such as do you need admin rights on the vCenter to run this code or on the ESXi host etc. Thoughts?

I compare to what Microsoft send out when they release security patches and I feel VMware is falling behind in this area.

abugeja · ‎04-19-2017

Surely im not the only one who reads the security bulletins from VMware then determine how critical it is to the environment?

Texiwill · ‎04-21-2017

Hello,

You are not. If you feel strongly about it, you should open up a support request to get the bulletins updated with more information. I have always gone back to CVE and looked up the issue there, then gone and found the actual attack description elsewhere. This way, I have done all my research. I would do that even if it was provided by the vendor as you then have corroboration on the CVE and its impact.

If you have a well segregated management environment the severity of this goes down significantly. BTW, we just covered the lowest hanging fruit of virtualization security on the Virtualization and Cloud Security Round Table Podcast on 4/20/17 (see below).

Best regards,
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017

Virtualization and Cloud Security Analyst: TVP Strategy

Blue Gears Blog: vSphere Upgrade Saga

Podcast: Virtualization and Cloud Security Round Table Podcast

GitHub: https://github.com/Texiwill

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

All

More information needed for VMware security vulnerabilities