Hi,
is it just me or do VMware need more information in the security vulnerability notices they send out? Take the one that was sent out over the weekend (VMSA-2017-0007). In short, it says it resolves a remote code vulnerability in BlazeDS. I would have thought they should provide further information than this, such as whether you need admin rights on the vCenter to run this code, or on the ESXi host, etc. Thoughts?
I compare to what Microsoft send out when they release security patches and I feel VMware is falling behind in this area.
Surely I'm not the only one who reads the security bulletins from VMware and then determines how critical each one is to the environment?
Hello,
You are not. If you feel strongly about it, you should open up a support request to get the bulletins updated with more information. I have always gone back to CVE and looked up the issue there, then gone and found the actual attack description elsewhere. This way, I have done all my research. I would do that even if it was provided by the vendor as you then have corroboration on the CVE and its impact.
If you have a well segregated management environment the severity of this goes down significantly. BTW, we just covered the lowest hanging fruit of virtualization security on the Virtualization and Cloud Security Round Table Podcast on 4/20/17 (see below).
Best regards,
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017
Virtualization and Cloud Security Analyst: TVP Strategy
Blue Gears Blog: vSphere Upgrade Saga
Podcast: Virtualization and Cloud Security Round Table Podcast
GitHub: https://github.com/Texiwill