VMWARE

CISA recommends VMware, F5 patches. Liquidity mining fraud. Strapi issues patched. TDI clarifies data incident.

CISA | May 20, 2022

CISA recommends VMware patches.
VMware yesterday addressed issues in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. That these are more significant than the ordinary run of patches may be seen from the way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed them. Alert (AA22-138B), "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control," warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US Federal civilian agencies have until next Monday to identify and remediate the issues, and they're required to report completion no later than Tuesday.

Fraudulent liquidity mining.
Sophos describes the way the threat of fraudulent liquidity mining is shaping up in decentralized finance systems. "Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades," Sophos explains, and criminals are using social engineering to abuse such systems to defraud cryptocurrency investors of their holdings.

More loosely regulated than conventional cryptocurrency exchanges, which use market makers and seek to ensure that sufficient reserves are on hand to back trades, DeFi exchanges use Automated Market Makers (AMMs). Sophos explains that "Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool." Liquidity pool tokens ("LP tokens") represent the portion of the liquidity pool an investor contributed. But unethical DeFi operators can cancel the tokens (or simply never create a pool to back them in the first place), and this, Sophos observes, offers "ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft."
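The AMM and LP-token mechanics described above, as an added example that is not from the Sophos report: a toy constant-product pool in JavaScript whose LP shares are only a pro-rata claim on whatever reserves the pool currently holds. The `isBacked` check, the pool class, and every amount are constructed for this demonstration.

```javascript
// Added example, not code from the Sophos report: a toy constant-product AMM
// with LP shares, showing that an LP token is only a pro-rata claim on the
// reserves the pool holds. BigInt base units; all figures are constructed.
function isqrt(n) {                          // integer square root, Newton's method
  if (n < 2n) return n;
  let x = n, y = (x + 1n) / 2n;
  while (y < x) { x = y; y = (x + n / x) / 2n; }
  return x;
}

class ConstantProductPool {
  constructor() {
    this.reserveA = 0n; this.reserveB = 0n; this.totalShares = 0n;
    this.shares = new Map();                 // provider -> LP shares held
  }
  // Add liquidity on both sides; mint LP shares pro-rata to the reserves added.
  deposit(provider, amountA, amountB) {
    const byA = this.totalShares === 0n ? 0n : amountA * this.totalShares / this.reserveA;
    const byB = this.totalShares === 0n ? 0n : amountB * this.totalShares / this.reserveB;
    const minted = this.totalShares === 0n ? isqrt(amountA * amountB) : (byA < byB ? byA : byB);
    this.reserveA += amountA; this.reserveB += amountB; this.totalShares += minted;
    this.shares.set(provider, (this.shares.get(provider) ?? 0n) + minted);
    return minted;
  }
  // Trade A for B keeping reserveA * reserveB constant (fee omitted).
  swapAForB(amountA) {
    const k = this.reserveA * this.reserveB;
    const newA = this.reserveA + amountA;
    const out = this.reserveB - k / newA;    // integer division rounds in the pool's favour
    this.reserveA = newA; this.reserveB -= out;
    return out;
  }
  // What a provider's LP shares redeem for right now, given the actual reserves.
  redeemable(provider) {
    const s = this.shares.get(provider) ?? 0n;
    if (this.totalShares === 0n) return { a: 0n, b: 0n };
    return { a: s * this.reserveA / this.totalShares, b: s * this.reserveB / this.totalShares };
  }
}

// The check an investor wants before trusting a claimed LP value: do the
// pool's current reserves actually back the position that was sold?
function isBacked(pool, provider, promisedA, promisedB) {
  const r = pool.redeemable(provider);
  return r.a >= promisedA && r.b >= promisedB;
}

// Constructed scenario: two providers, one trade, then the operator empties the
// pool (the "cancel the tokens" case): the shares persist but redeem to nothing.
function scenario() {
  const pool = new ConstantProductPool();
  pool.deposit('alice', 1000000n, 1000000n); // 1,000,000 shares
  pool.deposit('bob', 500000n, 500000n);     // 500,000 shares
  const out = pool.swapAForB(150000n);       // moves the price against A
  const before = isBacked(pool, 'bob', 400000n, 400000n);
  pool.reserveA = 0n; pool.reserveB = 0n;    // operator drains the reserves
  const after = isBacked(pool, 'bob', 400000n, 400000n);
  return { out, bobShares: pool.shares.get('bob'), before, after };
}
```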

CMS vulnerabilities disclosed and patched.
The Synopsys Cybersecurity Research Center (CyRC) has identified two vulnerabilities in Strapi, an open-source headless content management system (CMS) written in JavaScript that enables developers to quickly design and build content-rich APIs. Both vulnerabilities involve authenticated users with access to the Strapi admin panel being able to view private and sensitive data, such as email addresses and password reset tokens. The first vulnerability allows the authenticated user to view private and sensitive data of other admin panel users that have a relationship with content accessible to the authenticated user. The second allows the authenticated user to view private and sensitive data of API users if content types accessible to the authenticated user contain relationships to API users. The vulnerabilities are fixed in newer, updated versions of Strapi, and Synopsys has commended Strapi for its quick response to the discovery.
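The mitigation for the class of issue described above, as an added example that is not Strapi's own code: a recursive sanitizer that strips attributes marked private from a content entry and from every populated relation (admin users, API users) before the entry is returned. The schemas, field names and sample entry are constructed for this demonstration.

```javascript
// Added example, not Strapi's own code: strip private attributes from a content
// entry and from every populated relation before it leaves the API, so a user
// allowed to read the content cannot read the credentials of the admin or API
// users that content is related to. Schemas and sample data are constructed.
const schemas = {
  article:   { private: [], relations: { author: 'adminUser', reviewers: 'adminUser', owner: 'apiUser' } },
  adminUser: { private: ['email', 'password', 'resetPasswordToken', 'registrationToken'], relations: { roles: 'role' } },
  apiUser:   { private: ['email', 'password', 'resetPasswordToken', 'confirmationToken'], relations: {} },
  role:      { private: [], relations: {} },
};

// Recursively copy an entry, dropping private attributes and descending into
// relations, which may be one object, an array of objects, or null (not populated).
function sanitize(entry, type) {
  if (entry === null || typeof entry !== 'object') return entry;
  if (Array.isArray(entry)) return entry.map((e) => sanitize(e, type));
  const schema = schemas[type];
  if (!schema) throw new Error(`unknown content type: ${type}`);
  const out = {};
  for (const [key, value] of Object.entries(entry)) {
    if (schema.private.includes(key)) continue;             // drop private field
    const relType = schema.relations[key];
    out[key] = relType ? sanitize(value, relType) : value;  // recurse into relation
  }
  return out;
}

// Constructed sample of what an unsanitized, fully populated query could return.
function sampleArticle() {
  return {
    id: 1, title: 'Hello',
    author: { id: 7, firstname: 'Ada', email: 'ada@example.test', password: '<hash>',
              resetPasswordToken: 'tok-A', roles: [{ id: 1, name: 'Editor' }] },
    reviewers: [{ id: 8, firstname: 'Bob', email: 'bob@example.test', resetPasswordToken: 'tok-B' }],
    owner: { id: 3, username: 'api-user', email: 'api@example.test', confirmationToken: 'tok-C' },
  };
}

// True if any sensitive attribute survives anywhere in the tree; used to verify
// the sanitizer's output instead of trusting it.
function leaksPrivateData(obj) {
  const bad = new Set(['email', 'password', 'resetPasswordToken', 'registrationToken', 'confirmationToken']);
  const stack = [obj];
  while (stack.length) {
    const cur = stack.pop();
    if (cur === null || typeof cur !== 'object') continue;
    for (const [k, v] of Object.entries(cur)) {
      if (bad.has(k)) return true;
      stack.push(v);
    }
  }
  return false;
}
```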

Texas Department of Insurance clarifies facts surrounding its data incident.
The Texas Department of Insurance (TDI) has sent around a fact sheet that clarifies a data incident the agency sustained earlier this year: "In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we couldn't rule out access, we took steps to notify those who may have been affected." While data could have been accessed by unauthorized personnel, TDI has investigated and found that, "There is no evidence to date that there was a misuse of information."

Spotlight

VMware Cloud Marketplace enables customers to discover and deploy validated, third-party solutions on VMware-based platforms, across public, private and hybrid cloud environments. The marketplace catalog also includes hundreds of popular open-source solutions (such as WordPress, Node.js and more), packaged and published by Bitnami.

Related News

VIRTUAL SERVER INFRASTRUCTURE

Scale Computing Continues to Deliver High-Performing, Scalable Edge Computing and IT Infrastructure to the Government Sector

Scale Computing | September 23, 2021

Scale Computing, a market leader in edge computing, virtualization, and hyperconverged solutions, announced ongoing momentum with customers in the public sector. The company’s HC3 Edge and IT infrastructure solutions continue to enable municipal institutions of all sizes to optimize operations with self-healing, automated infrastructure for all applications while protecting sensitive government data.

“In today’s world, IT management is tasked more than ever with simplifying infrastructure and delivering solutions to employees and citizens that mitigate risks in a whole new way. IT departments need to ensure that hardware and software are reliable, remotely accessible, and protected against cyberthreats,” said Jeff Ready, CEO and co-founder of Scale Computing. “Scale Computing meets the complicated IT infrastructure demands of state and local governments. Our agile, reliable platforms can replace traditional IT infrastructure across any agency, any department, or any system, while driving out the high costs of downtime and system administration.”

Scale Computing brings municipal institutions, including governments, government agencies, and other public institutions, into a new era of computing by revamping IT operations with a solution that simplifies management, protects sensitive government data, and helps deliver smart, digital services.

Kitselas First Nation is a self-funded and self-governing nation, and one of the 14 Tsimshian tribes in British Columbia. After experiencing a flood, Kitselas First Nation needed new servers and a modern solution for simplicity, scalability, availability and disaster recovery. With only one person on the IT staff, they were also in need of powerful systems capable of running workloads with efficiency and speed, as well as an affordable, easy-to-use solution capable of maximizing uptime. Kitselas First Nation selected Scale Computing’s HC3 platform, which provides them with simplified, highly affordable IT infrastructure with improved performance. Since implementation of Scale Computing HC3, Kitselas First Nation saved resources and 15% of time spent managing infrastructure, leading to an increase in time spent working on other projects. Scale Computing’s HC3 solution also provides Kitselas First Nation with disaster recovery and the ability to manage IT infrastructure without the need for local IT staff. Don Agnew, IT support and asset management officer at Kitselas First Nation, says, “We have an on-site backup and a Google Cloud Platform in Quebec. If another disaster strikes, the hardware component fails or the entire HC3 appliance breaks down, we’re covered. The Scale Computing HC3 cluster is highly available and keeps our systems running with no downtime. HC3 won’t let us down.”

The Summit County Board of Elections in Ohio is responsible for securely managing the records of 370,000 registered voters and over one million citizen records. As Ohio’s fourth most populous county, the Summit County Board of Elections' entire network infrastructure is managed by a team of just two full-time IT professionals. With an aging server infrastructure and a heavily scrutinized Presidential election fast approaching in 2020, this IT duo needed to modernize their systems, comply with strict new security directives, and do so in an expedited time-frame. After selecting Scale Computing’s HC3 solution, the Summit County Board of Elections was able to consolidate seven servers to a cluster of three HC3 nodes in less than seven months, implement automated snapshots of servers that are backed up to a remote cluster providing full system redundancy, simplify management and operations so their two-person IT team could focus on operational priorities, and comply with new state and Federal security directives. As Kevin Moreland, Network & Systems Administrator, Summit County Board of Elections says, “Every decision we make comes down to, ‘can you make it through a Presidential election’? We knew we needed something that was intelligent, scalable, had built-in redundancy, and was cost-effective. Scale has delivered on all of these and more. We went from an environment where we had about seven physical servers to a three node cluster. From that three node cluster, then we can spin up as many virtual servers as warranted by demand – this not only simplified our operational workload but it also dramatically shrunk our eco-footprint.”

Chris Iseral, Chief Information Officer of Madison County, Kentucky, was challenged with upgrading old infrastructure in an affordable way. The infrastructure in Madison County includes 700 users in 26 different facilities across the county, accounting for 23 different departments or agencies. Chris’ challenges included multiple vendors and an expensive, complicated, and aging infrastructure. Madison County, Kentucky partnered with Scale Computing to deliver high quality, responsive, and budget friendly infrastructure that simplifies management, protects sensitive government data, and helps deliver smart, digital services anywhere, anytime. As Chris Iseral says, “We wanted something highly available, redundant, scalable, affordable, and easy-to-use. We’re happier than we’ve ever been. Scale Computing has been an awesome product.”

About Scale Computing
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform.

VIRTUALIZED ENVIRONMENTS

NEXCOM and Enea Jointly Develop Open Source Software Kit for Secure SD-WAN

NEXCOM | January 19, 2021

Enea and NEXCOM have jointly developed an open source software kit for secure SD-WAN, making it easy for systems integrators and communication service providers to evaluate and deploy enterprise networks using universal customer premises equipment (uCPE). The kit includes flexiWAN, an open source SD-WAN application, and pfSense, an open source firewall, both virtualized to run on uCPE. Also included are automation scripts for onboarding and testing, as well as extensive how-to guides. The open source software is configured for Enea's uCPE virtualization and management platform, Enea NFV Access, and two of NEXCOM's Intel-based whitebox appliances – DTA 1160 and TCA 5170B. The two hardware platforms provide different networking capacities at different price points, covering a wide range of performance requirements for various use cases. NEXCOM's DTA 1160 is based on an Intel Atom processor and designed for lightweight, scale-out workloads, while TCA 5170B is based on an Intel Xeon D processor for high virtualized performance. Both configurations have been tested to meet the throughput requirements of most small and medium-sized branches. The solution brief was produced by Intel Corporation. Providing a complete application framework, including open source Virtual Network Functions (VNFs) and all necessary configuration, the software kit significantly shortens the time needed to bring up a solution on uCPE. It can easily be adapted to accommodate preferences for specific VNF vendors by replacing the open source VNFs with other SD-WAN or firewall VNFs, or extending them with additional applications.

"Our collaboration with Enea is part of our strategy," says Allan Chiu, VP of Network & Communication Solutions at NEXCOM. "It allows us to bring pre-verified solution kits to the market for quick and easy adoption by end customers. We hope to increase our collaborative efforts in the years to come."

"The demand for uCPE-based SD-WAN and security is growing rapidly, and this kit is a great way to shorten time-to-market," says Karl Mörner, Vice President of Product Management at Enea. "We think of it not only as a starter kit, but also as a complete, cost-effective software solution for deploying secure SD-WAN."

"Leveraging the open source SD-WAN of flexiWAN allows vendors such as Enea and NEXCOM to ship their products pre-installed with a ready-to-use solution," says Amir Zmora, CEO and Co-Founder of flexiWAN. "The system automatically registers with flexiWAN's cloud management, and users can open a free account and start using the system."

About Enea: Enea is one of the world's leading suppliers of innovative software for telecommunication and cybersecurity. Focus areas are cloud-native, 5G-ready products for data management, mobile video traffic optimization, edge virtualization, and traffic intelligence. More than 3 billion people rely on Enea technologies in their daily lives. Enea is headquartered in Stockholm, Sweden and listed on Nasdaq Stockholm.

About NEXCOM: NEXCOM was founded in 1992 and is headquartered in Taipei, Taiwan. Integrating diverse capabilities, NEXCOM operates six global businesses, including the Network and Communication Solutions (NCS) unit, which focuses on high performance computing and network technology, and is committed to helping customers build network infrastructure. NCS's network application platform is widely adopted in CDN, Cyber Security Appliance, Load Balancer, uCPE, Router, SD-WAN, Edge Computing, Storage, NVR, and other network applications.

VIRTUAL SERVER INFRASTRUCTURE

SPEC Releases New SPECvirt Datacenter 2021 Benchmark

Standard Performance Evaluation Corporation (SPEC) | September 18, 2021

The Standard Performance Evaluation Corporation’s (SPEC) Virtualization Committee released the SPECvirt Datacenter 2021 benchmark, a new multi-host benchmark for measuring the performance of a scaled-out datacenter. The SPECvirt Datacenter 2021 benchmark uses real-world and simulated workloads to measure the overall efficiency of virtualization solutions and their management environments. The new benchmark complements the existing SPECvirt_sc 2013 server consolidation benchmark, which is designed for a single-host environment.

Today’s datacenters use clusters of servers to ensure reliability, availability, serviceability, and security. Adding virtualization to a clustered solution enhances server optimization, flexibility, and application availability while reducing costs through server and datacenter consolidation. While the SPECvirt Datacenter 2021 benchmark enables analysis of these more complex multi-host environments, it is much easier to use than the SPECvirt_sc 2013 benchmark, providing a single virtual machine (VM) template to set up its harness and workloads. The SPECvirt Datacenter 2021 benchmark supports multiple hypervisor vendor solutions and ships with support for RHV 4.x and vSphere 6.x and 7.x.

“The ongoing evolution of virtualized environments has made it imperative that suppliers and buyers have a fair, vendor-agnostic tool for measuring the performance of solutions that power virtualized multi-host infrastructures,” said David Schmidt, Chair of the SPEC Virtualization Committee. “The SPECvirt Datacenter 2021 benchmark is easy to use and creates an excellent foundation for examining and comparing performance in these complex environments that are increasingly becoming the norm.”

The SPECvirt Datacenter 2021 benchmark provides a methodical way to measure a virtualization platform’s performance in a dynamic virtualized datacenter environment. It models typical, modern-day usage of virtualized infrastructure, such as VM resource provisioning, cross-node load balancing (including management operations such as VM migrations), and VM power on/off. The benchmark exercises datacenter operations under load and dynamically provisions new workload VMs from a preconfigured template or powers on existing VMs. As the load reaches maximum capacity of the cluster, hosts are added to the cluster to measure scheduler efficiency and maximize throughput.

The SPECvirt Datacenter 2021 benchmark feature overview:
Multi-host benchmark – Minimum of four hosts required, scales in increments of four.
Datacenter operations model – Multi-workload benchmark measures performance of hypervisor infrastructure, including how the hypervisor manager controls resources.
VM resource management – Handled by the hypervisor manager, including scheduling policies. Workload VMs powered on or deployed during benchmark.
Ease of use – Single preconfigured template VM to set up harness and workloads. No tuning of guest OS/software necessary.
Five real-world and simulated workloads –
    OLTP database, based on HammerDB benchmark
    Hadoop/Big Data cluster, based on BigBench benchmark
    Simulated departmental mail server
    Simulated departmental web server
    Simulated departmental collaboration server

About SPEC
SPEC is a non-profit organization that establishes, maintains, and endorses standardized benchmarks and tools to evaluate performance for the newest generation of computing systems. Its membership comprises more than 120 leading computer hardware and software vendors, educational institutions, research organizations, and government agencies worldwide.
