VMware issues 10.0 CVSS rating on vCenter Server vulnerability

scmagazine | April 13, 2020

VMware issues 10.0 CVSS rating on vCenter Server vulnerability
VMWare issued a warning and patch for a vulnerability in its VMware vCenter Server that maxed out the CVSS rating system by garnering a 10.0. The issue, CVE-2020-3952, centers on the vmdir that ships with VMWare vCenter Server as it does not properly implement access controls. To exploit this vulnerability a malicious actor would have to have network access to an affected vmdir deployment giving them the ability to extract highly sensitive information which then could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. Satnam Narang, principal research engineer at Tenable, pointed out that VMWare listed only a limited set of vCenter Servers affected by this flaw, specifically version 6.7 upgraded from version 6.0 and 6.5. Narang also suggested that by giving the flaw a 10.0 CVSS score VMWare likely believes it is easy to exploit.

Spotlight

Kit Colbert, who heads up VMware's cloud native apps, group explains Photon Platform and how it relates to vSphere integrated containers. Interviewed by Barton George, office of the CTO at Dell. Recorded at DockerCon, Seattle Washington, June 20-21.

Spotlight

Kit Colbert, who heads up VMware's cloud native apps, group explains Photon Platform and how it relates to vSphere integrated containers. Interviewed by Barton George, office of the CTO at Dell. Recorded at DockerCon, Seattle Washington, June 20-21.

Related News

VMWARE

JetStream DR for Microsoft Azure VMware Solution with Azure Blob Storage Now Generally Available

JetStream Software Inc. | November 19, 2021

JetStream Software Inc., an innovator in cloud-native disaster recovery (DR), announced its disaster recovery software, JetStream DR, which supports Microsoft Azure VMware Solution, is now generally available through the Azure Marketplace. JetStream Software has integrated its offerings with Azure Portal to deliver new DR capabilities for Azure VMware Solution, employing JetStream DR software along with Azure Blob Storage. JetStream DR protects VMware virtual machines (VMs) in the customer’s on-premises data center with failover and VM recovery in Azure VMware Solution. Additionally, VMware VMs already deployed to and running in Azure VMware Solution can be protected with VM failover and recovery to an alternate Azure VMware Solution data center. “By combining Microsoft Azure Blob Storage, Azure VMware Solution, and JetStream’s VMware-certified software, we can fully transform the economics of disaster recovery for the enterprise. At the same time, we are providing a compelling cloud-based solution ensuring enterprises can have the protection they need, both now and for the future.” Tom Critser, Co-founder and CEO, JetStream Software “Microsoft Azure is committed to working with leading third-party vendors to ensure our customers have the best options to meet their needs. We are pleased JetStream DR completed our rigorous testing process and is now generally available,” said Eric Lockard, Corporate Vice President, Azure Dedicated at Microsoft. “Disaster recovery and protection against ransomware are paramount issues for small and large businesses alike. JetStream DR provides a world-class solution utilizing the power and capabilities of Azure.” Enterprises that choose JetStream DR benefit from continuous data protection (CDP) in a disaster recovery service offering with lower infrastructure costs as the data from protected VMs are maintained in Azure Blob Storage. Support for Azure NetApp Files For customers who need to fail over quickly and recover large amounts of data, JetStream DR supports integration with Azure NetApp Files, the highly scalable storage file service in Microsoft Azure. This enables a much faster recovery time at a lower cost than provisioning additional vSAN hosts solely for the purpose of data storage. Meeting Market Needs JetStream DR enters general availability amid a coalescing of trends. Disaster recovery is ideally suited to move to the cloud, however, this transition has proven complex from a technical standpoint. JetStream DR is specifically designed for the cloud, enabling it to support capabilities such as maintaining recovery data in object/blob storage and dynamically provisioning compute resources when needed. This is something other first-generation DR companies can’t offer. Additionally, it is very expensive for enterprises to replicate data into a redundant system. If they can replicate data into an object store, as with JetStream DR, enterprises pay only a fraction of the cost per gigabyte compared to file system-based storage. This is especially advantageous at a time when enterprises are expected to do more with less. Furthermore, with risks arising daily magnified by new threat vectors, finding the best scalable disaster recovery solution has become a business imperative. How JetStream DR for Azure VMware Solution Works JetStream DR provides continuous data protection for VMware vSphere environments. The cloud-native software platform is specifically designed to provide the software infrastructure for an enterprise-grade DR service offering from a managed service provider (MSP) or cloud service provider (CSP). JetStream DR is validated for Azure VMware Solution and is VMware-ready, offering unique capabilities amongst DR solutions, including: Cost-Effective DR: Maintains VMs and their data in Azure Blob Storage, enabling enterprise-grade DR at a lower cost of operation. Agentless CDP: Captures and replicates data continuously via VMware IO Filters for continuous data protection without VM agents. vSphere to vSphere Recovery: Supports Azure VMware Solution, so customers no longer need to maintain their own failover site. They can fail over to Azure VMware Solution and fail back when the original protected data center is restored. Storage-Independent: Protects VMs with any VMware-compatible datastore types: block, file, vSAN, VVOL and third-party HCI. Live Failback: Returns VMs to the protected site from Azure VMware Solution without interruption to VMs’ operation or protection. Decoupled Design: Azure Blob Storage is more than just a journal or “cold data tier” — it is the repository for all VMs, data, configuration metadata, and recovery policies. About JetStream Software JetStream Software Inc., an innovator in cloud-native disaster recovery technology, gives enterprise customers, managed service providers (MSPs) and cloud service providers (CSPs) a better way to support business continuity across multi-cloud and multi-data center infrastructures. JetStream DR software is optimally suited to complement VMware-based cloud infrastructures including VMware Cloud Provider Partners and the VMware Cloud Foundation. JetStream Software is headquartered in San Jose, California, with a subsidiary in Bangalore, India. The company is privately held. JetStream DR and JetStream DR for Microsoft Azure VMware Solution are trademarks of JetStream Software Inc. VMware, vSphere and vSAN are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions. All other brand names and product names are trademarks or registered trademarks of their respective companies.

Read More

Verizon is First to Market with Global SD WAN Offer and Virtualized Services Globally

Verizon | September 08, 2020

International Data Corporation (IDC), the premier global provider of market intelligence, recognizes Verizon as a leader in the IDC MarketScape: Worldwide Managed SD WAN 2020 Vendor Assessment report1. Software-defined wide area networking (SD WAN) is a way for companies to create secure network connections utilizing a wide variety of underlying network technologies - commercial internet, wireless, private IP, etc. “The COVID-19 pandemic has proven the resilience of SD WAN extending to the remote worker, leveraging VPN connectivity and SD WAN gateways,” said Aamir Hussain, SVP Chief Product Officer Verizon Business. “SD WAN technology provides network awareness and can add layers of security that customers need now more than ever and we are proud to be recognized as a global leader in this area.”

Read More

SECURITY

Security Capabilities are a Critical Element to 5G Success

5G Americas | December 10, 2021

5G networks based on standard technical specifications from the Third Generation Partnership Project continue to be the most widely adopted and secure wireless cellular technology in existence. 5G Americas, the voice of 5G and LTE for the Americas announced the publication of a new white paper entitled ‘Security for 5G’ which details features and recommendations for securing 5G networks and provides an update on the security enhancements introduced by 3GPP in Releases 15 and 16. The increased speeds and lower latency of 5G networks are beginning to impact nearly every facet of life for consumers and enterprises. Fortunately, security has been the built into 5G right from its inception and has been required throughout its development, planning and deployment.” Chris Pearson, President of 5G Americas As increased bandwidth, higher data rates, and a surge of new devices and connections have made managing network security more complex, 5G Americas has provided nearly annual updates around the topic of security in wireless cellular networks. ‘Security for 5G’ is the latest update, building on prior work and focuses on evolving 5G security considerations. This white paper addresses emerging challenges and opportunities, making recommendations for securing 5G networks in the context of the evolution to cloud-based and distributed networks: 3GPP security enhancements in 5G 5G security considerations Zero-trust networks 3GPP Release 16 security enhancements Security for 5G vertical segments, such as transportation, manufacturing, and critical infrastructure Supply chain security Open RAN security Additionally, the white paper provides insight into securing 5G in private, public, and hybrid cloud deployment models. Topics such as orchestration, automation, cloud-native security, and application programming interface (API) security are addressed. The transition from perimeter-based security to a zero-trust architecture to protect assets and data from external and internal threats is also discussed. Pramod Nair, Technical Solutions Architect - Security, Cisco and 5G Americas group co-leader on the paper commented, “5G will allow operators to evolve toward new business models. For 5G to achieve its potential, organizations must embrace multi-layered security that goes far beyond 3GPP specifications by using a pragmatic, multi-layered approach. End-to-End Security should cater to RAN, SDN, MEC, and hybrid, multi-cloud deployments based on a cloud native architecture, secure CI/CD, and zero trust security for 5G.” Scott Poretsky, Director of Security, North America, Network Product Solutions at Ericsson and 5G Americas group co-leader further added, “5G continues to integrate with other key technology enablers. In the cloud’s multi-stakeholder environment, cloud-native function software vendors, platform vendors, mobile network operators, hyperscale cloud providers, and system integrators must collaborate to clearly define requirements, roles and responsibilities for implementing security architecture and controls.” About 5G Americas: The Voice of 5G and LTE for the Americas 5G Americas is an industry trade organization composed of leading telecommunications service providers and manufacturers. The organization’s mission is to facilitate and advocate for the advancement and transformation of LTE, 5G and beyond throughout the Americas. 5G Americas is invested in developing a connected wireless community while leading 5G development for all the Americas. 5G Americas is headquartered in Bellevue, Washington. 5G Americas’ Board of Governors Members include Airspan Networks Inc., Antel, AT&T, Ciena, Cisco, Crown Castle, Ericsson, Intel, Liberty Latin America, Mavenir, Nokia, Qualcomm Incorporated, Samsung, Shaw Communications Inc., T-Mobile US, Inc., Telefónica, VMware, and WOM.

Read More