Manage Learn to apply best practices and optimize your operations.

Should VMware vulnerabilities in JRE impede implementing virtualization?

Could recent VMware vulnerabilities in JRE hamper virtualization implementation? In this expert response, Michael Cobb explains that VMware attacks are theoretical at this point and shouldn't stop you from implementing virtualization if your risk assessment validates your decision.

VMware recently revealed a number of vulnerabilities related to the Java Runtime Environment (JRE). Do these vulnerabilities suggest that more are likely to come, and should they serve as a reason not to implement virtualization at this time?

VMware has advised of a number of vulnerabilities relating to problems in the Java Runtime Environment, several of which can be used by an attacker to compromise a system. Other major virtualization vendors have also released a number of patches in recent months. Although virtualization is not a new technology, it's only recently that its use has become widespread. As it's being used in a greater variety of configurations, it's not surprising that various vulnerabilities are now coming to light. Also, whenever the user base for a technology gains popularity, it starts to attract the interest of hackers who begin to aggressively search for vulnerabilities they can exploit.

A compromised hypervisor could give an attacker access to thousands of desktops sitting on a virtual server -- a frightening thought. And there have been some dramatic headline-catching demonstrations of how to break out of a guest operating system and into the host system "to wreak havoc on a host system's operating system." Joanna Rutkowska's Blue Pill virtual rootkit is "undetectable" as it installs on the hypervisor but these VM breakouts are still constrained to the laboratory. There are still no reports of major real-life VM security breaches. These attacks are theoretical at this point and fear for the future shouldn't stop an organization from implementing virtualization if a risk assessment validates the decision.

I have no doubt we will see more virtualization-related vulnerabilities come to light and this reinforces the need to adopt any technology in a structured manner with the usual rigors of standard security hardening. If you decide to go ahead with implementing virtualization, ensure that your IT team receives adequate training to cope with the differences in physical and virtual environments. It's not enough to simply apply existing policies and practices for securing physical servers to virtual servers. For example, security devices and policies will need to eliminate IP address dependencies, as IP addresses change far more frequently as VMs are created, retired or migrated.

There will also be some loss of network visibility inside the virtualization hosts. Traditional network security tools can't necessarily see the traffic that passes between VMs communicating with each other inside a single host. This makes it harder to monitor inappropriate traffic flows. Change management procedures will also need a full review to prevent VM sprawl where virtualization instances pop up with no one keeping track of them. I would certainly recommend implementing segmentation -- avoid mixing VMs that run across multiple zones with different security postures and requirements on one host system -- and isolate privileged VMs on their own network segment. Also monitor access to virtualization resources and all administrative activity, with any significant events triggering an alert.

There is little doubt that virtualization has many benefits and can offer reductions in the total cost of ownership but you will need to keep abreast of developments in threats to virtualized systems and research and innovations into securing them. VMware's Technical Resource Center is a good place to start as it has plenty of guidance on how to secure a virtual infrastructure.

For more information:

This was last published in February 2010

Dig Deeper on Virtualization security issues and threats

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.