This section covers security-related questions and answers for VMware Unified Access Gateway.
Can I install third party agents and/or Anti-virus software on Unified Access Gateway?
No. Antivirus software and third-party agents are not required on a Unified Access Gateway appliance, and installing them is not supported. This policy applies to all VMware-branded virtual appliances. For more information, see https://kb.vmware.com/s/article/80767 and https://kb.vmware.com/s/article/2090839.
Is Unified Access Gateway impacted by CVE-XXXX-XXXX?
Unified Access Gateway development uses industry-leading code scanning, software composition analysis and vulnerability scanning tools, and VMware monitors industry feeds for newly identified potential vulnerabilities. Detected vulnerabilities are addressed per the VMware Security Response Policy.
If required, customers can be notified according to responsible disclosure practices through a VMware Security Advisory (VMSA). You can subscribe to be notified about newly published advisories at https://www.vmware.com/security/advisories.html. You are encouraged to apply product updates regularly to benefit from the latest security, reliability, and feature improvements.
For more information about Unified Access Gateway releases, see Product Updates.
After a VMware virtual appliance such as Unified Access Gateway is released, Photon security updates inevitably become available before the next release date. The published severity of such an update is generic to the Photon package; in most cases it does not affect the security of Unified Access Gateway itself, either because Unified Access Gateway does not use the affected component or because the vulnerability is in a function of the component that Unified Access Gateway does not use. Applying unauthorized updates of these Photon components to a running appliance can destabilize it and can introduce a new vulnerability that the testing performed prior to release could not detect.
All VMware appliances are tested and qualified as a whole, based on the exact components and versions included in the original release. Updating or changing any component of a virtual appliance may therefore result in unexpected behavior of the system, so unauthorized updates are not supported.
Consistent with other VMware-branded virtual appliances, VMware does not support any modifications or customizations to the underlying operating system and packages included in a VMware-branded Virtual Appliance. This includes adding, updating, or removing of packages, and utilizing custom scripts within the operating system of the appliance. For more information about VMware's policy for virtual appliances, see https://kb.vmware.com/s/article/2090839.
If a security vulnerability is identified, whether by VMware, by a customer or by anyone else, a defined policy governs how it is reported and how VMware responds, based on the severity as it applies to the particular product. For more information, see Security Response Policy.
A critical security vulnerability in a Photon component that is not used by Unified Access Gateway or does not apply to any functionality of Unified Access Gateway has no security significance and is therefore not critical in the context of Unified Access Gateway.
If a critical security vulnerability is determined to affect Unified Access Gateway, VMware might release a patched version of the appliance in addition to including the fix in the next quarterly release. This is done for a critical issue that does apply to Unified Access Gateway and for which there is no workaround. VMware publishes security advisories to communicate such vulnerabilities.
How frequently does VMware release new Unified Access Gateway versions?
For more information, see Product Updates.
When are Photon package updates applied to Unified Access Gateway?
Every planned release of Unified Access Gateway contains the Photon and Java versions that are current at the time the virtual appliance is built. The build usually happens about two weeks before the General Availability (GA) date, which leaves time for final cross-functional and security qualification to ensure that the combination of package versions works correctly together. Photon packages are updated even when the update addresses a vulnerability that does not apply to Unified Access Gateway.
Is there a mechanism with Unified Access Gateway to automatically download and apply critical Photon vulnerability updates?
Yes. Starting with Unified Access Gateway version 2009, an administrator can configure the appliance to check automatically for authorized package updates. VMware occasionally authorizes the update of one or more OS packages to rectify a critical vulnerability that affects a specific version of Unified Access Gateway and for which no viable workaround is available. For more information, see the Configure Automatic Check section in Product Updates.
If a scanner reports an out-of-date Photon package, does this mean Unified Access Gateway is vulnerable?
A scan report can indicate a real vulnerability, but in most cases a report that a newer version of a package is available does not apply to Unified Access Gateway. This might be because the corrective action for the vulnerability has already been applied to the installed package, even though its version number is older than the one the advisory names, or because the vulnerable component is not used or activated by Unified Access Gateway. Vulnerability scanners are prone to false positives even when they are properly configured and kept up to date.
If there is a “false positive” vulnerability scan report, would applying the package update for that package make Unified Access Gateway more secure?
Applying the package update in such cases would make no difference, because Unified Access Gateway is not vulnerable to a "false positive" finding in the first place. VMware does not support applying package updates to VMware-branded virtual appliances; updating or changing any components might result in unexpected behavior of the system.
Why does VMware not support customer modification/update of Photon packages on VMware branded virtual appliances?
- It could result in unexpected behavior of the system because of incompatibilities with other software on the appliance and backward compatibility issues with configuration.
- Updating a package could introduce a new security vulnerability that would not be detected during security testing prior to the original appliance release.
- For the "false positives", applying a package version update will make no security improvement.
The tests performed by VMware are on the set of components that make up the virtual appliance image exactly as originally released.
If I am concerned about a scanner vulnerability report, can I request information about it from VMware?
Most scanners work by identifying which products and package versions are present on the network and comparing that inventory against a list of publicly known vulnerabilities. Vulnerability scanners are prone to false positives even when they are properly configured and kept up to date. A customer can raise a support request, and VMware support, together with the VMware Security Response Center (vSRC), will respond and explain why the update does not apply to the particular appliance.
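As an added illustration of the version-matching behaviour described above and in the earlier answer on out-of-date Photon packages, the following Python script triages a constructed scanner report against the two kinds of evidence those answers mention: whether the corrective action is already present in the installed package (here, the CVE identifier appearing in the package changelog, in the form `rpm -q --changelog <package>` prints it) and whether the component is actually used by the appliance. This is example code written for this page, not VMware or Photon tooling; the package names, version strings, changelog text and `CVE-XXXX-...` identifiers are all placeholders.

```python
"""Triage version-based vulnerability-scanner findings against package evidence.

Constructed example (not VMware or Photon tooling). It shows why a scanner
that only compares an installed package version with an advisory's
"fixed in" version produces false positives: the fix may already be present
in the installed package (the CVE id then appears in the package changelog),
or the component may not be used by the appliance at all.
"""
import re
from typing import Dict, List, Set

# Placeholder ids of the form CVE-XXXX-1001 are accepted alongside real ones.
CVE_RE = re.compile(r"CVE-[0-9X]{4}-\d{4,}")

# --- Constructed evidence: hypothetical package names and placeholder CVE ids ---

# What a scanner reports: package, installed RPM version, advisory "fixed in".
SCANNER_FINDINGS: List[Dict[str, str]] = [
    {"package": "examplelib", "installed": "1.2.3-4.ph3", "fixed_in": "1.2.4", "cve": "CVE-XXXX-1001"},
    {"package": "examplelib", "installed": "1.2.3-4.ph3", "fixed_in": "1.2.5", "cve": "CVE-XXXX-1002"},
    {"package": "unusedtool", "installed": "0.9.0-1.ph3", "fixed_in": "0.9.1", "cve": "CVE-XXXX-1003"},
    {"package": "corelib",    "installed": "2.0.1-1.ph3", "fixed_in": "2.0.0", "cve": "CVE-XXXX-1004"},
]

# Changelog text in the layout `rpm -q --changelog <pkg>` prints (constructed).
CHANGELOGS: Dict[str, str] = {
    "examplelib": (
        "* Mon Jan 01 2024 Maintainer <m@example.invalid> 1.2.3-4\n"
        "- Backport fix for CVE-XXXX-1001\n"
        "* Mon Dec 04 2023 Maintainer <m@example.invalid> 1.2.3-3\n"
        "- Rebuild\n"
    ),
    "unusedtool": "* Mon Dec 04 2023 Maintainer <m@example.invalid> 0.9.0-1\n- Initial package\n",
    "corelib": "* Mon Dec 04 2023 Maintainer <m@example.invalid> 2.0.1-1\n- Update to 2.0.1\n",
}

# Components the appliance actually uses or activates (constructed).
ACTIVE_COMPONENTS: Set[str] = {"examplelib", "corelib"}


def upstream_version(rpm_version: str) -> str:
    """Strip the distribution release suffix: '1.2.3-4.ph3' -> '1.2.3'."""
    return rpm_version.split("-", 1)[0]


def version_key(version: str):
    """Simplified version tokeniser (not the full rpmvercmp algorithm):
    numeric runs compare numerically, alphabetic runs lexicographically."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b."""
    return version_key(a) < version_key(b)


def backported_cves(changelog: str) -> Set[str]:
    """CVE ids that the package changelog says were addressed in-place."""
    return set(CVE_RE.findall(changelog))


def triage(finding: Dict[str, str], changelogs: Dict[str, str], active: Set[str]) -> str:
    """Classify one scanner finding using evidence beyond the version string."""
    pkg, cve = finding["package"], finding["cve"]
    if cve in backported_cves(changelogs.get(pkg, "")):
        return "not_vulnerable_backported"       # fix already applied to installed package
    if pkg not in active:
        return "not_applicable_component_unused"  # vulnerable code is not used/activated
    if version_lt(upstream_version(finding["installed"]), finding["fixed_in"]):
        return "needs_review"                     # no evidence of a fix; investigate
    return "not_vulnerable_version"               # installed version already at/after fix


def triage_all(findings: List[Dict[str, str]],
               changelogs: Dict[str, str] = CHANGELOGS,
               active: Set[str] = ACTIVE_COMPONENTS) -> Dict[str, str]:
    """Map each finding's CVE id to its triage verdict."""
    return {f["cve"]: triage(f, changelogs, active) for f in findings}


if __name__ == "__main__":
    for cve, verdict in triage_all(SCANNER_FINDINGS).items():
        print(f"{cve}: {verdict}")
```

Run as a script, it prints one verdict per finding; only the second finding survives as something to investigate, even though a version-only comparison would flag three of the four. The evidence is embedded inline because, as stated above, custom scripts are not supported on the appliance itself; in practice the same question is put to VMware support, which explains why a given update does or does not apply.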
Does VMware regularly run scans on Unified Access Gateway appliances internally?
Yes. The VMware Security Development Lifecycle includes regular and automatic scans of appliances so that early analysis can be performed by VMware.
How often are Photon package versions updated?
Several Photon kernel and package updates are released every month. In most cases, these are not released as individual updates for Unified Access Gateway but are batched for inclusion in the next planned Unified Access Gateway release.
If a critical Photon package or Unified Access Gateway software security vulnerability is identified that affects Unified Access Gateway, how can I get to know about it?
Customers can subscribe to VMware security advisories which are published to inform customers of action they must take to protect products against known vulnerabilities that affect VMware products.
What is VMware’s response if a Unified Access Gateway critical vulnerability is identified? Should I wait for the next planned version release?
VMware publishes a security response policy that defines response times for identified security vulnerabilities. The response time is based on the severity as it applies to a particular product. For example, a critical security vulnerability in Unified Access Gateway requires VMware to begin work on a fix or corrective action immediately and to provide it to customers in the shortest commercially reasonable time. A fix is delivered as a patch image release, and you must upgrade to that version as soon as possible rather than waiting for the next planned release of Unified Access Gateway. In this case, VMware also publishes a security advisory and might also make the update available as an automatic update. See Security Response Policy.