This topic is for operators who are deploying VMware Tanzu Operations Manager, and outlines VMware’s security policy. You can find a comprehensive overview of the security architecture of each VMware Tanzu Application Service for VMs (TAS for VMs) component in the TAS for VMs documentation.

How VMware monitors for security vulnerabilities

VMware receives private reports on vulnerabilities from customers and from field personnel through VMware’s secure disclosure process. VMware also monitors public repositories of software security vulnerabilities to identify newly discovered vulnerabilities that might affect one or more of VMware’s products.

How to report a vulnerability

VMware encourages users who become aware of a security vulnerability in VMware’s products to contact VMware with details of the vulnerability. Please send descriptions of any vulnerabilities found to the Tanzu Security Team using the procedure described in the VMware Security Response Policy. Include details about the software and hardware configuration of your system so that VMware can reproduce the issue.

VMware encourages use of encrypted email. For VMware’s public PGP key, see Security Response: VMware PGP Public Key for Security Alerts on the VMware Tanzu website.

Notification policy

Tanzu Operations Manager has many customer stakeholders who need to know about security updates. When there is a possible security vulnerability identified for a Tanzu Operations Manager component, VMware does the following:

  1. Assesses the impact to Tanzu Operations Manager.

  2. If the vulnerability affects a Tanzu Operations Manager component, schedules an update for the impacted components.

  3. Updates the affected components and performs system tests.

  4. Announces the fix publicly through the following channels:

    1. Automated notification to end users who have downloaded or subscribed to a Tanzu Operations Manager product on Broadcom Support when a new, fixed version is available.
    2. A new post on the Tanzu Security page.

Classes of vulnerabilities

Attackers can exploit vulnerabilities to compromise user data and processing resources. This can affect data confidentiality, integrity, and availability to different degrees. For vulnerabilities related to Ubuntu-provided packages, VMware follows Canonical’s priority levels. For other vulnerabilities, VMware follows Common Vulnerability Scoring System v3.0 standards when assessing severity. For more information about Canonical’s priority levels, see CVE Priority in Ubuntu CVE Tracker. For more information about Common Vulnerability Scoring System v3.0 standards, see Common Vulnerability Scoring System version 3.1: Specification Document on the FIRST website.

VMware uses Canonical’s Ubuntu distribution of Linux for Tanzu Operations Manager Ubuntu stemcells and rootfs. Canonical provides VMware with support services that allow VMware to escalate CVEs that VMware determines might affect Tanzu Operations Manager. In general, VMware does not escalate to upstream open source software components or vendors for Medium or Low CVEs that are not yet patched. Tanzu Operations Manager can escalate on behalf of a customer for High or Critical CVEs. Tanzu Operations Manager customers who are interested in addressing CVEs in Ubuntu that are not yet patched can establish their own support relationship with Canonical through the Support page on the Ubuntu website.

VMware reports the severity of vulnerabilities using the following severity classes:

High

High severity vulnerabilities are those that can be exploited by an unauthenticated or authenticated attacker from the Internet, or those that break the guest/host operating system isolation. Exploitation could result in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or to execute arbitrary code between virtual machines (VMs) and/or the host operating system. This rating also applies to vulnerabilities that could lead to the complete compromise of availability when exploited by a remote unauthenticated attacker from the Internet or through a breach of VM isolation.

Medium

Medium vulnerabilities are those for which the ability to exploit is mitigated to a significant degree by configuration or by difficulty of exploitation, but which in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.

Low

Low vulnerabilities are all other issues that have a security impact. These include vulnerabilities for which exploitation is believed to be extremely difficult, or for which successful exploitation would have minimal impact.

Release policy

VMware schedules regular monthly software releases to address Low and Medium severity vulnerabilities. When a High severity vulnerability is identified, VMware releases a fix as quickly as possible.

Alerts and actions archive

To review an archive of Tanzu Operations Manager vulnerability reports, see the VMware Product Vulnerability Reports on the Tanzu security page.
