VMware security advisories now behind bureaucratic Broadcom barricade

If it ain't broke, make it less accessible

Updated: Much to the chagrin of security pros, VMware security advisories are now only viewable if users sign up for a Broadcom Support account first.

Granted, it's free to register a support account, but the change, which was announced earlier this week, may create added friction for infosec professionals looking for details on the bugs they need to squish.

Update on May 9

Broadcom appears to have had a change of heart, and the VMware advisories are visible to world-plus-dog after all. "We’ve learned that it is NOT needed to log in to the Broadcom Support Portal to see a list of VMware Security Advisories," says the virtualization house's Monty Ijzerman.

You can find security notices for the following products here without having to log in:

Our original article, written prior to this new-found transparency, follows.

VMware announced the change on Tuesday via a blog post that didn't specify the reason for what will be perceived to be a step backward in openness and transparency. We asked Broadcom, its new owner, for further details but it didn't immediately reply.

URLs for older VMware security advisories will still work, so there's no need to change any browser bookmarks; they'll simply redirect to the Broadcom Support Portal.

End-user computing (EUC) products are the only exception here. Security advisories for these will still appear in the old feed and won't be made available inside Broadcom's Support Portal.

Even better news: there are plans in place to allow Broadcom Support accounts to receive automatic notifications about new or modified advisories, but that feature isn't working yet.

"Based on customer entitlements and customer settings, the Support Portal will send out notifications to customers that have signed up to receive notifications for new or modified security advisories," blogged Monty Ijzerman, staff technical program manager at VMware's product security incident response team. 

"However, at this time, Support Portal is not yet prepared to send out these notifications when a VMware Security Advisory is published or modified."

Infosec experts widely criticized the move. The main concerns are weakened transparency around security, and some feel it will make the job of aggregating an organization's exposure to vulnerabilities across its VMware estate more difficult.


Speaking to The Register, application security expert Sean Wright said: "This is yet another move in a list of recent changes that Broadcom has made which may cause some controversy. While I understand their desire to move the VMware brand under their own brand, their approach is questionable.

"While it appears that individual vulnerabilities are publicly available on the Broadcom Support Portal, it will make it harder for security teams to keep track of all vulnerabilities across their VMware product estate. Many will be unwilling to create yet another account for this purpose.

"Also worth asking is how mechanisms such as RSS feeds would work, or if at all. Many teams will rely on such mechanisms to have some form of automation for new advisories. Ultimately for some, this may turn out to be yet another reason to look to other alternative products."

Some have gone so far as to call on national security agencies in the EU and US to halt Broadcom's latest move, saying "this is not acceptable." 

CISA's official stance on information sharing is that it is "essential to furthering cybersecurity for the nation." It says information should be shared rapidly and seamlessly, and it appears Broadcom's efforts to account-wall its security information may go against this widely accepted industry ideal.

Beyond the negativity directed toward the changes around security advisory accessibility, VMware customers and channel partners have voiced myriad concerns about Broadcom's acquisition.

Fears of what could become of VMware were rife long before the 2023 acquisition by Broadcom, which Symantec customers had come to regard as a company that degrades the businesses it absorbs.

Sysadmins told us back in 2022 that following Broadcom's takeover of Symantec, product evolution had slowed and prices were driven up. Industry sources suspected that these moves were intended to discourage customers Broadcom did not want to keep.

Similar fears surrounded the situation at VMware. Broadcom soon did away with VMware's perpetual licenses, favoring a subscription model. For context, VMware was planning to switch to subscriptions before Broadcom entered the equation, and a lifeline was thrown to customers already on these licenses.

That didn't stop European cloud trade body CISPE from criticizing Broadcom for the move. Its gripe wasn't with subscriptions, but the company's framing of the changes as pro-innovation and pro-competition.

CISPE said Broadcom was ignoring the concerns about packaging products together, meaning customers could be paying for products they don't want. It also raised concerns about price hikes, which El Reg sources have previously said to be in the 500 to 600 percent region. Some customers' license costs have risen from $8 million to $100 million, we're told.

The trade body also said Broadcom's changes were anti-cloud, requiring cloud services providers to license a minimum of 3,500 cores and a minimum three-year contract.

Separate security issues were also raised, specifically that the patch support for VMware perpetual license holders was "insulting in its limitations," CISPE said. Only patches for critical vulnerabilities would be offered unless customers moved to a subscription. CISPE said this "verges on racketeering."

Broadcom insists it's committed to providing value for customers and partners, and that it has taken customer feedback into account with its offerings. ®
