VMware Security Advisory

VMSA-2020-0026 – ESXi, Workstation, and Fusion Vulnerabilities

VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-4004 to the use-after-free vulnerability in XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.

Read More
Performance

12 Performance Tips for Your Virtual Machine

I spent my fair amount of years in IT operations, staying around enterprise VMware infrastructure for about a decade. During this period, I worked with development environments (with crazy stuff like developers running Visual Studio, Jenkins CI/CD pipelines, and automation testing clusters on top of Citrix XenApp farms on top of vSphere). I also worked with production infrastructures ranging from usual CRM and ERP applications to performance-hungry financial and real-time telco-grade applications.

Irrespective of the environment, there was always that user complaining about the slowness of a particular VM. It was not a general performance issue, but specific to one VM. And you know what? Sometimes the user was right and the performance of the VM was subpar. The easiest “solution” would be to add more resources and this was at many times the path supported by the user. “I don’t have enough processing power, give me 4 more virtual CPUs”. Sometimes it is the proper solution. But often these are just resources going out of the door. In fact, all you need to recover the performance is to tune your virtual machine configuration.

In this article, I want to highlight 12 areas worth checking at the virtual machine configuration. If nothing works, then you can look into changes that get easily translated into real money. I will not touch any configuration at a level above the VM and nothing at the operating system level.

Read More
VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. If you can’t upgrade to the fixed version, as a workaround you can disable CIM server, documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1.1
Read More
VMware PowerCLI 12.1.0

VMware PowerCLI 12.1.0

Six months after the previous version of PowerCLI, VMware released the new VMware PowerCLI 12.1.0. I will cover in this article the improvements brought by PowerCLI 12.1.0 and the easy installation process on both Windows and Linux. For full documentation on this version of PowerCLI you can check the code.vmware.com page.

PowerCLI 12.1.0 Changes

New features and updates:

  • New cmdlets have been added to the VMware.VimAutomation.WorkloadManagement module: Get-WMCluster, Set-WMCluster, Enable-WMCluster, Disable-WMCluster.
  • New cmdlets have been added to the VMware.VimAutomation.Core module for managing vSphere Lifecycle Manager: Get-LcmImage, Test-LcmClusterCompliance, Test-LcmClusterHealth.
  • Existing cmdlets from VMware.VimAutomation.Core module have been improved: New-Cluster, Set-Cluster, New-ContentLibraryItem, Set-ContentLibraryItem, New-VM, Set-VM, New-Datastore, New-HardDisk, Get-NetworkAdapter, Get-VirtualNetwork, Set-ScsiLun.
  • New cmdlets have been added to the VMware.VimAutomation.Vmc module for specifying cluster’s EDRS policies: Get-VmcClusterEdrsPolicy, Set-VmcClusterEdrsPolicy.
  • Existing cmdlets from VMware.VimAutomation.Vmc module have been improved: New-VmcSddc, Add-VmcSddcHost, Remove-VmcSddcHost.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing vSAN secure disk wipe: Start-VsanWipeVsanDisk, Get-VsanWipeDiskState, Stop-VsanWipeVsanDisk.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing Cloud Native Storage volumes: Get/New/Set/Remove-CnsVolume, New-CnsContainerCluster, New-CnsKubernetesEntityReference, New-CnsKubernetesEntityMetadata, New-CnsVolumeMetadata, Add-CnsAttachment, Remove-CnsAttachment.
  • New cmdlet has been added to the VMware.VimAutomation.Storage module for managing Virtual Volume (vVol) storage containers: Get-VvolStorageContainer.
  • Existing cmdlets from VMware.VimAutomation.Storage module have been improved: Set-VsanClusterConfiguration, Get-VsanClusterConfiguration, Get-VsanSpaceUsage, Get-VasaStorageArray, Get-VasaProvider.
  • Existing cmdlets from VMware.VimAutomation.Security module have been improved: Get-TrustedClusterAppliedStatus, Set-TrustedCluster, New-TrustAuthorityKeyProvider, Set-TrustAuthorityKeyProvider, Set-TrustAuthorityTpm2AttestationSettings, Add-TrustedClusterAttestationServiceInfo, Add-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterAttestationServiceInfo.
  • Added to the supported list in the compatibility matrix: vCenter Server 7.0 U1, vSAN 7.0 U1, vSphere 7.0 U1, Site Recovery Manager 8.3 and 8.3.1, Horizon 7.13
  • Removed from the supported list in the compatibility matrix: vCloud Director for Service Providers 9.5, Site Recovery Manager 6.1.1, vRealize Operations Manager 6.6.1 and 6.7
Read More
VMworld 2020

VMworld 2020 – Which Sessions to Attend?

VMworld 2020 is just around the corner. In this COVID-19 world everything moved online and so does VMworld. Make sure to register to VMworld 2020 and reserve in your calendars the period 29th September to 1st October.

This year, VMware offers two types of access to VMworld:

  • General Pass – includes access to 500+ on-demand VMworld sessions – free of charge
  • Premier Pass – everything General Pass has plus access to roundtables, limited capacity sessions, birds of a feather (informal discussions), hand-on-labs, 1:1 expert consultations  – priced at $299

Few days ago, VMware made available the scheduler, so I will base this article on my selection of VMworld sessions, in no particular order. I have a free General Pass, so I will not touch anything reserved to Premier Pass. 14 sessions spread across 3 days, covering topics as private and public cloud, networking and security, containers, hyper-converged infrastructure, and career.

Read More
vCenter Server 7.0.0b

VMware vCenter Server 7.0.0b

VMware released a new vCenter Server version: 7.0.0b, 7.0.0.10400, build 16386292. In this article I cover the resolved issues and I show how easy is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0b.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

If you want to install vCenter 7.0.0, please check How to Install VMware vSphere 7.0.

vCenter Server 7.0.0b – Resolved Issues

vCenter Server 7.0.0b introduces two new features:

  • It adds a Replication State Change alarm to the vCenter Server Appliance that displays when a replication state changes to READ_ONLY.
  • You can use the Show only rollup updates toggle button to filter and select patches that you want to include in a baseline when using the vSphere Lifecycle Manager.

This release of vCenter Server delivers the following patch:

  • VMware-vCenter-Server-Appliance-7.0.0.10400-16386292-patch-FP.iso
Read More
vCenter Server 7.0.0a

VMware vCenter Server 7.0.0a

VMware released a new vCenter Server version: 7.0.0a, 7.0.0.10300, build 16189094. In this article I cover the resolved issues and I show how easy is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0a. I also include few images with the new update notification features from vSphere Client.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

vCenter Server 7.0.0a – Resolved Issues

This release of vCenter Server 7.0.0a delivers the following patch:

  • Patch for VMware vCenter Server Appliance 7.0.0a (VMware-vCenter-Server-Appliance-7.0.0.10300-16189094-patch-FP.iso)

The patch resolves a vSAN issue: vSphere Lifecycle Manager and vSAN File Services cannot be simultaneously enabled on a vSAN cluster. With vCenter Server 7.0.0a you can enable both vSAN File Services and vSphere Lifecycle Manager at the same time on a cluster.

Upgrade from vCenter Server 6.7 Update 3g to vCenter Server 7.0.0a is not supported. Upgrade is supported though from older versions of vCenter Server 6.7. You can check KB67077 for the upgrade matrix.

Read More
Install vSphere 7.0

How to Install VMware vSphere 7.0

In this article I will show you how to install VMware vSphere 7.0. If you are looking for instructions about how to install the older version vSphere 6.7, you can find them here.

To begin with, you need an installation iso for vSphere 7.0, which you can download from your My.VMware account. I downloaded VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso (vSphere 7.0 build 15843807). I will install vSphere into a virtual machine (don’t do this in production, this is a configuration unsupported by VMware, but often seen in home labs), so I will just mount the iso file into the CD drive and power on the VM.

Install VMware vSphere 7.0

As soon as the VM boots, you will see a “Loading ESXi installer” screen:

Install vSphere 7.0 - Loading ESXi installer
Read More
VMware Security Advisory

VMSA-2020-0009 – VMware vRealize Operations Manager Vulnerability

Updated on 16 May 2020 with fixed versions of vRealize Operations.

VMware has released a new security advisory VMSA-2020-0009: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities.

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which is used by VMware vRealize Operations Manager. This advisory documents the remediation of one critical and one important issues. The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt and as such presents two vulnerabilities, one authentication bypass and one directory traversal.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-11651 to the authentication bypass vulnerability and CVE-2020-11652 to the directory traversal.

A malicious actor with network access to port 4505 or 4506 on the ARC may take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. For the second vulnerability, a malicious actor with network access to port 4505 or 4506 on the ARC may access the entirety of the ARC filesystem.

Read More
Configure vRealize Orchestrator 8.1

How to Configure vRealize Orchestrator 8.1

In a previous article I documented steps required to install the latest VMware vRealize Orchestrator 8.1. After vRO deployment, you have to go through the initial configuration of the application. In this article I will show you how to configure a standalone vRealize Orchestrator 8.1 with vSphere authentication.

By default the password expiry of the root account of the vRealize Orchestrator Appliance is set to 365 days. If you choose to extend the expiration period, you can do that opening a SSH connection to the vRO appliance and running this command:

passwd -x number_of_days_to_expire root

Configure vRealize Orchestrator - Change Password Expiration Policy

While you are connected to the SSH, you can also run a check for proper DNS resolution, forward and reverse:

nslookup vro_FQDN

nslookup vro_IP_address

Configure vRealize Orchestrator - Check DNS Resolution
Read More