VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. If you can’t upgrade to the fixed version, as a workaround you can disable the CIM server, as documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to
Read More
VMware PowerCLI 12.1.0

VMware PowerCLI 12.1.0

Six months after the previous version of PowerCLI, VMware released the new VMware PowerCLI 12.1.0. I will cover in this article the improvements brought by PowerCLI 12.1.0 and the easy installation process on both Windows and Linux. For full documentation on this version of PowerCLI you can check the code.vmware.com page.

PowerCLI 12.1.0 Changes

New features and updates:

  • New cmdlets have been added to the VMware.VimAutomation.WorkloadManagement module: Get-WMCluster, Set-WMCluster, Enable-WMCluster, Disable-WMCluster.
  • New cmdlets have been added to the VMware.VimAutomation.Core module for managing vSphere Lifecycle Manager: Get-LcmImage, Test-LcmClusterCompliance, Test-LcmClusterHealth.
  • Existing cmdlets from VMware.VimAutomation.Core module have been improved: New-Cluster, Set-Cluster, New-ContentLibraryItem, Set-ContentLibraryItem, New-VM, Set-VM, New-Datastore, New-HardDisk, Get-NetworkAdapter, Get-VirtualNetwork, Set-ScsiLun.
  • New cmdlets have been added to the VMware.VimAutomation.Vmc module for specifying cluster’s EDRS policies: Get-VmcClusterEdrsPolicy, Set-VmcClusterEdrsPolicy.
  • Existing cmdlets from VMware.VimAutomation.Vmc module have been improved: New-VmcSddc, Add-VmcSddcHost, Remove-VmcSddcHost.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing vSAN secure disk wipe: Start-VsanWipeVsanDisk, Get-VsanWipeDiskState, Stop-VsanWipeVsanDisk.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing Cloud Native Storage volumes: Get/New/Set/Remove-CnsVolume, New-CnsContainerCluster, New-CnsKubernetesEntityReference, New-CnsKubernetesEntityMetadata, New-CnsVolumeMetadata, Add-CnsAttachment, Remove-CnsAttachment.
  • New cmdlet has been added to the VMware.VimAutomation.Storage module for managing Virtual Volume (vVol) storage containers: Get-VvolStorageContainer.
  • Existing cmdlets from VMware.VimAutomation.Storage module have been improved: Set-VsanClusterConfiguration, Get-VsanClusterConfiguration, Get-VsanSpaceUsage, Get-VasaStorageArray, Get-VasaProvider.
  • Existing cmdlets from VMware.VimAutomation.Security module have been improved: Get-TrustedClusterAppliedStatus, Set-TrustedCluster, New-TrustAuthorityKeyProvider, Set-TrustAuthorityKeyProvider, Set-TrustAuthorityTpm2AttestationSettings, Add-TrustedClusterAttestationServiceInfo, Add-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterAttestationServiceInfo.
  • Added to the supported list in the compatibility matrix: vCenter Server 7.0 U1, vSAN 7.0 U1, vSphere 7.0 U1, Site Recovery Manager 8.3 and 8.3.1, Horizon 7.13
  • Removed from the supported list in the compatibility matrix: vCloud Director for Service Providers 9.5, Site Recovery Manager 6.1.1, vRealize Operations Manager 6.6.1 and 6.7
Read More
VMworld 2020

VMworld 2020 – Which Sessions to Attend?

VMworld 2020 is just around the corner. In this COVID-19 world everything moved online, and so did VMworld. Make sure to register for VMworld 2020 and reserve the period from 29th September to 1st October in your calendar.

This year, VMware offers two types of access to VMworld:

  • General Pass – includes access to 500+ on-demand VMworld sessions – free of charge
  • Premier Pass – everything General Pass has plus access to roundtables, limited capacity sessions, birds of a feather (informal discussions), hands-on labs, 1:1 expert consultations – priced at $299

A few days ago, VMware made the scheduler available, so I will base this article on my selection of VMworld sessions, in no particular order. I have a free General Pass, so I will not touch anything reserved for Premier Pass. 14 sessions spread across 3 days, covering topics such as private and public cloud, networking and security, containers, hyper-converged infrastructure, and career.

Read More
vCenter Server 7.0.0b

VMware vCenter Server 7.0.0b

VMware released a new vCenter Server version: 7.0.0b, build 16386292. In this article I cover the resolved issues and I show how easy it is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0b.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

If you want to install vCenter 7.0.0, please check How to Install VMware vSphere 7.0.

vCenter Server 7.0.0b – Resolved Issues

vCenter Server 7.0.0b introduces two new features:

  • It adds a Replication State Change alarm to the vCenter Server Appliance that displays when a replication state changes to READ_ONLY.
  • You can use the Show only rollup updates toggle button to filter and select patches that you want to include in a baseline when using the vSphere Lifecycle Manager.

This release of vCenter Server delivers the following patch:

  • VMware-vCenter-Server-Appliance-
Read More
vCenter Server 7.0.0a

VMware vCenter Server 7.0.0a

VMware released a new vCenter Server version: 7.0.0a, build 16189094. In this article I cover the resolved issues and I show how easy it is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0a. I also include a few images with the new update notification features from vSphere Client.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

vCenter Server 7.0.0a – Resolved Issues

This release of vCenter Server 7.0.0a delivers the following patch:

  • Patch for VMware vCenter Server Appliance 7.0.0a (VMware-vCenter-Server-Appliance-

The patch resolves a vSAN issue: vSphere Lifecycle Manager and vSAN File Services cannot be simultaneously enabled on a vSAN cluster. With vCenter Server 7.0.0a you can enable both vSAN File Services and vSphere Lifecycle Manager at the same time on a cluster.

Upgrade from vCenter Server 6.7 Update 3g to vCenter Server 7.0.0a is not supported. Upgrade is supported though from older versions of vCenter Server 6.7. You can check KB67077 for the upgrade matrix.

Read More
Install vSphere 7.0

How to Install VMware vSphere 7.0

In this article I will show you how to install VMware vSphere 7.0. If you are looking for instructions about how to install the older version, vSphere 6.7, you can find them here.

To begin with, you need an installation ISO for vSphere 7.0, which you can download from your My.VMware account. I downloaded VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso (vSphere 7.0 build 15843807). I will install vSphere into a virtual machine (don’t do this in production, this is a configuration unsupported by VMware, but often seen in home labs), so I will just mount the ISO file into the CD drive and power on the VM.

Install VMware vSphere 7.0

As soon as the VM boots, you will see a “Loading ESXi installer” screen:

Install vSphere 7.0 - Loading ESXi installer
Read More
VMware Security Advisory

VMSA-2020-0009 – VMware vRealize Operations Manager Vulnerability

Updated on 16 May 2020 with fixed versions of vRealize Operations.

VMware has released a new security advisory VMSA-2020-0009: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities.

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which is used by VMware vRealize Operations Manager. This advisory documents the remediation of one critical and one important issue. The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt and as such presents two vulnerabilities, one authentication bypass and one directory traversal.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-11651 to the authentication bypass vulnerability and CVE-2020-11652 to the directory traversal.

A malicious actor with network access to port 4505 or 4506 on the ARC may take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. For the second vulnerability, a malicious actor with network access to port 4505 or 4506 on the ARC may access the entirety of the ARC filesystem.

Read More
Configure vRealize Orchestrator 8.1

How to Configure vRealize Orchestrator 8.1

In a previous article I documented the steps required to install the latest VMware vRealize Orchestrator 8.1. After vRO deployment, you have to go through the initial configuration of the application. In this article I will show you how to configure a standalone vRealize Orchestrator 8.1 with vSphere authentication.

By default the password expiry of the root account of the vRealize Orchestrator Appliance is set to 365 days. If you choose to extend the expiration period, you can do that by opening an SSH connection to the vRO appliance and running this command:

passwd -x number_of_days_to_expire root

Configure vRealize Orchestrator - Change Password Expiration Policy

While you are connected over SSH, you can also run a check for proper DNS resolution, forward and reverse:

nslookup vro_FQDN

nslookup vro_IP_address

Configure vRealize Orchestrator - Check DNS Resolution
Read More
vRealize Orchestrator 8.1

How to Install VMware vRealize Orchestrator 8.1

In this article I will demonstrate how to install VMware vRealize Orchestrator 8.1 step by step. This is the latest vRO version to date, released only days ago. You can read more details about the changes in vRO 8.1 in one of my previous articles: VMware vRealize Orchestrator 8.1.

The first step is to download the required OVA file: O11N_VA- Make sure DNS resolution for your future vRO appliance works, both forward and reverse (hostname and IP address). You can then proceed to deploy the appliance from your vCenter Server (minimum vCenter Server version is 6.0, although that is already an unsupported version by VMware, and I hope you are at least on version 6.5, if not on 7.0).

Read More
vRealize Orchestrator 8.1

VMware vRealize Orchestrator 8.1

A few days ago, VMware released the latest version of their orchestration application, vRealize Orchestrator 8.1 (O11N_VA-, build version 15995344).

A little bit of my history with vRO: after playing with versions 5 to early 7 for a few years, I took a pause in using Orchestrator. At the beginning of this year, I accepted the challenge to co-run a VMUG presentation on Orchestrator and I tried one of the first version 8 releases. I have to admit I missed a few things from my old vRO days. Among them, the new HTML client felt a little strange with the biggest changes being the missing tree view or the removal of visual binding. I think VMware is on a good track now with this product, and 8.1 looks promising 🙂

Read More