New Security Patch – vCenter Server 6.5 U1f

VMware today released a new security patch, vCenter Server 6.5 U1f, build number 7801515. This release patches the vCSA operating system (Photon OS) mainly against two vulnerabilities: bounds-check bypass (Spectre-1, CVE-2017-5753) and rogue data cache load (Meltdown, CVE-2017-5754). As of now, there is still no patch for the branch target injection vulnerability (Spectre-2, CVE-2017-5715).

The new patch can already be downloaded from the My VMware portal (VMware-VCSA-all-6.5.0-7801515.iso, 3607.6 MB), but it is not yet available in the online repository for updating through the management GUI or CLI. Update 16 February 2018: the patch is available in the online repository; see below for details.

Updated packages:

  • linux 4.4.110-2
  • libgcrypt 1.7.6-3
  • c-ares 1.12.0-2
  • ncurses 6.0-8
  • libtasn1 4.12-1
  • wget 1.18-3
  • procmail 3.22-4
  • rsync 3.1.2-4
  • apr 1.5.2-7


VMware Security Advisory – VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console

VMware has released a new security advisory: VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities.

This advisory documents the remediation of two issues: one critical (a deserialization vulnerability which may allow code execution in vRealize Automation and vSphere Integrated Containers) and one important (a cross-site request forgery vulnerability when accessing the App Catalog in AirWatch Console).


How to Install vRealize Suite Lifecycle Manager 1.1

vRealize Suite Lifecycle Manager is a relatively new tool in VMware’s portfolio. You can use it to install, configure and upgrade vRealize environments consisting of vRealize Automation, vRealize Business for Cloud, vRealize Log Insight and vRealize Operations. In this article I will show how to install vRealize Suite Lifecycle Manager 1.1.

You will need access to both a vCenter Server and an ESXi host, version 6.0 or 6.5. To run the virtual machine you will have to allocate a minimum of 2 vCPUs and 16GB of RAM. The smallest used disk is around 3GB, and it can grow up to 135GB.

You can download vRealize Suite Lifecycle Manager 1.1 from the My.VMware portal (you need to use your credentials to authenticate). You will end up with a 1.7GB OVA file (VMware-vLCM-Appliance-1.1.0.7-7359844_OVF10.ova), released on 12 December 2017.

Install vRealize Suite Lifecycle Manager – My VMware


New Release – vSphere HTML5 Web Client Fling v3.33

What a release schedule! The team behind vSphere HTML5 Web Client Fling is doing a beautiful job here, one release every other week. I previously blogged about v3.32 of the plugin and the vApp goodies it brought. Here we are in front of a new release, v3.33, with another great set of vApp and VM improvements.

If you don’t yet use the vSphere HTML5 Web Client Fling, you can find the installation details here.

The update process is as easy as described in the How to Update vSphere HTML5 Web Client Fling article. You just hit the “Update vSphere Client” button in the management console and the update starts right away:

vSphere HTML5 Web Client Fling – Update

After the process is completed and you re-login to the web client, you will see the new version confirmation:

vSphere HTML5 Web Client Fling – Version v3.33


VMware Carpool Tech Talk

In a fashion similar to James Corden’s Carpool Karaoke, VMware EMEA released over the last six months a series of short videos: VMware Carpool Tech Talk. For each episode of the series, two VMware influencers share a car and have a short tech talk. It’s a different format, relaxed, fun to follow, and without the exposure it deserves. Without further ado, here we go!

VMware Carpool Tech Talk – Rory Choudhuri and Andrew Hald – Hands-on Labs

Rory Choudhuri (Solutions Marketing Director at VMware) talks with Andrew Hald (Principal Architect and Senior Manager) about how VMware Hands-on Labs add value to the products and the customers. How do they deliver 150,000 VMs a week, what’s next and what’s in it for you?


VMware Security Advisory – VMSA-2018-0005 – Workstation and Fusion Updates

VMware has released a new security advisory: VMSA-2018-0005 – VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities.

This advisory documents the remediation of two issues: one critical (use-after-free vulnerability in VMware NAT service when IPv6 mode is enabled) and one important (an integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled).


VMware Patches for Spectre

After releasing the initial security advisory VMSA-2018-0002 to discuss Meltdown and Spectre vulnerabilities, VMware released yesterday the second advisory on the matter – VMSA-2018-0004 – VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.

VMSA-2018-0004 – Hypervisor-Assisted Guest Remediation

Updates of vCenter Server, ESXi, Workstation and Fusion virtualize the new speculative-execution control mechanism for virtual machines. As a result, a patched guest operating system can remediate the Branch Target Injection issue (CVE identifier CVE-2017-5715). This issue may allow for information disclosure between processes within the VM.

Affected VMware products:

  • vCenter Server 5.5, 6.0, 6.5
  • ESXi 5.5, 6.0, 6.5
  • Workstation 12.x (patch planned; update to 12.5.9), 14.x (update to 14.1.1)
  • Fusion 8.x (update to 8.5.10), 10.x (update to 10.1.1)


VMware Security Advisory – VMSA-2018-0001 – vSphere Data Protection

I know you are all busy patching Meltdown and Spectre, but let’s not forget about a security advisory that VMware released so early this year, on 2nd January 2018: VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This advisory documents the remediation of three important issues: a VDP authentication bypass vulnerability, VDP arbitrary file upload vulnerability, and a VDP path traversal vulnerability.

The same day, VMware released a new vSphere Data Protection version, 6.1.6, which among other goodies fixes all the vulnerabilities from the current advisory.


New Release – vSphere HTML5 Web Client Fling v3.32

You may already know I’m a big fan of vSphere HTML5 Web Client Fling, so you should not be surprised that I closely follow the development of this fling. For the last few days, like everybody else in the tech world, I was busy with the Meltdown and Spectre vulnerabilities, but I still managed to notice that the development team released a new version: vSphere HTML5 Web Client Fling v3.32.

If you still don’t use the fling (why wouldn’t you?), see the article How to Install vSphere HTML5 Web Client Fling. If you just need to update it, see How to Update vSphere HTML5 Web Client Fling.

Update 22 January 2018: The development team does a great job updating the fling, so here is the new v3.33 version of vSphere HTML5 Web Client Fling.

So, let’s see, what’s new in vSphere HTML5 Web Client Fling?


VMware Security Advisory VMSA-2018-0003

VMware has released a new security advisory: VMSA-2018-0003 – vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities.

This advisory documents the remediation of three important issues: a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents, an out-of-bounds read issue that occurs via Cortado ThinPrint and affects Workstation and Horizon View Client, and a guest access control vulnerability which affects Workstation and Fusion.
