Security Advisory

VMSA-2021-0014 – VMware ESXi Vulnerabilities

VMware has released a new security advisory VMSA-2021-0014: VMware ESXi updates address authentication and denial of service vulnerabilities (CVE-2021-21994, CVE-2021-21995).

Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one important issue (CVSSv3 score 7) and one moderate issue (CVSSv3 score 5.3).

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2021-21994 to the ESXi SFCB improper authentication vulnerability and CVE-2021-21995 to the ESXi OpenSLP denial-of-service vulnerability.

VMSA-2021-0014 – Description and Workarounds

A malicious actor with network access to port 5989 on ESXi may exploit the SFCB improper authentication vulnerability to bypass SFCB authentication by sending a specially crafted request. SFCB service is disabled by default. The service starts when you install a third-party CIM VIB, for example, when you run the esxcli software vib install -n VIBname command. You can check status and disable SFCB service using:

Read More
VMware Security Advisory

VMSA-2021-0004 – vRealize Operations Manager Vulnerabilities

VMware has released a new security advisory VMSA-2021-0004: VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2021-21975 to the server side request forgery vulnerability in vRealize Operations Manager API and CVE-2021-21983 to the arbitrary file write vulnerability in vRealize Operations Manager API.

A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon operating system.

Read More
VMware Security Advisory

VMSA-2020-0026 – ESXi, Workstation, and Fusion Vulnerabilities

VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-4004 to the use-after-free vulnerability in XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.

Read More
Performance

12 Performance Tips for Your Virtual Machine

I spent my fair amount of years in IT operations, staying around enterprise VMware infrastructure for about a decade. During this period, I worked with development environments (with crazy stuff like developers running Visual Studio, Jenkins CI/CD pipelines, and automation testing clusters on top of Citrix XenApp farms on top of vSphere). I also worked with production infrastructures ranging from usual CRM and ERP applications to performance-hungry financial and real-time telco-grade applications.

Irrespective of the environment, there was always that user complaining about the slowness of a particular VM. It was not a general performance issue, but specific to one VM. And you know what? Sometimes the user was right and the performance of the VM was subpar. The easiest “solution” would be to add more resources and this was at many times the path supported by the user. “I don’t have enough processing power, give me 4 more virtual CPUs”. Sometimes it is the proper solution. But often these are just resources going out of the door. In fact, all you need to recover the performance is to tune your virtual machine configuration.

In this article, I want to highlight 12 areas worth checking at the virtual machine configuration. If nothing works, then you can look into changes that get easily translated into real money. I will not touch any configuration at a level above the VM and nothing at the operating system level.

Read More
VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. If you can’t upgrade to the fixed version, as a workaround you can disable CIM server, documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1.1
Read More
VMware PowerCLI 12.1.0

VMware PowerCLI 12.1.0

Six months after the previous version of PowerCLI, VMware released the new VMware PowerCLI 12.1.0. I will cover in this article the improvements brought by PowerCLI 12.1.0 and the easy installation process on both Windows and Linux. For full documentation on this version of PowerCLI you can check the code.vmware.com page.

PowerCLI 12.1.0 Changes

New features and updates:

  • New cmdlets have been added to the VMware.VimAutomation.WorkloadManagement module: Get-WMCluster, Set-WMCluster, Enable-WMCluster, Disable-WMCluster.
  • New cmdlets have been added to the VMware.VimAutomation.Core module for managing vSphere Lifecycle Manager: Get-LcmImage, Test-LcmClusterCompliance, Test-LcmClusterHealth.
  • Existing cmdlets from VMware.VimAutomation.Core module have been improved: New-Cluster, Set-Cluster, New-ContentLibraryItem, Set-ContentLibraryItem, New-VM, Set-VM, New-Datastore, New-HardDisk, Get-NetworkAdapter, Get-VirtualNetwork, Set-ScsiLun.
  • New cmdlets have been added to the VMware.VimAutomation.Vmc module for specifying cluster’s EDRS policies: Get-VmcClusterEdrsPolicy, Set-VmcClusterEdrsPolicy.
  • Existing cmdlets from VMware.VimAutomation.Vmc module have been improved: New-VmcSddc, Add-VmcSddcHost, Remove-VmcSddcHost.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing vSAN secure disk wipe: Start-VsanWipeVsanDisk, Get-VsanWipeDiskState, Stop-VsanWipeVsanDisk.
  • New cmdlets have been added to the VMware.VimAutomation.Storage module for managing Cloud Native Storage volumes: Get/New/Set/Remove-CnsVolume, New-CnsContainerCluster, New-CnsKubernetesEntityReference, New-CnsKubernetesEntityMetadata, New-CnsVolumeMetadata, Add-CnsAttachment, Remove-CnsAttachment.
  • New cmdlet has been added to the VMware.VimAutomation.Storage module for managing Virtual Volume (vVol) storage containers: Get-VvolStorageContainer.
  • Existing cmdlets from VMware.VimAutomation.Storage module have been improved: Set-VsanClusterConfiguration, Get-VsanClusterConfiguration, Get-VsanSpaceUsage, Get-VasaStorageArray, Get-VasaProvider.
  • Existing cmdlets from VMware.VimAutomation.Security module have been improved: Get-TrustedClusterAppliedStatus, Set-TrustedCluster, New-TrustAuthorityKeyProvider, Set-TrustAuthorityKeyProvider, Set-TrustAuthorityTpm2AttestationSettings, Add-TrustedClusterAttestationServiceInfo, Add-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterKeyProviderServiceInfo, Remove-TrustedClusterAttestationServiceInfo.
  • Added to the supported list in the compatibility matrix: vCenter Server 7.0 U1, vSAN 7.0 U1, vSphere 7.0 U1, Site Recovery Manager 8.3 and 8.3.1, Horizon 7.13
  • Removed from the supported list in the compatibility matrix: vCloud Director for Service Providers 9.5, Site Recovery Manager 6.1.1, vRealize Operations Manager 6.6.1 and 6.7
Read More
VMworld 2020

VMworld 2020 – Which Sessions to Attend?

VMworld 2020 is just around the corner. In this COVID-19 world everything moved online and so does VMworld. Make sure to register to VMworld 2020 and reserve in your calendars the period 29th September to 1st October.

This year, VMware offers two types of access to VMworld:

  • General Pass – includes access to 500+ on-demand VMworld sessions – free of charge
  • Premier Pass – everything General Pass has plus access to roundtables, limited capacity sessions, birds of a feather (informal discussions), hand-on-labs, 1:1 expert consultations  – priced at $299

Few days ago, VMware made available the scheduler, so I will base this article on my selection of VMworld sessions, in no particular order. I have a free General Pass, so I will not touch anything reserved to Premier Pass. 14 sessions spread across 3 days, covering topics as private and public cloud, networking and security, containers, hyper-converged infrastructure, and career.

Read More
vCenter Server 7.0.0b

VMware vCenter Server 7.0.0b

VMware released a new vCenter Server version: 7.0.0b, 7.0.0.10400, build 16386292. In this article I cover the resolved issues and I show how easy is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0b.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

If you want to install vCenter 7.0.0, please check How to Install VMware vSphere 7.0.

vCenter Server 7.0.0b – Resolved Issues

vCenter Server 7.0.0b introduces two new features:

  • It adds a Replication State Change alarm to the vCenter Server Appliance that displays when a replication state changes to READ_ONLY.
  • You can use the Show only rollup updates toggle button to filter and select patches that you want to include in a baseline when using the vSphere Lifecycle Manager.

This release of vCenter Server delivers the following patch:

  • VMware-vCenter-Server-Appliance-7.0.0.10400-16386292-patch-FP.iso
Read More
vCenter Server 7.0.0a

VMware vCenter Server 7.0.0a

VMware released a new vCenter Server version: 7.0.0a, 7.0.0.10300, build 16189094. In this article I cover the resolved issues and I show how easy is to update from the previous version of vCenter Server 7.0.0 to the latest 7.0.0a. I also include few images with the new update notification features from vSphere Client.

In case you are looking for an upgrade demonstration from vCenter Server 6.7 to vCenter Server 7.0.0, you can check my other article: How to Upgrade vCenter Server Appliance from 6.7 to 7.0 – Stage 1.

vCenter Server 7.0.0a – Resolved Issues

This release of vCenter Server 7.0.0a delivers the following patch:

  • Patch for VMware vCenter Server Appliance 7.0.0a (VMware-vCenter-Server-Appliance-7.0.0.10300-16189094-patch-FP.iso)

The patch resolves a vSAN issue: vSphere Lifecycle Manager and vSAN File Services cannot be simultaneously enabled on a vSAN cluster. With vCenter Server 7.0.0a you can enable both vSAN File Services and vSphere Lifecycle Manager at the same time on a cluster.

Upgrade from vCenter Server 6.7 Update 3g to vCenter Server 7.0.0a is not supported. Upgrade is supported though from older versions of vCenter Server 6.7. You can check KB67077 for the upgrade matrix.

Read More
Install vSphere 7.0

How to Install VMware vSphere 7.0

In this article I will show you how to install VMware vSphere 7.0. If you are looking for instructions about how to install the older version vSphere 6.7, you can find them here.

To begin with, you need an installation iso for vSphere 7.0, which you can download from your My.VMware account. I downloaded VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso (vSphere 7.0 build 15843807). I will install vSphere into a virtual machine (don’t do this in production, this is a configuration unsupported by VMware, but often seen in home labs), so I will just mount the iso file into the CD drive and power on the VM.

Install VMware vSphere 7.0

As soon as the VM boots, you will see a “Loading ESXi installer” screen:

Install vSphere 7.0 - Loading ESXi installer
Read More