Security Advisory

VMSA-2021-0014 – VMware ESXi Vulnerabilities

VMware has released a new security advisory VMSA-2021-0014: VMware ESXi updates address authentication and denial of service vulnerabilities (CVE-2021-21994, CVE-2021-21995).

Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one important issue (CVSSv3 score 7) and one moderate issue (CVSSv3 score 5.3).

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2021-21994 to the ESXi SFCB improper authentication vulnerability and CVE-2021-21995 to the ESXi OpenSLP denial-of-service vulnerability.

VMSA-2021-0014 – Description and Workarounds

A malicious actor with network access to port 5989 on ESXi may exploit the SFCB improper authentication vulnerability to bypass SFCB authentication by sending a specially crafted request. SFCB service is disabled by default. The service starts when you install a third-party CIM VIB, for example, when you run the esxcli software vib install -n VIBname command. You can check status and disable SFCB service using:

Performance

12 Performance Tips for Your Virtual Machine

I spent my fair amount of years in IT operations, staying around enterprise VMware infrastructure for about a decade. During this period, I worked with development environments (with crazy stuff like developers running Visual Studio, Jenkins CI/CD pipelines, and automation testing clusters on top of Citrix XenApp farms on top of vSphere). I also worked with production infrastructures ranging from usual CRM and ERP applications to performance-hungry financial and real-time telco-grade applications.

Irrespective of the environment, there was always that user complaining about the slowness of a particular VM. It was not a general performance issue, but specific to one VM. And you know what? Sometimes the user was right and the performance of the VM was subpar. The easiest “solution” would be to add more resources, and this was many times the path supported by the user. “I don’t have enough processing power, give me 4 more virtual CPUs”. Sometimes it is the proper solution. But often these are just resources going out of the door. In fact, all you need to recover the performance is to tune your virtual machine configuration.

In this article, I want to highlight 12 areas worth checking in the virtual machine configuration. If nothing works, then you can look into changes that get easily translated into real money. I will not touch any configuration at a level above the VM and nothing at the operating system level.

Install vSphere 7.0

How to Install VMware vSphere 7.0

In this article I will show you how to install VMware vSphere 7.0. If you are looking for instructions about how to install the older version vSphere 6.7, you can find them here.

To begin with, you need an installation iso for vSphere 7.0, which you can download from your My.VMware account. I downloaded VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso (vSphere 7.0 build 15843807). I will install vSphere into a virtual machine (don’t do this in production, this is a configuration unsupported by VMware, but often seen in home labs), so I will just mount the iso file into the CD drive and power on the VM.

Install VMware vSphere 7.0

As soon as the VM boots, you will see a “Loading ESXi installer” screen:

Install vSphere 7.0 - Loading ESXi installer
Install vSphere 6.7

How to Install VMware vSphere 6.7

In this article I will show you how to install VMware vSphere 6.7. If you are looking for instructions about how to install vSphere 6.5, you can find them here.

To start, you need an installation iso for vSphere 6.7, which you can download from your My.VMware account. From here, I downloaded VMware-VMvisor-Installer-6.7.0-8169922.x86_64.iso (vSphere 6.7 build 8169922). I will install vSphere into a virtual machine (beware, this is a configuration unsupported by VMware, but often seen in home labs), so I will just mount the iso file into the CD drive and power on the VM.

Install VMware vSphere 6.7

As soon as the VM boots, you will see a “Loading ESXi installer” screen:

Install vSphere 6.7 - Loading ESXi installer


VMware Released ESXi Patches for Spectre

VMware released patches against the Spectre-2 vulnerability. In order to protect against the branch target injection vulnerability (also known as Spectre-2), you need to patch the full stack, ranging from vCenter, down to ESXi and the operating system. Don’t forget to also update the firmware for your hardware.

For vCenter, VMware released the corresponding patches a few days ago:

Going down to ESXi level, VMware released these patches:

  • ESXi 6.5 – ESXi650-201803401-BG and ESXi650-201803402-BG
  • ESXi 6.0 – ESXi600-201803401-BG and ESXi600-201803402-BG
  • ESXi 5.5 – ESXi550-201803401-BG and ESXi550-201803402-BG

In this article I will focus on ESXi 6.5 patches.

ESXi650-201803401-BG updates the esx-base, esx-tboot, vsan and vsanhealth VIBs. ESXi650-201803402-BG updates the cpu-microcode VIB. Both patches provide parts of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (as described in VMware Security Advisory VMSA-2018-0004.3).


vSphere HTML5 Web Client Fling v3.33

New Release – vSphere HTML5 Web Client Fling v3.33

What a release schedule! The team behind vSphere HTML5 Web Client Fling is doing a beautiful job here, one release every other week. I previously blogged about v3.32 of the plugin and the vApp goodies it brought. Here we are in front of a new release, v3.33, with another great set of vApp and VM improvements.

If you don’t yet use the vSphere HTML5 Web Client Fling, you can find the installation details here.

The update process is as easy as described in the How to Update vSphere HTML5 Web Client Fling article. You just hit the “Update vSphere Client” button in the management console and the update starts right away:

vSphere HTML5 Web Client Fling – Update

After the process is completed and you re-login to the web client, you will see the new version confirmation:

vSphere HTML5 Web Client Fling – Version v3.33


vSphere HTML5 Web Client Fling v3.32

New Release – vSphere HTML5 Web Client Fling v3.32

You may already know I’m a big fan of vSphere HTML5 Web Client Fling, so you should not be surprised that I closely follow the development of this fling. For the last few days, like everybody else in the tech world, I was busy with the Meltdown and Spectre vulnerabilities, but I still managed to notice that the development team released a new version: vSphere HTML5 Web Client Fling v3.32.

If you still don’t use the fling (why wouldn’t you?), see the article How to Install vSphere HTML5 Web Client Fling. If you just need to update it, see How to Update vSphere HTML5 Web Client Fling.

Update 22 January 2018: The development team does a great job of updating the fling, so here is the new v3.33 version of vSphere HTML5 Web Client Fling.

So, let’s see, what’s new in vSphere HTML5 Web Client Fling?


Update vSphere HTML5 Web Client Fling - Dashboard

How to Update vSphere HTML5 Web Client Fling

In an earlier post I showed how to install vSphere HTML5 Web Client Fling. The biggest difference between the fling version and the vCenter 6.5 supported version is that the fling gets updated more often. In this post I will show how easy it is to update vSphere HTML5 Web Client Fling.

I will start from the base version 3.27.0 build 7055108. My target is to update the fling to version 3.29.0 build 7157335. Even though only 2 weeks have passed since the 3.27.0 release, there are a few new features available:

  • Configure advanced CPU Identification Mask
  • Select PVRDMA adapter type for a VM network
  • Configure traffic filtering and marking rules on distributed port groups
  • Export and import distributed switches and distributed port groups

See the full change log in the official fling repository.


vSphere HTML5 Web Client Fling

How to Install vSphere HTML5 Web Client Fling

Download vSphere HTML5 Web Client Fling

VMware agrees that Flash is not the solution for the long-term. Our long-term direction is to utilize HTML5. In vSphere 6.5, we have released a supported version of an HTML5 based web client which we call “vSphere Client”. What’s New in vSphere 6.5: vCenter management clients

This vSphere HTML5 Web Client evolved from an application initially published as a Fling (“Flings are apps and tools built by our engineers and community that are intended to be played with and explored”). The Web Client made available in vCenter is a fully supported version of the fling. However, VMware updates the fling version of the client more often. Even if the fling version is not supported, it’s still good to play with what will eventually graduate to a supported version.

In this article I will guide you through the initial configuration of vSphere HTML5 Web Client Fling. We will install the fling in parallel with the existing vCenter Server and will make no permanent changes at vCenter level. If you want to update an already existing installation of the fling, check this article: How to Update vSphere HTML5 Web Client Fling.

I will demonstrate how to install vSphere HTML5 Web Client Fling on top of vCenter Server Appliance 6.5 with an embedded PSC.

I will start the process with the download of the OVA file. Go to the VMware Fling repository and download the latest version available (in my case v3.27 – Build 7055108, released on 4th November 2017). Check the “I have read…” checkbox and choose the OVA file from the drop-down list (in my case h5ngcVA-3.27.0.0-7055108_OVF10.ova). You can then click on the “Download” button and wait for the archive to be downloaded.


How to Update ESXi 6.5 with Update Manager

In this article I will demonstrate how to easily update ESXi 6.5 using Update Manager.

In this demonstration I will use vCenter Update Manager, so I must have the proper vCenter version already installed. As a rule of thumb, you always need to update vCenter Server before ESXi (vSphere). The update process for VMware solutions can be tricky, so for the specific update order for VMware products I suggest you check KB2147289.

Note: If you look for VCSA update instructions, check this article: How to Update vCenter Server Appliance to 6.5 Update 1b.

Check vCenter and ESXi versions

I will connect to my vCenter Server using vSphere Web Client and I will check the vCenter version. As you can see below, I am running vCenter version 6.5.0, build 6816762, which is the latest version at the moment I am writing this article.

Update ESXi - Check vCenter Version

Next, I will check ESXi version. I navigate in the left panel to the ESXi server I plan to update (esx1.lab.local). In the right panel, I can see the installed product: VMware ESXi 6.5.0 build 5310536.

Update ESXi - Check ESXi Version

I will now use the my.vmware.com site to find the latest version for ESXi 6.5. As you can see below, the latest build is 6765664. Take note of the Bulletin Number, we will use it later: ESXi650-201710401-BG.

Update ESXi - MyVMware
