vToolbelt – January 2022
Happy New Year everyone!
- VMware announced a heap-overflow vulnerability for VMs configured to use an ISO image or host device in the CD-Rom. Read below for details on the issue as well as preventative steps you can take.
- The open source Apache Log4J project has announced a zero day vulnerability with versions 2.14.1 and earlier. Any systems using those affected software components should patch or take preventative action immediately. Read below for more details on how VMware is responding.
- ESX hosts using SD-Cards or USB Media to boot should be aware that support for this is ending. A TAM Customer webinar in early December covered this extensively. If you were unable to attend the webinar live, you can watch the recording.
Product Support Watch
Horizon View / Workspace ONE
- Dynamic Environment Manager 9.9 – 3/17/22
- Dynamic Environment Manager 9.11 – 3/17/22
- App Volumes 4 – 1/14/22
- Horizon 7.10 ESB – 3-17-22
- Identity Manager 3.3.3 – 5/11/22
- Workspace ONE UEM Console 2007 (SaaS Only) – 1/20/22
- Workspace ONE UEM Console 2008 – 3/15/22
- Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
- NSX for vSphere (NSX-V) – 1/16/22 – must transition to NSX-T
- Lifecycle Manger 8.3 – 2/4/22 – extended to 10-31-22
- Lifecycle Manger 8.4 – 4/15/22- extended to 10-31-22
- vRealize Orchestrator 8.3 – 2/4/2 – extended to 10-31-22
- vRealize Orchestrator 8.4 – 4/15/22 – extended to 10-31-22
- vRealize Automation 8.3 – 2/4/22 – extended to 10-31-22
- vRealize Automation 8.4 – 4/15/22 – extended to 10-31-22
Notes from the Field
If you are not using VMware Skyline yet, you should check out how the University of Houston uses Skyline to avoid unplanned downtime.
If your vCenter Server 7.0 U3 has issues with the internal vCenter Backup process (DB Health), you should check out KB 86084. It turns out that the database schema may have been updated by a patch without being reported to the consistency checker. While this will be corrected in a future patch, the fix is easy and takes only a few minutes.
CD-ROM heap-overflow vulnerability (VMSA-2022-0001) – On 1/4/22, VMware announced a heap-overflow vulnerability that can affect VMs which have a CD-Rom device configured with either an ISO image or host-based device.
- This vulnerability can be exploited by a malicious actor who has access to a VM in this configuration
- The workaround involves configuring VMs to have the CD-Rom set to Client Device – KB 87249. The KB also has PowerCLI sample code that can be used to identify VMs that are vulnerable as well as changing the VMs to Client Device
- A patch for ESXi is available that fully remediates the issue
VMware’s response to the Apache Log4J vulnerability – On 12/10/21, the Apache Log4J project disclosed a zero-day vulnerability in CVE-2021-44228.
- VMware Security Advisory VMSA-2021-0028 was published to document the impact to VMware Products. This is an on-going event – please check back at this URL for updates as the develop
- This is a critical severity issue and immediate action is recommended.
- You can download a PDF summary of the advisory which includes the steps to remediate VMware products as published as of 12/13/21. Do check back at the URL above for new developments.
Migrating to NSX-T – NSX-V is End of Life and will be out of support on January 16, 2022. If you are running NSX-V you need to migrate to NSX-T. The licenses you have today do work with NSX-T. There are 2 methods to migrate. There is also a whitepaper on migrating from NSX-V to NSX-T.
Updates on booting ESXi hosts SD-cards/USB Sticks – vSphere 7.0 Update 3 has been released which automates the settings to allow ESX hosts to safely use SD-Cards. Refer to the information in the Notes from the Field section below for full details.
vSphere 7.0 Update 2 and USB-based Boot Media (SD Cards/USB Sticks) – If your ESX hosts boot from these devices – you need to read this important information before you upgrade as the boot devices you are using may have issues.
vSphere 7 Update 2 introduces changes to core storage used by the Hypervisor and increases the I/O requirements past the endurance thresholds of some SD cards. This change is described in the vSphere 7.0 Update 2 VMware ESXi Installation and Setup Guide. On page 12 of the guide, it specifies that the ESX-OSData partition “must be created on high-endurance storage devices”.
Currently, information about the internal SD cards can’t be checked on the VMware Compatibility Guide, as hardware manufacturers do not provide that information to VMware. Please be aware that the hardware vendors are responsible for managing and updating their information listed in the compatibility guide. If you have questions about the endurance specifications of your SD Cards – please check with your hardware manufacturer.
KB 83376 – discusses the issues that can arise when the SD card boot device has exhausted its write capability. This KB also describes a work around VMware has developed to allow low endurance SD Cards to work with vSphere 7 Update 2. It involves a manual one-time config change which moves certain highly accessed files to a RAM Disk. This should become automatic in a future release of vSphere 7.x.
While this should help with vSphere 7.x, I am not sure what the future holds for SD Cards as ESX boot devices. If I had to guess, I would imagine that the I/O requirements will increase over time as ESX continues to evolve.
It is advisable to consider adding higher performance/endurance boot devices into a future budget or into your next hardware refresh plan.