vToolbelt – February 2022
- vSphere 7.0 U3c has been released and includes the LOG4J patch. Please review the information below before upgrading. There are a number of changes you should review.
- New Update – LOG4J patches on vCenter 6.5 and 6.7 were released on 2/8/22!
- The open source Apache Log4J project has announced a zero day vulnerability with versions 2.14.1 and earlier. Any systems using those affected software components should patch or take preventative action immediately. Read below for more details on how VMware is responding.
Product Support Watch
Horizon View / Workspace ONE
- Dynamic Environment Manager 9.9 – 3/17/22
- Dynamic Environment Manager 9.11 – 3/17/22
- App Volumes 4 – 7/9/22
- Horizon 7.10 ESB – 3/17/22
- Identity Manager 3.3.3 – 5/11/22
- Workspace ONE UEM Console 2008 – 3/15/22
- Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
Notes from the Field
NSX-T 3.2 was initially a greenfield-only release. NSX-T 126.96.36.199 has new capabilities that will enable you to upgrade. This new version has an Upgrade Evaluation tool you will want to read about.
vSphere 7.0 U3c has been released
As many of you know several versions of ESXi 7.0 were pulled from VMware download repositories on November 18th 2021. These include:
- ESXi 7.0U3, U3a, and U3b were removed
- vCenter version U3b was also removed from all repositories
- For additional details on this topic, please see KB86398
In replacement of these releases, on January 27th at 7:30pm PST VMware released vSphere 7.0 U3c. Among other updates, two major components included in this release are:
- Remediation for the Apache log4j vulnerabilities – updates log4j modules to version 2.17
- Final Resolution for the vSphere 7.0 Update 3 critical issues documented in KB86281
There are some important changes to the upgrade process for vSphere 7.0U3c. The release notes cover this in detail. The highlights:
- Customers should run a “standalone” pre-check validation script, in advance, detailed in KB87258 to determine which hosts will be impacted. This could be run prior to the vCenter Server upgrade to know the risk and remediate before scheduling vCenter Server upgrade window.
- Upgrading to vCenter Server 7.0U3c now requires an additional pre-check to evaluate every ESXi host in the vCenter inventory for any that have a known driver conflict that needs to be remediated before the vCenter Server upgrade will complete. This precheck runs early in the upgrade process. If the pre-check fails, host remediation will be required prior to restarting the vCenter Server upgrade. Please see KB86447 for full details on the two ESXi host remediation options. You can upgrade ESXi hosts that you manage with either baselines or a single image, by using the ESXi ISO image with an upgrade baseline or a base image of 7.0 Update 3c respectively. Do not use patch baselines based on the rollup bulletin.
- The upgrade pre-check may fail if the ESXi 7.0 U2c/U2d hosts exist in a vSphere Lifecycle Manager (vLCM) image-enabled cluster.
- Note: 7.0 Update 2 or any earlier version are not subject to this driver conflict. The upgrade should commence as normal. The upgrade order remains the same (vCenter Server first, followed by ESXi hosts).
VMware’s response to the Apache Log4J vulnerability – On 12/10/21, the Apache Log4J project disclosed a zero-day vulnerability in CVE-2021-44228.
- VMware Security Advisory VMSA-2021-0028 was published to document the impact to VMware Products. This is an on-going event – please check back at this URL for updates as the develop
- Many VMware products have been patched. vCenter 6.5 and 6.7 patches should be available soon.
- If you operate VMware Horizon – please review the additional guidance on VMware Horizon on LOG4J from the VMware Security Engineering team.
Booting ESXi hosts from SD-Cards
KB 83376 – discusses the issues that can arise when the SD card boot device has exhausted its write capability. This KB also describes a work around VMware has developed to allow low endurance SD Cards to work with vSphere 7 Update 2. It involves a manual one-time config change which moves certain highly accessed files to a RAM Disk. vSphere 7.0 U3 automated this process.
While this should help with vSphere 7.x, I am not sure what the future holds for SD Cards as ESX boot devices. If I had to guess, I would imagine that the I/O requirements will increase over time as ESX continues to evolve.
It is advisable to consider adding higher performance/endurance boot devices into a future budget or into your next hardware refresh plan.