vToolbelt – March 2022
Welcome to March, everyone! For those of us in the Midwestern US, this is the moment we start looking forward to nice weather! It’s also a time when all VMware products have LOG4J patches available. VMworld’s call for papers will be coming soon and there is generally a need and a feeling for a fresh start!
- LOG4J – All VMware products affected have patches available. Review the information below for details.
Product Support Watch
Horizon View / Workspace ONE
- Dynamic Environment Manager 9.9 – 3/17/22
- Dynamic Environment Manager 9.11 – 3/17/22
- Dynamic Environment Manager 10/2006 – 8/11/22
- App Volumes 4 – 7/9/22
- Horizon 7.10 ESB – 3/17/22
- Identity Manager 3.3.3 – 5/11/22
- Identity Manager 3.3.4 – 8/4/22
- Workspace ONE UEM Console 2008 – 3/15/22
- Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
- Workspace ONE UEM Console 2011 – 7/15/22
- Workspace ONE Access 20.10 – 5/2/22
- vRealize Automation 7.6 – 9/1/22
- vRealize Operations 8.1.1 – 7/9/22
Notes from the Field
The VMware Communities forum has been redesigned to provide a better experience. Check it out today at communities.vmware.com.
New version of RVTools is available – If you have never used this free tool, you should check it out. It can be used to gather a quick inventory of your environment with some very good detail. It also provides a quick health check tab that calls out information such as long-running snapshots and VMs that were removed from inventory but not from disk. The 20 minutes it would take for you to use this tool (from download to run to review) could save you quite a bit of time and help tidy up your environment.
If you haven’t mitigated your VMware Horizon environment for LOG4J yet – check out this TAM Lab Video which covers remediating your Horizon environment against LOG4J.
- Check out this review of the vRealize Operations Architecture from vBrownBag
- There are a few new VMware Flings on VMware Horizon to check out. You might like to monitor your UAG in better detail, or have better troubleshooting for Horizon at your fingertips
- Would you like to use PowerCLI to get information from Horizon View but don’t know where to start? Check out these script samples
- If you have an internal Certificate Authority, you can replace the self-signed certificates in vSphere
- If you are curious about DevOps but aren’t sure what the fuss is about, check out this DevOps101 talk with Emily Freeman (@EditingEmily)
- ESXi 7.0U3, U3a, and U3b were removed
- vCenter version U3b was also removed from all repositories
- For additional details on this topic, please see KB86398
To replace these releases, on January 27th at 7:30pm PST VMware released vSphere 7.0 U3c. Among other updates, two major components included in this release are:
- Remediation for the Apache log4j vulnerabilities – updates log4j modules to version 2.17
- Final Resolution for the vSphere 7.0 Update 3 critical issues documented in KB86281
There are some important changes to the upgrade process for vSphere 7.0U3c. The release notes cover this in detail. The highlights:
- Customers should run the “standalone” pre-check validation script detailed in KB87258 in advance to determine which hosts will be impacted. It can be run before the vCenter Server upgrade, so that you know the risk and can remediate before scheduling the vCenter Server upgrade window.
- Upgrading to vCenter Server 7.0U3c now requires an additional pre-check to evaluate every ESXi host in the vCenter inventory for any that have a known driver conflict that needs to be remediated before the vCenter Server upgrade will complete. This precheck runs early in the upgrade process. If the pre-check fails, host remediation will be required prior to restarting the vCenter Server upgrade. Please see KB86447 for full details on the two ESXi host remediation options. You can upgrade ESXi hosts that you manage with either baselines or a single image, by using the ESXi ISO image with an upgrade baseline or a base image of 7.0 Update 3c respectively. Do not use patch baselines based on the rollup bulletin.
- The upgrade pre-check may fail if ESXi 7.0 U2c/U2d hosts exist in a vSphere Lifecycle Manager (vLCM) image-enabled cluster.
- Note: 7.0 Update 2 and earlier versions are not subject to this driver conflict. The upgrade should commence as normal. The upgrade order remains the same (vCenter Server first, followed by ESXi hosts).
VMware’s response to the Apache Log4J vulnerability – On 12/10/21, the Apache Log4J project disclosed a zero-day vulnerability, CVE-2021-44228.
- VMware Security Advisory VMSA-2021-0028 was published to document the impact to VMware products. This is an ongoing event – please check back at this URL for updates as they develop.
- All VMware products have been patched. The security advisory link above contains information on the patched versions.
- If you operate VMware Horizon – please review the additional guidance on VMware Horizon on LOG4J from the VMware Security Engineering team.
Booting ESX hosts from SD-Cards
A TAM Customer webinar in December 2021 covered this extensively. If you were unable to attend the webinar live, you can watch the recording.
KB 83376 discusses the issues that can arise when the SD card boot device has exhausted its write capability. This KB also describes a workaround VMware has developed to allow low-endurance SD cards to work with vSphere 7 Update 2. It involves a manual one-time config change which moves certain highly accessed files to a RAM disk. vSphere 7.0 U3 automated this process.
While this should help with vSphere 7.x, I am not sure what the future holds for SD Cards as ESX boot devices. If I had to guess, I would imagine that the I/O requirements will increase over time as ESX continues to evolve.
It is advisable to consider adding higher performance/endurance boot devices into a future budget or into your next hardware refresh plan.