VMSA-2022-0007 – VMware Tools vulnerability

VMware have published a new security advisory, VMSA-2022-0007, for VMware Tools for Windows. It affects the 10.x and 11.x releases of the Tools. The vulnerability allows a user who already holds local administrator rights in the guest OS to obtain SYSTEM privileges. Because local admin is a precondition, this is an admin-to-SYSTEM hop inside the guest rather than a remote or unprivileged escalation, and it does not cross the guest boundary.

The fixed version is 12.0.0. Although that is a major version jump, the release notes do not show any major breaking changes, and Windows is still supported as far back as 7 SP1 and Server 2008 R2 SP1.
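A quick way to find out whether a guest or a fleet is still on an affected Tools release. This is an added example and not part of the advisory or the post; the install path of vmtoolsd.exe is the default one and is an assumption, as is the shape of the version string that PowerCLI reports in Guest.ToolsVersion.

```powershell
# Added example: compare the installed VMware Tools version with the fixed version from VMSA-2022-0007.
$FixedVersion = [version]'12.0.0'

function Get-VMwareToolsVersion {
    # vmtoolsd.exe carries the Tools version in its file metadata.
    # Assumption: default install location; adjust if Tools was installed elsewhere.
    $exe = Join-Path $env:ProgramFiles 'VMware\VMware Tools\vmtoolsd.exe'
    if (-not (Test-Path $exe)) { return $null }
    $raw = (Get-Item $exe).VersionInfo.ProductVersion
    # ProductVersion may carry a build suffix (12.0.0.12345678); keep major.minor.patch only.
    if ($raw -match '^(\d+)\.(\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    }
    return $null
}

# In-guest check
$installed = Get-VMwareToolsVersion
if ($null -eq $installed) {
    Write-Output 'VMware Tools not found on this guest'
} elseif ($installed -lt $FixedVersion) {
    Write-Output "VMware Tools $installed is affected by VMSA-2022-0007; update to $FixedVersion or later"
} else {
    Write-Output "VMware Tools $installed is at or above $FixedVersion"
}

# Fleet check from PowerCLI (assumes Connect-VIServer has already been run).
# Guest.ToolsVersion is empty when the VM is powered off or Tools is not installed,
# so those VMs are skipped here and need a separate look.
Get-VM |
    Where-Object { $_.Guest.OSFullName -like '*Windows*' } |
    Select-Object Name, @{ N = 'ToolsVersion'; E = { $_.Guest.ToolsVersion } } |
    Where-Object {
        $_.ToolsVersion -match '^\d+\.\d+' -and ([version]$_.ToolsVersion -lt $FixedVersion)
    }
```

The in-guest half runs on the VM itself; the PowerCLI half lists the Windows VMs that still report a Tools version below 12.0.0 so they can be scheduled for an update.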

PowerShell Quality of Life Improvements – Code Testing

PowerShell has been around for 15 years now. One of the changes in the IT industry over that time has been the rise of DevOps and the tools and technology that come with it. The process of creating and consuming PowerShell scripts maps onto the major stages of software delivery: test, build, release. By applying the methods associated with each stage, we can improve the quality of the PowerShell code we deliver.

Why Do Code Testing?

Code testing covers a broad spectrum of activities. At the most basic end is syntax checking or a "linter" that performs static analysis of the code. At the more involved end are unit tests. For this example I'll be using a linter, PSScriptAnalyzer. Running it over our code tells us whether the code meets minimum quality requirements. PSScriptAnalyzer ships with an array of built-in rules and can be extended with your own. Several of the built-in rules are security checks rather than style checks, for example flagging plaintext password parameters or the use of Invoke-Expression, so a linting stage also catches a class of mistakes that tends to reach production otherwise.

Creating The Code Test Pipeline

The first step is to create a pipeline that performs the code testing. In my case I'm using Azure DevOps, but a similar approach works with GitHub. The pipeline itself is relatively simple, with two tasks. The first installs the PSScriptAnalyzer module, as it's not installed by default on the hosted Azure DevOps agents. The second runs the analysis. The pipeline code is shown below:

Read more
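The two pipeline tasks described above, collapsed into a single script that an Azure DevOps pwsh step can run. This is an added example and not the post's own pipeline; the scratch directory and the Deploy.ps1 sample it analyses are constructed here so the script runs anywhere, and in a real pipeline -Path would point at the repository checkout instead.

```powershell
# Added example: PSScriptAnalyzer as a build gate (not the original post's pipeline code).

# Task 1: PSScriptAnalyzer is not present on hosted agents, so install it for the current user.
if (-not (Get-Module -ListAvailable -Name PSScriptAnalyzer)) {
    Install-Module -Name PSScriptAnalyzer -Scope CurrentUser -Force -Repository PSGallery
}
Import-Module PSScriptAnalyzer

# Constructed sample script containing findings the built-in rules catch.
# Replace $target with $env:BUILD_SOURCESDIRECTORY (or the checkout path) in a real pipeline.
$target = Join-Path ([IO.Path]::GetTempPath()) 'psa-demo'
New-Item -ItemType Directory -Path $target -Force | Out-Null
@'
param(
    [string]$Server,
    [string]$Password          # PSAvoidUsingPlainTextForPassword
)
$cmd = "Get-Service -ComputerName $Server"
Invoke-Expression $cmd         # PSAvoidUsingInvokeExpression
Write-Host "done"              # PSAvoidUsingWriteHost
'@ | Set-Content -Path (Join-Path $target 'Deploy.ps1')

# Task 2: run the analysis. Warning and Error findings fail the build; Information does not.
$results = @(Invoke-ScriptAnalyzer -Path $target -Recurse -Severity Warning, Error)

$results |
    Sort-Object Severity, ScriptName, Line |
    Format-Table ScriptName, Line, Severity, RuleName, Message -AutoSize -Wrap

# Azure DevOps logging commands turn each finding into an annotated issue on the run;
# outside Azure DevOps these lines are just printed.
foreach ($r in $results) {
    $kind = if ($r.Severity -eq 'Error') { 'error' } else { 'warning' }
    Write-Host "##vso[task.logissue type=$kind;sourcepath=$($r.ScriptPath);linenumber=$($r.Line)]$($r.RuleName): $($r.Message)"
}

if ($results.Count -gt 0) {
    Write-Host "##vso[task.complete result=Failed]$($results.Count) PSScriptAnalyzer finding(s)"
    exit 1
}
Write-Host 'No PSScriptAnalyzer findings at Warning or Error severity'
```

In a YAML pipeline the install and the analysis would be two separate pwsh steps; they are kept in one file here so the same script can be run on a workstation before pushing. Invoke-ScriptAnalyzer also has an -EnableExit switch that exits with the number of findings, which is a shorter way to fail the task if the annotated issues are not needed.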

vRealize Automation 8.6.2

Normally I wouldn't write about a minor release, but in this case I think it's worth mentioning. On 18th January, VMware released version 8.6.2 of vRealize Automation. The big item in this release is that Log4j has been updated to resolve some of the vulnerabilities that have been discovered in it.

Log4j Updated to 2.17

Starting in December 2021, a number of vulnerabilities were discovered in the Log4j logging library, which is embedded in a great many other products to provide logging. The first vulnerability, dubbed "Log4Shell", was given a CVSS score of 10 and the CVE ID CVE-2021-44228. As per the Release Notes, this is one of the CVEs that 8.6.2 resolves.

The second vulnerability mentioned in the Release Notes is CVE-2021-45046. Like the first, it can be exploited remotely and was considered quite severe. Two further vulnerabilities have since been discovered; however, according to VMware, they can't be exploited on its products.

Resource Center

One key interface change is that the Deployments tab is now called Resources. The intent appears to be a consolidated view of all resources with Day 2 actions integrated into it. There's also the ability to quickly create a simple VM from this area without needing a Cloud Template. How useful that turns out to be is up for debate.

Final Thoughts

As with a lot of the updates over 2021, this one adds a few nice improvements. The official fix for Log4j is reason enough on its own to move to this version.