VMSA-2022-0007 – VMware Tools vulnerability

VMware have published a new security advisory relating to VMware Tools for Windows. It affects v10 and 11 of the Tools. The vulnerability allows a user with local admin rights in the guest OS to acquire system privileges.

The version with the fix for this vulnerability is 12.0.0. While this is a major version jump, from the release notes there doesn’t appear to be any major breaking changes. It still supports Windows as far back as 7 SP1/2008 R2 SP1.

vRealize Automation 8.6.2

Normally I wouldn’t write about a minor release but in this case I think it’s worth mentioning. On 18th January, VMware released version 8.6.2 of vRealize Automation. The big item in this release is that log4j has been updated to resolve some of the vulnerabilities that have been discovered.

Log4J Updated to 2.17

Starting in December 2021, a number of vulernerabilities were discovered in the Log4J logging utility. Log4j is used in a lot of other products to allow easy logging functionality. The first vulnerability, dubbed “Log4Shell”, was given a CVSS score of 10. The CVE ID assigned was CVE-2021-44228. As per the Release Notes, this is one of the CVEs that 8.6.2 resolves.

The second vulnerability mentioned in the Release Notes is CVE-2021-45046. Like the first vulnerability, it can also be exploited remotely and was considered quite severe. There have been two further vulnerabilities that have been discovered, however according to VMware, they can’t be exploited on their products.

Resouce Center

One key interface change is the Deployments tab is now called Resources. It seems the intent here is to create a consolidated view of all resources and integrate day 2 actions. There’s also the ability to quickly create a simple VM in this area, without the need for a Cloud Template. How useful that ends up being is up for debate.

Final Thoughts

As with a lot of the updates over 2021, this one adds a few nice improvements. The official fix for Log4j is reason enough to get on this version.

VMSA-2021-0020 – 19 vulnerabilities on vCenter

VMware published a new security advisory overnight (VMSA-2021-0020) and it’s a big one. In total, it lists 19 vulnerabilities affecting multiple versions of vCenter. The most serious of the vulnerabilities is the first one – CVE-2021-22005. This vulnerability allows an attacker to upload files to vCenter. This vulnerability could then be used as an avenue to execute code. It’s been giving a CVSS score of 9.8

The second most worrying item on the list (CVE-2021-21991) allows an attacker to escalate their priveleges to Administrator level in the vSphere web interface. This vulnerability has been scored at 8.8.

The resolution for all these vulnerabilities is to update vCenter to the appropriate version. The advistory lists these, and I’ve produced a condensed version below.

Product/VersionUpdate ToNotes
vCenter 7.07.0 U2dThe majority of issues are fixed by going to U2c. U2d resolves CVE-2021-22011 and CVE-2021-22018
vCenter 6.76.7 U3oThis version will resolve all the associated issues with 6.7
vCenter 6.56.5 U3q This version will resolve all the associated issues with 6.5

Given the nature of some of these vulnerabilities, this would be one to get onto ASAP.

vRealize Automation 8.5 Released

A few days ago, VMware released an update for vRealize Automation (vRA). The list of improvements seems relatively minor this time, as detailed in the Release Notes. It seems the biggest change was mentioned in the blog announcement for this release, where vRA is moving to monthly releases. Since these updates are feature focused, that potentially means a more frequent update cycle for administrators. Hopefully this means the update process will become smoother going forward. From personal experience, it’s been a bit hit and miss.

vRealize Automation 8.4 Released

VMware have released another update to vRealize Automation (vRA) 8. Like 8.3, I had issues updating to this version using Lifecycle Manager. This is why I never got around to writing about the 8.3 release. I ended up doing a fresh installation of 8.4 to see what’s new and changed.

What’s New

Going through the Release Notes, it seems that this release is a set of incremental changes. There is a change to how the Access Token for the API functions, which could have an impact on those who are leveraging the REST API. As per the notes, there’s also been a lot of improvements to accessibility. It’s good to see VMware pushing ahead with this sort of initiative.

Read more

Remediating VMSA-2021-0002 – Potential Issues

In late February, VMware published their second security advisory for 2021. It contained contained three items:

  • CVE-2021-21972 – A remote code execution vulnerability in vCenter that has a CVSS score of 9.8
  • CVE-2021-21974 – A vulnerablity in OpenSLP, which is used in ESXi. This one has a CVSS score of 8.8
  • CVE-2021-21973 – Another vCenter vulnerability that was rated with a CVSS score of 5.3

Given the product versions affected, most organisations with relatively up to date virtualisation infrastructure would be at risk from these items. While testing and simulating the update process, I ran into some issues that might be worth publishing for a broader audience.

Read more

vRealize Automation 8 Pricing Cards

Pricing cards allows your vRA consumers make informed decisions on the costs of infrastructure they provision. The functionality is similar to what was available when vRealize Cloud for Business was integrated with vRA 7.

Enabling Pricing Cards

To enable Pricing Cards, a few prerequisites need to be undertaken. Firstly, the vRealize Operations appliance needs to be configured to use the same time zone as the vRealize Automation appliance. By default, both appliances will use UTC as their timezone setting. So as long as you haven’t changed anything on either, this is just a verification step. You also need to configure a currency in vROPS.

Read more

vRA 8 and phpIPAM

IP address management (IPAM) is one of those areas that suddenly becomes important when infrastructure automation is implemented. In the past, an IT team may have used an Excel spreadsheet for manually tracking address assignments. When the number of servers being provisioned increases due to automation, this manual approach isn’t viable anymore. An alternative could be to just allow dynamic addressing using DHCP but that raises its own issues (for example, some server-based applications insist on a static address).

There’s a lot of products out there that do IPAM. I’ve previously used the product from SolarWinds, in my home lab I use phpIPAM. In both situations, the use of the IPAM product was similar – a vRealize Orchestrator (vRO) Workflow would request an IP address during the provisioning of a virtual machine. A matching Workflow would execute when the virtual machine was decommissioned, signalling the IPAM system to release the IP address for reuse.

As part of the process in moving my home lab setup from vRA 7.x to 8.x, this is one of the functions I’d like to carry across.

Read more

Close Bitnami banner
Bitnami