
VMware

VMSA-2022-0007 – VMware Tools vulnerability

VMware has published a new security advisory, VMSA-2022-0007, relating to VMware Tools for Windows. It affects the 10.x and 11.x releases of the Tools. The vulnerability allows a user who already has local administrator rights in the guest OS to escalate to SYSTEM privileges. This is a privilege escalation inside the guest rather than a guest-to-host escape, but it still matters anywhere guest Administrator and SYSTEM are treated as different trust levels (for example where security agents or tamper protection run as SYSTEM).

The version with the fix for this vulnerability is 12.0.0. While this is a major version jump, the release notes don’t list any major breaking changes, and it still supports Windows as far back as 7 SP1 / Server 2008 R2 SP1.
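As an added example (not code from the original post or from VMware), the following PowerCLI snippet produces the list a practitioner actually wants from this advisory: every Windows guest in the connected vCenter whose VMware Tools is still below 12.0.0. It assumes VMware PowerCLI is installed and that you have already run Connect-VIServer against the vCenter to audit; the output file name is an assumption too.

```powershell
# Added example, not part of the original post. Assumes PowerCLI is installed
# and Connect-VIServer has already been run against the target vCenter.
# Lists Windows guests whose VMware Tools is older than the 12.0.0 fix
# for VMSA-2022-0007, and separately flags VMs where the version is unknown
# so they are not silently skipped.

$FixedVersion = [version]'12.0.0'

$report = foreach ($vm in Get-VM) {
    $guestInfo = $vm.ExtensionData.Guest
    $config    = $vm.ExtensionData.Config

    # GuestFamily is only populated while Tools has reported in; for powered-off
    # VMs fall back to the configured guest ID (e.g. "windows2019srv_64Guest").
    $isWindows = ($guestInfo.GuestFamily -eq 'windowsGuest') -or
                 (-not $guestInfo.GuestFamily -and $config.GuestId -like 'windows*')
    if (-not $isWindows) { continue }

    # Guest.ToolsVersion is a dotted string such as "11.3.5" when Tools is
    # installed and has reported; it is empty when Tools is missing or the VM
    # has never powered on with Tools running.
    $parsed = $null
    $hasVersion = [version]::TryParse([string]$vm.Guest.ToolsVersion, [ref]$parsed)

    $status = if (-not $hasVersion) { 'CheckManually' }
              elseif ($parsed -lt $FixedVersion) { 'Vulnerable' }
              else { 'Fixed' }

    [pscustomobject]@{
        VM           = $vm.Name
        PowerState   = $vm.PowerState
        GuestOS      = if ($guestInfo.GuestFullName) { $guestInfo.GuestFullName } else { $config.GuestFullName }
        ToolsVersion = if ($hasVersion) { $parsed.ToString() } else { '(unknown)' }
        Status       = $status
    }
}

$report | Sort-Object Status, VM | Format-Table -AutoSize

# Anything not already fixed goes into a CSV for the change ticket
# (file name is an assumption; adjust to taste).
$report |
    Where-Object { $_.Status -ne 'Fixed' } |
    Export-Csv -NoTypeInformation -Path .\vmtools-vmsa-2022-0007.csv
```

The "CheckManually" rows are the ones to chase first: a VM with no reported Tools version is either unmanaged or has not reported in, and either way you cannot assume it is safe. Rerunning the script after the Tools rollout gives you the evidence that every in-scope guest is at 12.0.0 or later.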

vExpert 2022

VMware once again requested applicants for their vExpert program. I was fortunate enough to be accepted again.


VMSA-2021-0020 – 19 vulnerabilities on vCenter

VMware published a new security advisory overnight (VMSA-2021-0020) and it’s a big one. In total, it lists 19 vulnerabilities affecting multiple versions of vCenter. The most serious of them is the first one, CVE-2021-22005. This vulnerability allows an attacker to upload arbitrary files to vCenter, which can then be used as an avenue to execute code on the appliance. It needs nothing more than network access to vCenter, with no credentials required, and it has been given a CVSS score of 9.8.

The second most worrying item on the list (CVE-2021-21991) allows an attacker to escalate their privileges to Administrator level in the vSphere web interface. This vulnerability has been scored at 8.8.

The resolution for all of these vulnerabilities is to update vCenter to the appropriate version. The advisory lists these, and I’ve produced a condensed version below.

Product/Version | Update To | Notes
vCenter 7.0     | 7.0 U2d   | The majority of issues are fixed by going to U2c. U2d additionally resolves CVE-2021-22011 and CVE-2021-22018.
vCenter 6.7     | 6.7 U3o   | This version resolves all the issues listed for 6.7.
vCenter 6.5     | 6.5 U3q   | This version resolves all the issues listed for 6.5.

Given the nature of some of these vulnerabilities, and CVE-2021-22005 in particular, this would be one to get onto ASAP. If the update can’t be applied immediately, at the very least make sure vCenter’s management interface is not reachable from anywhere it doesn’t need to be until it is.

I’m a vExpert!

In June this year, VMware opened applications for their vExpert program. For those not familiar with it, it’s VMware’s “global evangelism and advocacy program”. A key part of it is giving back to the community. This can be via blog posts, helping people on VMware’s forums, participating in VMware user groups and so on. I threw my hat into the ring for it, without any real expectations.

Anyone who has worked with VMware products for any amount of time has ended up relying on the output created by people who are vExperts. I know I have. When viewing the list of people in the vExpert Directory, there were a lot of blog URLs that I recognised.

So when I got the email this week saying I was one of the lucky ones, it was a pleasant surprise. It’s an honor to be recognised by VMware for this. Congratulations to everyone else who got their vExpert awards this year.

vCloud Air Test Experience

vCloud Air is VMware’s public cloud offering, similar to Amazon’s AWS or Microsoft’s Azure. The key distinction between vCloud Air and those other offerings is that vCloud Air is built on VMware’s own products, such as vSphere.

The VMware User Group (VMUG) recently added free credits for vCloud Air OnDemand as part of its EVALExperience program. As the name suggests, vCloud Air OnDemand is a pay-as-you-go service. I looked at this service offering as a server engineer with a reasonable background in VMware, considering aspects such as the ease of basic tasks, general administration, technical considerations for the business (good and bad) and how it compares to other offerings.