VMware vCenter vulnerability

Read about this in the Veeam forum email I get. Here's the blurb. Stuck between a rock and a hard place with this one. Running Update 3 and not seeing any problems, but people are.

"Unfortunately for VMware, public disclosure of a major security issue was already made along with Update 3 release, which supposedly fixes this hole. This puts vSphere 5.5 users in a tricky situation – neither they can stay on Update 2 (because of security vulnerability), nor they can update to Update 3 (because of KB2133118), nor they can upgrade to vSphere 6 (because of KB2124669). This makes it a pretty unique situation when there is simply NO usable VMware ESXi build of the latest versions available."
 
Maybe I'm missing something, but if the security vulnerability is affecting vCenter then upgrade to 5.5U3 to fix it.
KB2133118 is related to the host version so don't upgrade your hosts to ESXi 5.5U3 until they patch it?
 
What winds me up is that VMware hasn't withdrawn ESXi 5.5 U3, so VUM still presents it, which could trip many people up.
 
Cheers for the post,
I was literally at the install screen for ESXi 5.5U3 when I spotted this. I'm updating our last host from 5.1 and thought I may as well go with the latest version now that an HP image exists for it...

I also found this story on el reg - which sums it all up quite nicely.
 
We've just downgraded a cluster from 6.0 U1 to 5.5 U3 because of major disk performance issues - although the hosts are running a massive SQL Always On cluster hosting ERP databases on SSD.

Not seen the snapshot commit bug yet and we look after a few clusters with 5.5 U3 so I'm not sure how prevalent it is.

Another one to watch out for is 6.0 U1 disables SSL v3 and stops Veeam taking backups - http://www.veeam.com/kb2063.
 
Is there any documentation you could point me to with regards to the downgrade? Thinking of upgrading our 5.5 infra to 6 in the next 3-4 months, and we have Tier 1 SQL Servers, so would be keen to know. Thanks!
 
There's no documentation, we've had to figure this one out ourselves.

The problem we had was that during big I/O on the VM the server would become almost unresponsive. It wouldn't crash completely, but for example the login screen would take like 10 minutes to accept a username and password and 10 minutes to start the login process. No matter how long you left it after the big I/O SQL job finished it would never recover, it would stay in the semi responsive state for a few days.

We had MS support looking at it from a SQL perspective and they ran lots of diagnostics which showed the disk performance basically slowed to a crawl and never recovered. HP looked at it as it was their hardware and they couldn't see anything wrong. As a last ditch attempt to fix it, we installed ESX 5.5 on the hosts and ran the VMs and the problem has disappeared - we've run a week's worth of testing now and it hasn't missed a beat. We spun up an identical host with 6.0, loaded the VM and we can recreate the problem every time doing a checkdb job.

We'll be doing a lot more testing because we can't put the kit into production until the new year now.
 
I have a task to update all our 5.1 hosts, the Boss wants 6.0 but I don't see the point as we don't use any of the features.

We have a 5.5U2 vCenter, so I'd rather just jump to 5.5 as then I can keep the vCenter. The big question is will we be happy with 5.5 for the next 3 years.
 
The bigger question is why would you still be on 5.5 in three years time?
 
6.0 every day of the week. You can confidently use the vCenter appliance in production (was not the case before), the 6.0 web client is 100x quicker than previous versions.
 
If you are using the v6 vCenter appliance make sure you put the A record in DNS and that you can get a forward and reverse lookup from the VM at the point you deploy it, or use the IP address in the FQDN field and ignore the warning.

Otherwise it won't start and you have to go through the deployment process again and delete the VM manually!
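
The forward and reverse lookup check described in the post above, as an added example that is not part of the original thread. It assumes it is run from a machine using the same DNS servers the appliance will use; the function names and the resolver parameters are hypothetical and exist only for this sketch.

```python
import socket

def forward_lookup(fqdn):
    """Return the set of IPv4 addresses the A record(s) for fqdn resolve to."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def reverse_lookup(ip):
    """Return the PTR name(s) for ip (primary name plus aliases)."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return {name, *aliases}

def normalise(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()

def check_dns(fqdn, expected_ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means A and PTR records agree."""
    problems = []
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if expected_ip not in addrs:
        problems.append(f"{fqdn} resolves to {sorted(addrs)}, not {expected_ip}")
    try:
        names = {normalise(n) for n in reverse(expected_ip)}
    except OSError as exc:  # socket.herror is a subclass of OSError
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
        return problems
    if normalise(fqdn) not in names:
        problems.append(f"{expected_ip} points back to {sorted(names)}, not {fqdn}")
    return problems

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_dns.py <appliance-fqdn> <appliance-ip>")
    issues = check_dns(sys.argv[1], sys.argv[2])
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

A zero exit status means the A record and the PTR record agree for the name and address you plan to enter in the deployment wizard.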
 
I never do upgrades. Instead, I do clean installs and bring the hosts over (bringing the VMs with them), then fresh reinstall of the hosts (a few at a time).
 
I moved to 5.5 relatively early on after release and there were quite a few issues with it, leading to purple screens due to using e1000 virtual NICs. Due to this I now think it's better to wait until after releases have been out for a while before moving to it.

I used Update Manager to go from ESX host 5.1 to 5.5, super easy and quick to do.

vCenter I always just build a new one and shut down the old one.

I'm glad I didn't move up to Update 3 of 5.5 so quickly considering this snapshot issue. None of the VMware hosts or vCenter is internet facing so didn't see the immediate urgency.

Have not gone to 6 yet at any clients, heard there are some big changes though so might do one host with update manager then leave it on that for a few weeks before doing the other ones.
 