VMware vRealize Operations 8.6.1 is Now Available

vRealize Operations received its latest update on December 7, 2021. vRealize Operations 8.6.1 is a maintenance release that resolves several important security, performance, stability, and functionality issues identified in the product.

Issues Resolved

The following issues have been resolved as of vRealize Operations 8.6.1:

  • vRealize Operations firstboot doesn’t complete successfully after deployment.
  • Agent stopped automatically post content update for applications having jolokia2 plugin.
  • Moved the running Custom Script feature using Telegraf to ADV license.
  • MP doesn’t appear in Installed Integrations section, after activation process appears to be completed.
  • C:\VMware\UCP\salt\nssm.exe - Access is denied issue during content upgrade.
  • Alerts: Selected recommendations are not shown in the “Policies” tab.
  • Cloud Proxy: /storage/log usage is 100% because of haproxy-traffic.log.
  • vRealize Operations 8.6 MTD cost for VM showing negative.
  • vRealize Automation adapter instance is going into the down state, when there is at least 1 VC instance added in integration, with realTime monitoring option.
  • vRealize Network Insight MP collects VMs partly with VC read-only user.
  • Delete old snapshots job does not delete all snapshots older than specified days in case the VM has multiple snapshots with different ages.
  • vRealize Log Insight and vRealize Automation Management Packs are no longer activated by default.
  • Analytics service restarts on “to be alive” FD nodes in a CA-enabled cluster when a split brain occurs between fault domains.
  • ERROR - Failed running upgrade: ‘str’ object has no attribute ‘status’.
  • Change API request/response and Swagger defaults to JSON.
  • Configuration of custom-script via a REST API call fails if at least one custom script instance is already configured.
  • Dashboard configuration gets stuck or does not complete while importing a dashboard or changing the ownership of a dashboard. Dashboards do not populate data, show an hourglass on widgets, and cannot be edited.
  • GET /internal/optimization/{id}/reclaim does not return the reclaimable resources, instead brings them as excluded.

Third Party Vulnerabilities Resolved

The following CVEs have been resolved as of vRealize Operations 8.6.1:

  • CVE-2021-39275 - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
  • CVE-2021-25741 - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
  • CVE-2019-9946 - Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. 
  • CVE-2019-11248 - The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet’s healthz port.
  • CVE-2021-43057 - An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a.
  • CVE-2021-41864 - prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.
  • CVE-2021-42252 - An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6.
  • CVE-2019-19449 - In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).
  • CVE-2021-38300 - arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context.
  • CVE-2021-40490 - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.
  • CVE-2021-41617 - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected.
  • CVE-2021-31607 - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion.
  • CVE-2021-42340 - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. 
  • CVE-2021-3796 - vim is vulnerable to Use After Free.
  • CVE-2021-40690 - All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the “secureValidation” property is not passed correctly when creating a KeyInfo from a KeyInfoReference element.

Additional Information

Additional information regarding this release of vRealize Operations can be found at the following links:
