VMware vRealize Operations 8.6.1 is Now Available

Reading time: 4 minutes

vRealize Operations has received its latest update on December 7, 2021. vRealize Operations 8.6.1 is a maintenance release which resolves several important security, performance, stability, and functionality issues identified in the product.

Issues Resolved

The following issues have been resolved as of vRealize Operations 8.6.1:

  • vRealize Operations firstboot doesn’t complete successfully after deployment.
  • Agent stopped automatically post content update for applications having jolokia2 plugin.
  • Moved the running Custom Script feature using Telegraf to ADV license.
  • MP doesn’t appear in Installed Integrations section, after activation process appears to be completed.
  • C:\VMware\UCP\salt\nssm.exe - Access is denied issue during content upgrade.
  • Alerts: Selected recommendations are not shown in “Polices” tab.
  • Cloud Proxy: /storage/log usage is 100% because of haproxy-traffic.log.
  • vRealize Operations 8.6 MTD cost for VM showing negative.
  • vRealize Automation adapter instance is going into the down state, when there is at least 1 VC instance added in integration, with realTime monitoring option.
  • vRealize Network Insight MP collects VMs partly with VC read-only user.
  • Delete old snapshots job does not delete all snapshots older than specified days in case the VM has multiple snapshots with different ages.
  • vRealize Log Insight and vRealize Automation Management Packs are no longer are activated by default.
  • Analytics service restarts on “to be alive” FD nodes in CA enabled cluster while happening split brain between fault domains.
  • ERROR - Failed running upgrade: ‘str’ object has no attribute ‘status’.
  • Change API request/response and Swagger defaults to JSON.
  • Configuration of custom-script via rest-api call is failing if there is configured, at least, one custom script instance.
  • Dashboard configuration getting Stuck or not Completed while Importing Dashboard or Changing the Ownership of Dashboard. Dashboards not populating data, showing hourglass on widgets and cannot be edited.
  • GET /internal/optimization/{id}/reclaim does not return the reclaimable resources, instead brings them as excluded.

Third Party Vulnerabilities Resolved

The following CVEs have been resolved as of vRealize Operations 8.6.1:

  • CVE-2021-39275 - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
  • CVE-2021-25741 - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
  • CVE-2019-9946 - Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. 
  • CVE-2019-11248 - The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet’s healthz port.
  • CVE-2021-25741 - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
  • CVE-2021-43057 - An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a.
  • CVE-2021-41864 - prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.
  • CVE-2021-42252 - An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6.
  • CVE-2019-19449 - In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).
  • CVE-2021-38300 - arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context.
  • CVE-2021-40490 - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.
  • CVE-2021-41617 - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected.
  • CVE-2021-31607 - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion.
  • CVE-2021-42340 - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. 
  • CVE-2021-3796 - vim is vulnerable to Use After Free
  • CVE-2021-40690 - All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the “secureValidation” property is not passed correctly when creating a KeyInfo from a KeyInfoReference element.

Additional Information

Additional information regarding this release of vRealize Operations can be found at the following links:

See Also


Get Notified of Future Posts

Follow Me

LinkedIn Icon
Twitter/X Icon
Threads Icon
RSS Icon

Recent Posts