Unless you’ve been living under a rock the past couple days, you’ve likely been seeing many articles regarding CVE-2021-44228 which describes a remote code execution vulnerability within Apache Log4j. Apache Log4j is a Java-based logging utility used by many applications across the world, and as such, this vulnerability is a huge issue due to how easy it is to exploit as well as the sheer number of vulnerable devices. Like most companies with Java based applications, many of VMware’s products utilize Log4j to provide application logging capabilities.
Almost exactly 3 years after vSphere 6.7 was released (April 17, 2018) and approximately 17 months prior to the end of General Support (October 15, 2022), the Defense Information Systems Agency (DISA) made available the first STIGs for VMware vSphere 6.7 on April 22, 2021. The STIGs can be downloaded from the Public DoD Cyber Exchange STIGs Document Library by searching for “VMware vSphere 6.7”. What’s New? Unlike the previous VMware vSphere 6.
On April 23, 2020, the Defense Information Systems Agency (DISA) has made available the third update to VMware vSphere 6.5 STIGs originally released in 2019. VMware vSphere 6.5 STIG Version 1, Release 4 includes minor updates to both the ESXi and the vCenter Server STIGs. Per the revision history provided in the updated STIG download, the following changes were made: VMware vSphere 6.5 ESXi STIG V-100543 – Reinstated requirement The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
In the early days of VMware ESX and VirtualCenter Server (now called vCenter Server), patching and upgrading ESX hosts was a manual and challenging task that required a significant amount of time from a virtual administrator to complete. This process included manually staging patch files as well as executing install and reboot commands to each ESX host. To simplify virtual infrastructure management, in 2007, VMware introduced a new feature with VMware VirtualCenter Server 2.
While attempting to upgrade my ESXi hosts to the latest vSphere 7.0 release, I ran into the following error on all of the hosts in my home lab: The upgrade has VIBs that are missing dependencies. Remove the VIBs or use Image Builder to create a custom upgrade ISO image that contains the missing dependencies, and try to upgrade again. While the error message gives you a pretty good idea of what might be causing the issue, for the life of me, I couldn’t think of what VIBs it could be referring to.