Unless you’ve been living under a rock the past couple days, you’ve likely been seeing many articles regarding CVE-2021-44228 which describes a remote code execution vulnerability within Apache Log4j. Apache Log4j is a Java-based logging utility used by many applications across the world, and as such, this vulnerability is a huge issue due to how easy it is to exploit as well as the sheer number of vulnerable devices. Like most companies with Java based applications, many of VMware’s products utilize Log4j to provide application logging capabilities.
I just wanted to provide a quick post to bring attention to the latest VMware Security advisory VMSA-2020-0009. The products affected include: vRealize Operations 7.5.0 vRealize Operations 8.0.x vRealize Operations 8.1.0 If you utilize the vRealize Operations Application Remote Collector (ARC) appliance to monitor operating systems or applications via the Telegraf agents, you should immediately implement the workaround documented in VMware KB79031. While two vulnerabilities were announced, both relating to Salt, an open-source project by SaltStack, the authentication bypass vulnerability (CVE-2020-11651) received a CVSSv3 base score of 10.
On April 23, 2020, the Defense Information Systems Agency (DISA) has made available the third update to VMware vSphere 6.5 STIGs originally released in 2019. VMware vSphere 6.5 STIG Version 1, Release 4 includes minor updates to both the ESXi and the vCenter Server STIGs. Per the revision history provided in the updated STIG download, the following changes were made: VMware vSphere 6.5 ESXi STIG V-100543 – Reinstated requirement The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
With the new 64-core AMD EPYC processors available and the 56-core Intel Xeon on the horizon, it was bound to happen… On February 3, 2020, VMware announced that effective April 2, 2020, all per-CPU licensed products will be limited to 32 physical cores per CPU license. This change means that those shiny new 64-core processors will require the purchase of 2 CPU licenses for each processor going forward. This change affects all per-CPU licensed products, including vSphere, vSAN, NSX, and Enterprise PKS, to name a few.
I have been using vRealize Operations to monitor the compliance of virtual machines against the DISA VMware vSphere Virtual Machine STIG for quite some time now. With the release of the new VMware vSphere 6.5 Virtual Machine STIG, I have discovered that vRealize Operations does not collect all the necessary information out of the box to verify compliance with the new STIG rules. Rather than waiting for VMware to provide an update to vRealize Operations, I decided to utilize vRealize Orchestrator to add custom properties to the virtual machines in vRealize Operations using the vRealize Operations REST API.