2020
VMSA-2020-0009: vRealize Operations Authentication Bypass and Directory Traversal Vulnerabilities
Reading time: 2 minutes
I just wanted to provide a quick post to bring attention to the latest VMware Security advisory VMSA-2020-0009. The products affected include:
vRealize Operations 7.5.0
vRealize Operations 8.0.x
vRealize Operations 8.1.0
If you utilize the vRealize Operations Application Remote Collector (ARC) appliance to monitor operating systems or applications via the Telegraf agents, you should immediately implement the workaround documented in VMware KB79031.
While two vulnerabilities were announced, both relating to Salt, an open-source project by SaltStack, the authentication bypass vulnerability (CVE-2020-11651) received a CVSSv3 base score of 10.
Monitoring Devices Using SNMP in vRealize Operations 8.1
Reading time: 15 minutes
VMware’s vRealize Operations is an excellent monitoring, analytics, and self-driving IT operations platform that supports numerous applications and infrastructure systems out of the box. Management packs are available from both VMware and third parties to extend these out-of-the-box capabilities to a wide variety of additional applications and infrastructure systems. Unfortunately, management packs aren’t available for every hardware device that you might need to monitor. In these situations, monitoring via SNMP might be your only choice.
DISA Releases Updated VMware vSphere 6.5 STIGs – Version 1, Release 4
Reading time: 2 minutes
On April 23, 2020, the Defense Information Systems Agency (DISA) made available the third update to the VMware vSphere 6.5 STIGs originally released in 2019. VMware vSphere 6.5 STIG Version 1, Release 4 includes minor updates to both the ESXi and the vCenter Server STIGs.
Per the revision history provided in the updated STIG download, the following changes were made:
VMware vSphere 6.5 ESXi STIG
V-100543 – Reinstated requirement: The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
VMware vRealize Automation 8.0.1 – Hotfix 3 Released
Reading time: 2 minutes
It seems like it was just a few days ago that I was posting that vRealize Automation 8.0.1 Hotfix 2 was available. In reality, it was precisely 15 days ago. Nevertheless, on April 16, 2020, VMware released the third hotfix for vRealize Automation 8.0.1. Hotfix 3 (20 days after Hotfix 2) includes seven fixes for Provisioning, the Service Broker, and vRealize CodeStream.
The hotfix can be installed using vRealize Suite Lifecycle Manager 8.
Getting Started with vSphere 7.0 Lifecycle Manager
Reading time: 9 minutes
In the early days of VMware ESX and VirtualCenter Server (now called vCenter Server), patching and upgrading ESX hosts was a manual and challenging task that required a significant amount of time from a virtual administrator to complete. This process included manually staging patch files as well as executing install and reboot commands on each ESX host. To simplify virtual infrastructure management, in 2007, VMware introduced a new feature with VMware VirtualCenter Server 2.