vToolbelt – March 2022

byArron King 03.01.2022 vToolBelt

Welcome to March everyone!  For those of us in the mid-western US, this is the moment we start looking forward to nice weather!  It’s also a time when all VMware products have LOG4J patchesavailable.  VMworld’s call for papers will be coming soon and there is generally a need and a feeling for a fresh start!

Hot topics

Product Support Watch

The following products are nearing the End of General Support.  You can find the full list on the VMware Lifecycle Product Matrix.

Horizon View / Workspace ONE

  • Dynamic Environment Manager 9.9 – 3/17/22
  • Dynamic Environment Manager 9.11 – 3/17/22
  • Dynamic Environment Manager 10/2006 – 8/11/22
  • App Volumes 4 – 7/9/22
  • Horizon 7.10 ESB – 3/17/22
  • Identity Manager 3.3.3 – 5/11/22
  • Identity Manager 3.3.4 – 8/4/22
  • Workspace ONE UEM Console 2008 – 3/15/22
  • Workspace ONE UEM Console 2010 (SaaS Only) – 4/14/22
  • Workspace ONE UEM Console 2011 – 7/15/22
  • Workspace ONE Access 20.10 – 5/2/22
  • vRealize Automation 7.6 – 9/1/22
  • vRealize Operations 8.1.1 – 7/9/22

 

Notes from the Field

The VMware Communities forum has been redesigned to provide a better experience- check it out today at  communities.vmware.com.

New version of RVTools is available – If you have never used this free tool, you should check it out.  It can be used to gather a quick inventory of your environment with some very good detail.  It also provides a quick health check tab that calls out information about long running snapshots, VMs that were removed from inventory but not from disk.  The 20 minutes it would take for you to use this tool (from download to run to review) could save you quite a bit of time and help tidy up your environment.

If you haven’t mitigated your VMware Horizon environment for LOG4J yet – check out this TAM Lab Video which covers remediating your Horizon environment against LOG4J.

 vSphere 7.0 U3c is available
As many of you know several versions of ESXi 7.0 were pulled from VMware download repositories on November 18th 2021.   These include:

  • ESXi 7.0U3, U3a, and U3b were removed
  • vCenter version U3b was also removed from all repositories
  • For additional details on this topic, please see KB86398

In replacement of these releases, on January 27th at 7:30pm PST VMware released vSphere 7.0 U3c. Among other updates, two major components included in this release are:

  1. Remediation for the Apache log4j vulnerabilities – updates log4j modules to version 2.17
  2. Final Resolution for the vSphere 7.0 Update 3 critical issues documented in KB86281

There are some important changes to the upgrade process for vSphere 7.0U3c.  The release notes cover this in detail.  The highlights:

  • Customers should run a “standalone” pre-check validation script, in advance, detailed in KB87258 to determine which hosts will be impacted.  This could be run prior to the vCenter Server upgrade to know the risk and remediate before scheduling vCenter Server upgrade window.
  • Upgrading to vCenter Server 7.0U3c now requires an additional pre-check to evaluate every ESXi host in the vCenter inventory for any that have a known driver conflict that needs to be remediated before the vCenter Server upgrade will complete.  This precheck runs early in the upgrade process.  If the pre-check fails, host remediation will be required prior to restarting the vCenter Server upgrade.  Please see KB86447 for full details on the two ESXi host remediation options. You can upgrade ESXi hosts that you manage with either baselines or a single image, by using the ESXi ISO image with an upgrade baseline or a base image of 7.0 Update 3c respectively. Do not use patch baselines based on the rollup bulletin.
  • The upgrade pre-check may fail if the ESXi 7.0 U2c/U2d hosts exist in a vSphere Lifecycle Manager (vLCM) image-enabled cluster.
  • Note:  7.0 Update 2 or any earlier version are not subject to this driver conflict.  The upgrade should commence as normal.  The upgrade order remains the same (vCenter Server first, followed by ESXi hosts).

VMware’s response to the Apache Log4J vulnerability –  On 12/10/21, the Apache Log4J project disclosed a zero-day vulnerability in CVE-2021-44228.

  • VMware Security Advisory VMSA-2021-0028 was published  to document the impact to VMware Products.    This is an on-going event – please check back at this URL for updates as the develop
  • All VMware products have been patched.  The security advisory link above contains information on the patched versions
  •  If you operate VMware Horizon – please review the additional guidance on VMware Horizon on LOG4J from the VMware Security Engineering team.

Booting ESX hosts from SD-Cards

A TAM Customer webinar in December 2021 covered this extensively. If you were unable to attend the webinar live, you can watch the recording.

KB 83376 – discusses the issues that can arise when the SD card boot device has exhausted its write capability.  This KB also describes a work around VMware has developed to allow low endurance SD Cards to work with vSphere 7 Update 2.  It involves a manual one-time config change which moves certain highly accessed files to a RAM Disk. vSphere 7.0 U3 automated this process.

While this should help with vSphere 7.x, I am not sure what the future holds for SD Cards as ESX boot devices.    If I had to guess, I would imagine that the I/O requirements will increase over time as ESX continues to evolve.

It is advisable to consider adding higher performance/endurance boot devices into a future budget or into your next hardware refresh plan.

Using OpenSSL to create certificate signing request with Subject Alternative Names

vToolbelt - April 2020
Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.