Patch for vmware vSphere 4.0

VMware has recently released a patch for its vSphere 4.0 product line, which affects both ESX and ESXi.

Details from VMware:

We are pleased to inform you that a new VMware ESX 4.0 Patch is available as of April 28, 2011.

Improvements included in this patch:

  • An update for the Certificate Revocation List (CRL) to revoke an RSA key that HP uses for code signing certain software components
  • Remediation of a denial of service possibility. By sending malicious network traffic an attacker could exhaust the available sockets which would prevent further connections to the host
  • Refinements in handling of shared folders

Detailed information regarding resolved and known issues and enhancements can be found at ESX 4.0 Patch Release Notes

VMware ESX 4.0 Patch is available for download at:
Download VMware ESX 4.0 Patch http://www.vmware.com/patch/download/.

Thanks,

VMware vSphere Product Management Team

One of the patches included (ESX400-201104401-SG for ESX and ESXi400-201104401-SG for ESXi) resolves a couple of different issues. The first updates the Certificate Revocation List (CRL) to revoke a key that HP uses for code-signing certain software components. HP has a new key pair and has re-signed the affected software components with it. What this means is that if you apply this patch on an HP server and you are using specific HP management agents (like the HP Management Agent for VMware ESX 4.x), you will need to download the software signed with the updated key and re-install it.

The other fix within the above-mentioned patch resolves a potential denial of service attack against the vmkernel over its management interface. When an attacker exhausts all available sockets, the ESX(i) host becomes inaccessible via vCenter or the vSphere Client. Virtual machines continue to run and keep their network connectivity, but the ESX(i) host may need to be rebooted before you can connect to it again. The same symptom can also appear without an attacker: the ESX(i) system might intermittently lose connectivity because of applications that do not correctly close sockets. If this occurs, an error message similar to the following might be written to the vpxa log file:
socket() returns -1 (Cannot allocate memory)
An error message similar to the following might be written to the VMkernel log file:
socreate(type=2, proto=17) failed with error 55
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-1785 to this issue. More information on this patch can be found in KB 1037258 (ESX) and KB 1037259 (ESXi).
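The two log messages quoted above are the practical detection hook for this issue, whether the socket exhaustion is caused by hostile traffic or by a leaking application. The following is an added example, not code from this post or from VMware: a small Python scanner that runs over constructed vpxa and VMkernel log lines, counts both signatures, and decodes the socreate() arguments. It assumes the vmkernel network stack uses BSD socket and errno numbering (type=2 is SOCK_DGRAM, proto=17 is UDP, error 55 is ENOBUFS); the sample log lines are constructed, not real captures.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Log signatures quoted in the ESX 4.0 patch description above (CVE-2011-1785).
VPXA_PATTERN = re.compile(r"socket\(\) returns -1 \(Cannot allocate memory\)")
VMK_PATTERN = re.compile(
    r"socreate\(type=(?P<type>\d+), proto=(?P<proto>\d+)\) failed with error (?P<errno>\d+)"
)

# Decoding tables. Assumption: the vmkernel TCP/IP stack uses BSD socket and errno numbering,
# so type=2 is SOCK_DGRAM, proto=17 is UDP and error 55 is ENOBUFS (no buffer space available).
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOS = {6: "TCP", 17: "UDP"}
BSD_ERRNO = {23: "ENFILE", 24: "EMFILE", 55: "ENOBUFS"}

def decode_socreate(line: str) -> Optional[Dict[str, str]]:
    """Decode the socket type, protocol and errno of a vmkernel socreate() failure, else None."""
    m = VMK_PATTERN.search(line)
    if m is None:
        return None
    t, p, e = (int(m.group(k)) for k in ("type", "proto", "errno"))
    return {"type": SOCK_TYPES.get(t, f"type{t}"), "proto": PROTOS.get(p, f"proto{p}"),
            "errno": BSD_ERRNO.get(e, f"errno{e}")}

def scan_logs(vpxa: List[str], vmk: List[str], threshold: int = 3) -> Tuple[bool, Counter]:
    """Count both signatures; flag the host once any one signature repeats `threshold` times."""
    hits: Counter = Counter()
    for line in vpxa:
        if VPXA_PATTERN.search(line):
            hits["vpxa:socket_enomem"] += 1
    for line in vmk:
        d = decode_socreate(line)
        if d is not None:
            hits[f"vmk:socreate_{d['proto']}_{d['errno']}"] += 1
    return any(n >= threshold for n in hits.values()), hits

# Constructed sample lines (not real captures), shaped like the messages quoted above.
VPXA_SAMPLE = [
    "[2011-04-29 10:02:11.001 'App' 3070] Received vpxd heartbeat",
    "[2011-04-29 10:02:12.113 'App' 3070] socket() returns -1 (Cannot allocate memory)",
    "[2011-04-29 10:02:13.204 'App' 3070] socket() returns -1 (Cannot allocate memory)",
    "[2011-04-29 10:02:14.377 'App' 3070] socket() returns -1 (Cannot allocate memory)",
]
VMK_SAMPLE = [
    "Apr 29 10:02:12 vmkernel: cpu3:4107)socreate(type=2, proto=17) failed with error 55",
    "Apr 29 10:02:15 vmkernel: cpu1:4099)socreate(type=1, proto=6) failed with error 55",
]
```

Calling `scan_logs(VPXA_SAMPLE, VMK_SAMPLE)` on the sample returns a flagged host with three vpxa hits and one UDP and one TCP ENOBUFS failure; on a real host, point it at the vpxa and VMkernel logs and treat a flag as the cue to check for the patch and for clients that leak sockets.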

Another patch, specific to ESXi (ESXi400-201104402-BG), has also been released. The only information on this patch can be found in KB 1037553, which states “This patch improves the way shared folders are handled.”

Posted under vSphere

This post was written by Rick Scherer on April 30, 2011


VMware ESX 3.0.3 Patch Released

Those of you still running the VI 3.0 suite of VMware products will be happy to know that VMware hasn’t forgotten about you. There was a recent release of version 3.0.3 for ESX, which mostly covers some vulnerabilities in the service console. The biggest piece of this patch is the fact that it will be required if you plan on obtaining upgrades after June 1, 2011. The reason is that the secure key RPM needs to be updated, and the updated RPM is included in the 3.0.3 patch bundle; more information on this can be found in KB 1031235.

Here is some more information from the release notes:

Improvements included in this patch:

  • The service console RPM for krb5 is updated to krb5-libs-1.2.7-72. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1321 to the security issue that this update addresses.
  • The service console RPMs for Samba are updated to samba-3.0.9-1.3E.18vmw, samba-common-3.0.9-1.3E.18vmw, and samba-client-3.0.9-1.3E.18vmw versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2906, CVE-2010-2063, and CVE-2010-3069 to the security issues that this update addresses.
  • To continue applying patches on ESX 3.0.3 hosts, you must update the secure key RPM before June 1, 2011. This patch updates the secure key.

Detailed information regarding resolved and known issues and enhancements can be found at ESX 3.0.3 Patch Release Notes:

VMware ESX 3.0.3 Patch is available for download at http://www.vmware.com/patch/download/.

Posted under VMware

This post was written by Rick Scherer on February 17, 2011


VMware ESX(i) 4.0 Patch Bundle 06

A handful of patches has just been released by VMware for its flagship bare-metal virtualization products, ESX and ESXi.

With no surprise to me, the majority of the patches are for ESX and relate to security flaws and vulnerabilities found within the Service Console. Keep in mind that these vulnerabilities in no way mean the virtual machines being hosted are at risk. These patches are typically for underlying services that the Service Console relies on, such as openssl, java, gzip and ntp. Sometimes these patches also resolve issues in how the Service Console communicates with the vmkernel layer and with system devices.

Two of the patch bundles for ESXi share some common fixes with their ESX counterparts: an NTP vulnerability, a shared interrupt issue between the vmkernel and the console, and a patch that properly enables quiescing using the Microsoft Windows VSS components found in Windows 2008 R2 and Windows 7.

More information on these patches can be found by reviewing the individual bundles:

ESX 4.0 - ESX400-201005001
Includes 9 updates, including fixes for NTP, gzip, bind, vmkernel, krb5, webCenter, Expat, sudo and gcc.

ESXi 4.0 - ESXi400-201005001
Includes two updates, ESXi400-201005401-SG for the ESXi firmware and ESXi400-201005402-BG for VMware Tools.

For updating your ESX(i) hosts, simply use Update Manager or download the patches from the VMware website and use the Host Update Utility to perform these updates.

Posted under vSphere

This post was written by Rick Scherer on May 28, 2010


ESX 4.0 Update 1A

A new patch has been made available for ESX 4.0 Update 1; it is called Update 1A. It only affects ESX, not ESXi. Here is an excerpt of the alert put out by VMware:

ESX 4.0, Update 1, Alert: Upgrading ESX 4.0 to 4.0 U1 can fail or time out and leave the host in an unusable state if using HP Systems Insight Management Agent. ESX 4.0 Update 1a (a re-release of ESX 4.0 Update1) that addresses this issue is available. Please read KB article (ID 1016070) before proceeding with the upgrade.

As I said above, this patch is listed as ESX 4.0 Update 1A and can be found on the VMware Downloads website, or from within VMware Update Manager.

Posted under vSphere

This post was written by Rick Scherer on December 11, 2009


VMware ESX 3.5, Patch ESX350-200904401-BG: Updates vmkernel vmx hostd etc

VMware recently released patch ESX350-200904401-BG, which resolves a number of issues; the full list can be found in KB 1010126.

The biggest fix that has affected me lately is, “Fixes an issue where an unsuccessful online consolidation might cause a virtual machine to fail and become unusable because of a CID mismatch.”

I recently ran into some problems with some virtual machines that have high I/O failing during the commit of a snapshot, I discussed this in an earlier post which can be found here.

I’d highly recommend that anyone running ESX 3.5 apply this update, as it resolves a lot of known issues that can affect VM performance and stability. Always remember to follow proper patching procedures: thoroughly test the patch install and verify it before placing production virtual machines back on the host.

Posted under ESX 3.5 Tips

This post was written by Rick Scherer on May 5, 2009


VMware ESX 3.5 Update 4 Released

VMware has released the latest update to its ESX(i) 3.5 flagship product, Update 4. It is strongly recommended that you upgrade to VMware vCenter 2.5 Update 4 prior to upgrading your ESX hosts. Updates such as this one typically include a number of system improvements as well as all of the patches released between it and the previous update. Numerous driver additions and updates have been added to this update roll-up, including;


Posted under ESX 3.5 Tips, ESXi 3.5 Tips

This post was written by Rick Scherer on March 30, 2009


ESX Patches - Resolve SAN LUN Issue

In a previous article I discussed how an ESX host can halt if LUN metadata updates are done at the same time a LUN path fails. Thankfully VMware has released a patch for this problem, along with a few others. I strongly suggest you upgrade if you’re running VMware ESX 3.5 U3 and block-level storage.


Posted under ESX 3.5 Tips, ESXi 3.5 Tips, Storage

This post was written by Rick Scherer on February 2, 2009


Common issues with NFS.LockDisable=1

After seeing a mention on Scott Lowe’s blog (blog.scottlowe.org) and on the Storage Monkeys Blog (blogs.storagemonkeys.com), I’ve decided to discuss the issue(s) that I’ve come across in regards to disabling NFS locking with the NFS.LockDisable=1 function.


Posted under ESX 3.5 Tips, ESXi 3.5 Tips, NetApp, Storage, VMware, VMware HA

This post was written by Rick Scherer on October 18, 2008


NFS Datastores and what was their BIG issue…

This all started back about a year ago when I decided to move my datastores from Fibre Channel to NFS. The data was already on a NetApp FAS960c so I was enjoying thin provisioning and snapshots…but I wanted more!


Posted under ESX 3.5 Tips, ESXi 3.5 Tips, NetApp, Storage, VMware, VMware HA