VirtuBytes

Bytes of virtualization with bits of other technology.

Spectre/Meltdown Vulnerability – How to Patch VMware vCenter 6.5

As per Security Advisory VMSA-2018-0007, VMware has begun releasing virtual appliance updates to address side-channel analysis vulnerabilities caused by speculative execution. One of the first virtual appliances VMware has patched is vCenter 6.5. The latest release, vCenter 6.5U1f, patches the VCSA’s Photon OS to address the Spectre-1 (CVE-2017-5753) and Meltdown (CVE-2017-5754) vulnerabilities. Mitigations for Spectre-2 (CVE-2017-5715) are absent from this patch: the Spectre-1 and Meltdown mitigations were ready to be released, whereas the Spectre-2 mitigation is still being prepared.

Variants:

  • Spectre-1: Bounds Check Bypass (CVE-2017-5753) – Patch 6.5U1f
  • Spectre-2: Branch Target Injection (CVE-2017-5715) – Patch Pending
  • Meltdown: Rogue Data Cache Load (CVE-2017-5754) – Patch 6.5U1f

Patch VMware vCenter Appliance from VAMI

For this example, we use URL patching to update vCenter 6.5 to 6.5U1f from the vCenter Server Appliance Management Interface (VAMI). URL patching contacts the VMware repository, checks for updates, and patches the VCSA to the latest version.

To begin, log into the vCenter Server Appliance Management Interface at https://vcsaIP:5480. From the Navigator, select Update. Under the Check Updates drop-down, select Check Repository.


Zerto Replication – Export/Import VPG Settings

On occasion, administrators may need to import and export Zerto Virtual Protection Group (VPG) settings. Whether you need to export settings before uninstalling Zerto and import them after reinstalling, or simply need a settings backup, Zerto has a utility to perform this. Let’s walk through the process of exporting and importing Zerto VPGs.

Export Virtual Protection Group (VPG) Settings

To begin, launch the Zerto Diagnostics application. You can either search your Programs for Zerto Diagnostics or launch the program from C:\Program Files\Zerto\Zerto Virtual Replication.


After launching the Zerto Diagnostics application, select the Export Virtual Protection Group (VPG) settings radio button and click Next.


Update HPE Firmware and Drivers Using SPP and SUM

Administrators have a few different options for updating HPE infrastructure components. One popular way to update HPE firmware, drivers, and Smart Components is to use the Service Pack for ProLiant (SPP) and the HP SUM tool.

What are SPP and SUM?

SPP – Service Pack for ProLiant is a collection of firmware, drivers, and Smart Components that are deployed to your environment via the SUM tool. SPP is packaged as an ISO.

SUM – HP Smart Update Manager is the tool used to deploy updates to HP ProLiant Servers, Integrity Servers, BladeSystem infrastructure, and HP Moonshot Servers. SUM, by default, opens as a GUI. It can also be run in interactive CLI, CLI, or Linux RPM mode.

How do SUM and SPP work? SUM discovers nodes in your infrastructure and records their current firmware and drivers. It then checks the existing firmware/drivers against the SPP and provides update recommendations for admins to apply.

How to Update HPE Enclosures, Servers, and Fabric Components

Now that we have that under control, let’s look at how to deploy updates to your HPE chassis, servers, and fabric components. If you haven’t done so already, download the SPP. The SPP should come with HP SUM.

After you have the pertinent downloads, mount the SPP ISO locally. Locate and run the launch_hpsum batch file.

Zerto Replication – Create Virtual Protection Group

For the final chapter of our Zerto Replication install series, we will create a Virtual Protection Group (VPG) and start replicating virtual machines. As a recap, we have already installed the ZVM, paired the protected and recovery sites, and deployed VRAs.

What is a Virtual Protection Group?

Virtual Protection Groups essentially enable virtual machines to be affinity grouped, meaning you can define a group of VMs that need to be recovered together. For example, an application composed of a web server, database server, and app server could be grouped together so they are recovered jointly. VPGs can also be grouped into tiers based on target RPOs. Virtual machines requiring different RPO levels can be grouped so that all critical machines recover together and less critical tiers can be brought up subsequently. It is also entirely possible to include just one virtual machine in a protection group. This provides flexibility in the event a single VM needs to be recovered as opposed to a group of VMs.

Spectre Vulnerability – How to Patch VMware ESXi

Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits; to what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.

As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches, as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).

Update – VMware has removed patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-04).

As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-02) and Hypervisor-Assisted Guest Remediation (VMSA-2018-04). For more detail, check out this VMware KB detailing these responses.

VMware Patch Numbers for ESXi Versions (VMSA-2018-02):

  • ESXi 6.5 – ESXi650-201712101-SG
  • ESXi 6.0 – ESXi600-201711101-SG
  • ESXi 5.5 – ESXi550-201709101-SG
    • This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753

VMware Patch Numbers for ESXi Versions (VMSA-2018-04):

  • ESXi 6.5 – ESXi650-201801401-BG, ESXi650-201801402-BG
  • ESXi 6.0 – ESXi600-201801401-BG, ESXi600-201801402-BG
  • ESXi 5.5 – ESXi550-201801401-BG

For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching as other components may need to be patched first.