As per Security Advisory VMSA-2018-0007, VMware has begun releasing virtual appliance updates to address side-channel analysis due to speculative execution vulnerabilities. One of the first virtual appliances VMware has patched is vCenter 6.5. The latest release, vCenter 6.5U1f, patches the VCSA’s Photon OS to address the Spectre-1 (CVE-2018-5753) and Meltdown (CVE-2017-5754) vulnerabilities. Mitigations for Spectre-2 (CVE-2017-5715) are absent from this release because the Spectre-1 and Meltdown mitigations were ready to ship, whereas the Spectre-2 mitigation is still being prepared.
- Spectre-1: Bounds Check Bypass (CVE-2018-5753) – Patch 6.5U1f
- Spectre-2: Branch Target Injection (CVE-2017-5715) – Patch Pending
- Meltdown: Rogue Data Cache Load (CVE-2017-5754) – Patch 6.5U1f
Patch VMware vCenter Appliance from VAMI
For this example, we use URL patching to update vCenter 6.5 to 6.5U1f from the vCenter Server Appliance Management Interface. URL patching reaches out to the VMware repository, checks for updates, and patches the VCSA to the latest version.
To begin, log into the vCenter Server Appliance Management Interface at https://vcsaIP:5480. From the Navigator, select Update. Under the Check Updates drop-down, select Check Repository.
On occasion, administrators may need to import and export Zerto Virtual Protection Group (VPG) settings. Whether you need to export settings prior to uninstalling Zerto and import them after reinstalling, or simply need a settings backup, Zerto provides a utility for this. Let’s walk through the process of exporting and importing Zerto VPGs.
Export Virtual Protection Group (VPG) Settings
To begin, launch the Zerto Diagnostics application. You can either search your Programs for Zerto Diagnostics or launch the program from C:\Program Files\Zerto\Zerto Virtual Replication.
After launching the Zerto Diagnostics application, select the Export Virtual Protection Group (VPG) settings radio button and click Next.
Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the affected machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits; to what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches, as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).
Update – VMware has removed patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-04).
As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-02) and Hypervisor-Assisted Guest Remediation (VMSA-2018-04). For more detail, check out this VMware KB detailing these responses.
VMware Patch Numbers for ESXi Versions (VMSA-2018-02):
- ESXi 6.5 – ESXi650-201712101-SG
- ESXi 6.0 – ESXi600-201711101-SG
- ESXi 5.5 – ESXi550-201709101-SG
- This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753
VMware Patch Numbers for ESXi Versions (VMSA-2018-04):
- ESXi 6.5 – ESXi650-201801401-BG, ESXi650-201801402-BG
- ESXi 6.0 – ESXi600-201801401-BG, ESXi600-201801402-BG
- ESXi 5.5 – ESXi550-201801401-BG
For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching, as other components may need to be patched first.
For the second part of our Zerto Replication install series, we are going to install the Virtual Replication Appliances (VRAs) and pair our protected site with a recovery site.
First, let’s look at the Virtual Replication Appliance(s). VRAs are lightweight, Linux-based virtual machines that handle replication between sites. A VRA is installed on each host that houses either a protected or a recovery virtual machine. As part of replication, the VRAs compress the data before it traverses between sites.
VRA Requirements (Zerto 5.x – VMware Environment)
- 5 GB datastore space
- A minimum of 1 GB memory
- VMware ESXi 4.0U1 or higher
Install Zerto Virtual Replication Appliances (VRA)
From the ZVM Dashboard, navigate to the Setup tab.
One of my favorite aspects of Zerto Replication is the ease of deployment. In this series, we will run through the installation and configuration of Zerto 5.5 for VMware environments. The series consists of three parts to get Zerto Replication up and running.
- Zerto Virtual Manager (ZVM) Install
- Virtual Replication Appliance (VRA) Deployment/Site Pairing
- Virtual Protection Group (VPG) Setup for Virtual Machines
The focus of today’s post is the Zerto Virtual Manager (ZVM) installation. If you are unfamiliar with the ZVM, it is the centerpiece of the Zerto solution and oversees replication. It taps into vCenter Server to monitor your environment and update Zerto components. Furthermore, the ZVM runs as a Windows service and serves up a user interface to manage Zerto activities. Typically, the ZVM is installed at both the recovery and protected sites.
Before we start, let’s look at some pertinent requirements.