VMware vSAN ESA – Your Storage Platform for VMware Cloud Foundation

At VMware Explore 2024, the session “VMware vSAN ESA: Your Storage Platform for VMware Cloud Foundation” provided a comprehensive look into how vSAN Express Storage Architecture (ESA) is transforming storage solutions for modern data centers. Led by Duncan Epping and Pete Koehler, this session highlighted the capabilities and benefits of vSAN ESA within VMware Cloud Foundation (VCF).

Key Features of vSAN ESA:

  1. Next-Generation Storage Architecture:
    • Designed to handle today’s and tomorrow’s workloads with efficiency and resilience.
    • Offers both aggregated and disaggregated configurations for flexible deployment options.
  2. Performance and Efficiency:
    • Erasure Coding with RAID-5/6: Delivers the performance of RAID-1 with the space efficiency of RAID-5/6, optimizing capacity while maintaining performance.
    • Granular Snapshotting: vSAN ESA integrates snapshots at the VM level without impacting performance, unlike traditional LUN-based snapshots.
  3. Data Protection and Management:
    • Integrated Data Protection: Includes scalable snapshots and simplified recovery options, making it easier to protect and recover VMs.
    • Protection Groups: Offers flexible and easy-to-manage options for snapshot frequency, retention, and immutability, supporting dynamic VM assignments.
  4. Flexible Deployment:
    • vSAN Max: Enables disaggregated storage for independent scaling of compute and storage resources, enhancing cost efficiency and operational flexibility.

Demystifying Distributed Security in VMware Cloud Foundation

In today’s evolving IT landscape, securing distributed environments is crucial. VMware Cloud Foundation (VCF) addresses these challenges head-on with its Distributed Security model. During the VMware Explore EU 2024 session titled “Demystifying Distributed Security in VMware Cloud Foundation,” experts Chris McCain, Tim Burkard explored the nuances of enhancing security within VCF environments.

Key NOTES:

  1. vDefend Distributed Protection:
    • This is VMware’s approach to ensuring secure communication between virtual machines (VMs) by enforcing strict security rules. The Distributed Firewall (DFW) policies, integral to vDefend, apply a Zero Trust model, allowing only authorized traffic and rejecting any unauthorized attempts.
  2. Granular Security Policies:
    • VCF’s Distributed Firewall offers granular control over security policies, allowing IT teams to define rules at both policy and individual VM levels. This flexibility ensures that security is tightly integrated into every layer of the infrastructure.
  3. Intrusion Detection and Prevention:
    • VMware’s Distributed Intrusion Detection and Prevention (IDP) system proactively monitors and prevents unauthorized activities. The IDP uses an extensive signature database to alert or block threats, ensuring real-time protection across the data center.
  4. Built-in Tools for Validation and Troubleshooting:
    • Tools like Traceflow and Live Traffic Analysis are pivotal for monitoring and validating security rules. These tools help IT professionals ensure that the DFW is functioning as intended and that traffic flow complies with security policies.

ESXi Hosts: The Data Plane

ESXi hosts, where VMs reside, are integral to enforcing NSX DFW rules. The following CLI commands can be run on ESXi hosts to manage and troubleshoot DFW settings at the host level:

  • List All the VMs dvFilter Names: Use summarize-dvfilter to list all dvFilters associated with VMs. dvFilters are kernel modules that apply firewall rules to VMs’ network traffic.
  • View IP and MAC Addresses for a dvFilter: To see the IP and MAC addresses related to a specific dvFilter, the command is
    vsipioctl getaddrsets -f <dvfilter-name>
  • List the Firewall Rules Applied on DvFilter: Retrieve the set of firewall rules applied to a dvFilter by executing
    vsipioctl getrules -f <dvfilter-name>
  • View Firewall Configuration for a dvFilter: To inspect the firewall configuration for a specific dvFilter, the command is
    vsipioctl getfwconfig -f <dvfilter-name>

NSX-T CLI on my blog.

Attend Sessions at VMware Explore 2024 – Plan Your Journey

VMware Explore 2024 is just around the corner, and it’s packed with insightful sessions and opportunities to learn from industry experts. With so much to explore, it’s crucial to plan your schedule, stay comfortable, and stay hydrated throughout the event. Here are my top session picks to make the most of your time at the conference.

Quick Tips for Attending:

  1. Wear Comfortable Shoes: You’ll be walking a lot between sessions, so good shoes are a must.
  2. Use the Event App: The VMware Explore app is a great tool for tracking your sessions, finding rooms, and staying updated with event news.
  3. Plan Your Sessions: Take some time to map out the sessions you want to attend so you can maximize your learning.
  4. Drink Plenty of Water: Keep yourself hydrated to stay energized throughout the day.

Recommended Sessions

New ESXi-Arm Fling based on 8.0 Update 3b

New ESXi-Arm Fling based on 8.0 Update 3b

I am very happy to share that the ESXi-Arm team has just released a brand new version of the popular ESXi-Arm Fling (v2.0), which is now based on ESXi 8.x codebase and specifically using the latest ESXi-x86 8.0 Update 3b release! This is a very exciting update, as the original release of […]

Broadcom Social Media Advocacy

Security Enhancements in Cisco UCS Release 4.3(5a): Key Vulnerability Fixes

With the Cisco UCS 4.3(5a) release, Cisco addresses multiple critical security vulnerabilities impacting UCS Manager, Fabric Interconnects, and compute nodes. These updates are essential for maintaining secure infrastructure as they address several vulnerabilities within third-party software dependencies. Here’s a rundown of the significant security fixes provided in this release.

1. CSCwb81661: Vulnerabilities in OpenSSL

Cisco UCS Manager now includes critical fixes for three vulnerabilities related to OpenSSL, which, if exploited, could impact cryptographic functions, certificate parsing, and script handling. Here’s a closer look at each vulnerability:

  • CVE-2021-4160: A bug in the squaring procedure of MIPS32 and MIPS64 processors could potentially allow attackers to exploit Diffie-Hellman (DH) cryptographic operations, which affects scenarios with shared DH private keys. Cisco has mitigated this vulnerability by upgrading to fixed OpenSSL versions, addressing this issue in OpenSSL 1.1.1m, 3.0.1, and later releases.
  • CVE-2022-0778: The BN_mod_sqrt() function in OpenSSL could enter an infinite loop when parsing certain elliptic curve certificates, leading to a denial of service (DoS). This could be triggered in scenarios involving TLS and certificate handling. Cisco’s update mitigates this risk with fixes provided in OpenSSL 1.1.1n, 3.0.2, and later versions.
  • CVE-2022-1292: A vulnerability in the c_rehash script could allow attackers to inject commands through improperly sanitized shell metacharacters. This script, now considered obsolete, is replaced by OpenSSL’s rehash command-line tool, which Cisco has now included to remove this potential risk.

2. CSCwk62264: OpenSSH Security Regression (CVE-2024-6387)

Cisco UCS 6400 and 6500 Series Fabric Interconnects, when operated in UCS Manager mode, were vulnerable to a security regression in the OpenSSH server (sshd). This flaw, stemming from an older race condition vulnerability (CVE-2006-5051), could allow unauthenticated attackers to exploit the sshd signal handling.

Cisco’s Solution: Cisco has patched OpenSSH within the UCS software stack, reinforcing the security of SSH operations in Fabric Interconnects to eliminate this race condition vulnerability.

3. CSCwk62723: OpenSSH Vulnerability in Serial over LAN (SOL) on Blade Servers and Compute Nodes

The UCS B-Series Blade Servers and X-Series Compute Nodes were also affected by the same OpenSSH race condition issue. This vulnerability could impact serial-over-LAN connections, which are essential for remote console access.

Cisco’s Solution: The update fixes this vulnerability by integrating the latest OpenSSH patch, safeguarding remote management sessions on UCS blade servers and compute nodes.

4. CSCwk75392: libexpat Denial of Service Vulnerability (CVE-2023-52425)

This vulnerability in libexpat could lead to a denial of service (DoS) attack due to resource-intensive parsing of large tokens. Cisco UCS Manager, which relies on libexpat for XML parsing, could be affected in scenarios that involve extensive parsing requirements.

Cisco’s Solution: The upgraded libexpat version now included in UCS Manager resolves this DoS vulnerability, ensuring that XML parsing operations are resilient against such resource exhaustion attacks.

Links: Release Notes for Cisco UCS Manager, Release 4.3

Cisco UCS Release 4.3(4a) Update: PSU view displays Power: Error BUG CSCwj01478

Cisco’s Unified Computing System (UCS) continues to innovate in providing a powerful platform for data center infrastructure, but even with frequent updates, occasional bugs arise. In the recent Cisco UCS release 4.3(4a), a notable issue surfaced with the deployment of the Cisco UCSX-9508 chassis, leading to a power status error in the Cisco UCS Manager (UCSM) interface.

This issue, identified as BUG CSCwj01478, involves PSU view displays Power: Error and Input Source: Unknown in UCSM that do not reflect the actual physical status of the hardware.

Symptom Overview

Users deploying the Cisco UCSX-9508 chassis, integrated with Cisco UCS 6454 Fabric Interconnects (FI) and the Cisco UCS 9108 25G Intelligent Fabric Module (IFM), may encounter the following symptoms:

  • Power Display Issue: In UCSM, the chassis power status shows as “Power: Error” and “Input Source: Unknown,” even though the physical server PSU LEDs are green, indicating normal operation.
  • Persistent Faults: Major faults associated with the power status do not resolve within UCSM, even after attempts to decommission and re-acknowledge the chassis.

While these symptoms do not affect the physical functionality of the power supply, the discrepancy in UCSM’s display can complicate administrative monitoring and fault management workflows.

Summary: As a personal workaround, I set the FAN policy to MAX, which temporarily resolved the issue. However, the release of 4.3(4a) has now provided an official solution.

Links: Release Notes for Cisco UCS Manager, Release 4.3

Recovering ESXi 7.x & 8.x host after forgetting…

Recovering ESXi 7.x & 8.x host after forgetting…

The general guidance and quickest way to recover an ESXi host if you have forgotten or lost the root password is to reset using vSphere Host Profiles if it was managed by vCenter Server or simply reinstall ESXi which would allow you to preserve the existing VMFS volumes along with any workloads [..]

Broadcom Social Media Advocacy

Critical Security Alert: Update to Fixed Version 8.0 U3d Immediately

Urgent Notice from VMware by Broadcom

VMware has announced that the security patches released on September 17, 2024, intended to address CVE-2024-38812, did not fully mitigate the vulnerability. As a result, all customers are strongly advised to update to the latest version, 8.0 U3d, immediately. Patches for the 8.0 U2 line are also available to address this issue.

This urgent advisory applies to all vCenter Server users, as the newly identified vulnerabilities pose a significant security risk. Notably, two critical vulnerabilities were reported in vCenter Server, including a heap-overflow vulnerability and a privilege escalation vulnerability. These have been responsibly reported to VMware, which has now provided updates to address them.

Key Vulnerability: Heap-Overflow in vCenter Server (CVE-2024-38812)

Vulnerability Description:

A critical heap-overflow vulnerability was discovered in vCenter Server, specifically in its implementation of the DCERPC protocol. The issue has been assigned CVE-2024-38812 and carries a CVSSv3 base score of 9.8, placing it in the Critical severity range.

Known Attack Vectors:

This vulnerability can be exploited by a malicious actor who has network access to the vCenter Server. By sending a specially crafted network packet, the attacker could trigger the heap-overflow, potentially leading to remote code execution (RCE) on the affected system.

Why You Should Patch Now

This vulnerability could allow attackers to gain control over your vCenter Server environment, putting your infrastructure at risk for unauthorized access, data breaches, or service disruptions. Given the widespread use of vCenter Server for managing virtual environments, this threat is extremely serious, especially for businesses relying on VMware for critical operations.

Patch Availability

The new patches, which can be found in the Response Matrix, have been made available for both the 8.0 U3, 8.0 U2 and 7.0 U3 versions of vCenter Server. Customers should apply the new patches immediately to ensure their systems are protected.

What to Do:

  1. Check your version: Identify if your vCenter Server version is affected.
  2. Apply the patches: Use the Response Matrix provided by VMware to download and install the necessary updates.
  3. Follow VMware’s best practices: Regularly update your systems, review security advisories, and apply patches as soon as they are released to minimize security risks.

Mount VMware-vCenter-Server-Appliance-8.0.3.00400-24322831-patch-FP.iso to VCSA VM. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:

# To stage the ISO:
software-packages stage --iso

# To see the staged content:
software-packages list --staged

# To install the staged rpms:
software-packages install --staged