Posts

Showing posts with the label patches

VMware Perpetual License EOA Support

If you have not read this blog from Broadcom by Hock Tan, check it out. It helps to outline a few things that have been a source of confusion for many. First, the old perpetual licensing from any vendor, including VMware, is sold in two parts: 1. the perpetual license, and 2. Support and Subscription (SnS). Part 1 basically lets you own the license and do with it what you deem fit. Part 2 allows you to log a case for support assistance, upgrade or downgrade the license, and receive patches and security releases whenever they are available, as long as the product is still supported. The blog clarifies once again that part 1 holds: customers are allowed to keep using the perpetual license even if it is out of support, for as long as they deem fit. "To ensure that customers whose maintenance and support contracts have expired and choose to not continue on one of our subscription offerings are able to use perpetual licenses in a safe and secure fashion, we are announcing free access to zero-day security patches for sup...

VMSA-2024-0006 USB and Out-of-bounds write vulnerability

VMware has released important patches for this advisory, which affects all of its hypervisors, including ESXi and the desktop hypervisors Workstation and Fusion; the vulnerabilities carry CVSSv3 scores of 7.1 to 9.3. Most of those listed are USB related. They may not affect many ESXi deployments, since the affected component is the virtual USB controller presented to a VM and most server VMs are not configured with one; the exposure is more towards the desktop hypervisors, where USB passthrough is common. Check your VM configurations for USB controllers rather than assuming the host's physical USB ports are what matters. Patches are released for ESXi 7 and 8, Workstation 17 and Fusion 13. And since this is critical severity, VMware has also released patches for the out-of-support ESXi 6.5U3v and 6.7U3u for customers on extended support. This also includes VCF 3.x, which happens to run those versions of ESXi. I hope everyone has upgraded, as a best practice, to at least ESXi 7 to avoid the situation where you are not on support and yet running critical workloads. If you are still on ESXi 6.5U3v or ESXi 6.7U3u, I would assume you have extended support to tide you through. Do note that if you manage to get the patches from another source wi...

VMware Just Announced VMSA-2021-0028 with a CVSSv3 Score of 10

Early this morning, 11 Dec 2021 SGT, VMware released the security advisory VMSA-2021-0028 regarding a critical vulnerability in Apache Log4j, identified by CVE-2021-44228, with the full CVSSv3 score of 10. VMware immediately began working on the affected products with workarounds or patches. As this is a full-score rating, we are likely to see VMware update the workarounds at least, and release patches in the next few days. Do check back on the page for updates. Do note that this is not a vulnerability specific to VMware: it is an Apache Log4j vulnerability, and it affects every product that bundles a vulnerable Log4j 2 library (2.0-beta9 up to 2.14.1), whether from VMware or anyone else. So do check your environment and ensure every solution in it that contains Apache Log4j is addressed. A FAQ site has also been released for those with questions. If you are not already, do subscribe to VMware Security Advisories.
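The "check your environment" step above is the part people skipped in December 2021, because Log4j is rarely installed as a package; it sits inside jars, WARs and shaded archives shipped with products. The scanner below is an added example, not code from the original post or any VMware tooling. It walks a directory tree, opens every .jar/.war/.ear/.zip, checks for the JndiLookup class that the vulnerable lookup lives in, reads the log4j-core version from the Maven pom.properties when present, and recurses one level into nested archives. The class and pom.properties paths are the standard ones for log4j-core; the directory layout and archive contents in build_sample_tree are constructed for the demonstration and are not real Apache or VMware artifacts.

```python
"""Added example (not from the original post): find log4j-core copies on disk
and flag those exposed to CVE-2021-44228 (JndiLookup present, version < 2.15.0)."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # CVE-2021-44228 fixed in 2.15.0; raise for the follow-up CVEs
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    nums = []
    for part in text.strip().split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3]) if nums else None

def read_version(zf):
    """log4j-core version from the Maven pom.properties inside the jar, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def classify(version_text, has_jndi):
    if not has_jndi:
        return "not-affected"  # not log4j-core, or mitigated by deleting the class
    ver = parse_version(version_text) if version_text else None
    if ver is None:
        return "review"  # class present, version unknown: inspect by hand
    return "vulnerable" if ver < FIXED_VERSION else "patched"

def inspect_archive(zf, label, depth, findings):
    """Record a finding for this archive, then recurse into nested archives."""
    names = zf.namelist()
    has_jndi, version = JNDI_LOOKUP in names, read_version(zf)
    if has_jndi or version:
        findings.append((label, version, classify(version, has_jndi)))
    for name in (sorted(names) if depth > 0 else ()):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{label}!{name}", depth - 1, findings)

def scan(root, depth=1):
    """[(label, version, verdict)] for every log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, label, depth, findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def make_archive(version=None, jndi=True, nested=None):
    """Constructed stand-in jar containing only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample layout, not real VMware or Apache artifacts."""
    files = {
        "app/lib/log4j-core-2.14.1.jar": make_archive("2.14.1"),
        "app/lib/log4j-core-2.17.1.jar": make_archive("2.17.1"),
        "app/lib/log4j-core-2.14.1-mitigated.jar": make_archive("2.14.1", jndi=False),
        "app/lib/unrelated.jar": make_archive(None, jndi=False),
        "app/webapp.war": make_archive(None, jndi=False, nested={
            "WEB-INF/lib/log4j-core-2.0-beta9.jar": make_archive("2.0-beta9")}),
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def demo():
    """Build the sample tree in a temp dir, scan it, return {label: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {label: verdict for label, _v, verdict in scan(root)}
```

On a real host, call scan() on the product's install root (for example the appliance's /usr/lib or /opt tree) rather than demo(). A "review" verdict means the class is present but the jar carries no Maven metadata, so confirm the version by hand; a jar that reports a pre-2.15.0 version but no JndiLookup class has had the class deleted, which was the supported mitigation for 2.10 to 2.14.1. Log4j 1.x has no such class and is not affected by CVE-2021-44228, so it produces no finding. Raise FIXED_VERSION to (2, 17, 1) if you also want to catch the follow-up issues CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.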

Security Announcement: What Are You Waiting For?

VMSA-2020-0006 & CVE-2020-3952. Yes, you read it correctly. There is a known vulnerability which may affect your vCenter Server running version 6.7, regardless of whether it is the virtual appliance (VCSA) or Windows. Per the advisory, it affects 6.7 deployments that were upgraded from an earlier release line such as 6.0 or 6.5; clean installations of 6.7 are not affected. Here is the article to read more about it.

I often hear from some that they would rather wait a while before patching. I would like to point out that software patches and security patches are two different subjects.

Security patches address an immediate vulnerability. They should be actioned promptly to avoid breaches and compromise. This is of utmost importance, unless your organization does not deem security loopholes worth addressing, or claims to be so highly secured that it does not matter.

Software patches address bug fixes, sometimes carry an upgrade or update, or release features that were delayed, etc. Often these may not impact many cu...

VMware Product Patches Subscriptions

Recently, someone came to me and asked the question below. It is a question I had not been answering for a while. How can I be alerted of new product releases or patches that are available for any VMware product? This is actually part of your profile in the my VMware portal.
1. Log in to the my VMware portal.
2. Under Profile, open Subscriptions.
3. Check the products of interest to be made aware of any patches and release update information.
When there is any, an email will be sent to you.

vSphere Security Concerns (source code leak)

Recently many news channels have carried articles on the code leak; you can see the official announcement here. VMware has also released a patch ahead of the regular patch cycle, as documented here. Many users asked about the concerns they have. First and foremost, wouldn't open source be just as much of a concern, if we were to use it? Every organization should have regulations and policies in place for its infrastructure, be it hardening, keeping patches up to date, firewalls, etc. If these are followed and kept in compliance, is there really much of a concern? One article from Michael White, a VCDX, makes really good sense, and I encourage you to have a read. The single leaked file is from ESX code dating to 2004, and I wonder how many vulnerabilities in it went undiscovered through VMware's regular patches until now, 8 years later. If any environment is still vulnerable because of this leak, it will be disastrous, and it would only show how outdated those servers are, not keep ...