Update 2015-10-06 – VMware just released a new update named ESXi 5.5 Update 3a (build number 3116895), which fixes the snapshot consolidation bug.

More info at http://kb.vmware.com/kb/2133825 and download at https://my.vmware.com/group/vmware/patch#search (or using VUM).

—————————————————————————

VMware released a new security advisory on Thursday warning about three separate security vulnerabilities affecting ESXi and/or vCenter Server (http://www.vmware.com/security/advisories/VMSA-2015-0007.html).

All three vulnerabilities are remotely exploitable over the network (or at least so it seems judging by the very brief description in the advisory). This means that they need to be taken very seriously, especially in environments where the ESXi hosts and/or the vCenter Servers are reachable over the network from other servers or client machines.

Those of you who don’t have segmented networks with restricted access to ESXi hosts and vCenter Servers run a much greater risk of getting hit by hackers or malware exploiting these security flaws, and thus need to get the patches in place much quicker. (I will assume here that nobody has their core vSphere environment reachable from the internet in any way, but if you do, please give us a call and we’ll help you redesign it in a more secure way.)


The first vulnerability affects all ESXi 5.x versions (not ESXi 6.x). To fix it you install either just the security patch itself (see the advisory for details) or the corresponding “Update Bundle”, which is U3 for 5.5, U3b for 5.1 and U3e for 5.0.

The problem with ESXi 5.5 U3 is that it also contains a newly discovered bug that can crash VMs during snapshot consolidation. For this reason we recommend that customers running ESXi 5.5 only apply the security patch (ESXi550-201509101), and not the entire Update Bundle U3.

At the time of writing we don’t have any confirmation whether the snapshot bug is present in the security patch build 3029837 or if it’s only present in the U3 build 3029944. Keep an eye on this blog post for details, as they are released.
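Since the recommendation for 5.5 hinges on which build a host is actually running (security patch 3029837, U3 3029944, or the later U3a 3116895 that fixes the snapshot bug), a quick way to see where each host stands is to classify the one-line output of `vmware -v`. The shell function below is an added example, not code from this post or from VMware. It assumes the standard `VMware ESXi <version> build-<number>` output format and that later 5.5 builds include the earlier security fix; because the post gives no build numbers for 5.0 and 5.1, those versions only get a "check the advisory" verdict. The sample lines at the bottom are constructed, not real hosts.

```shell
#!/bin/sh
# Added example: classify an ESXi host build against the ESXi 5.5 builds named
# in the post. Input is the one-line output of `vmware -v` on the host,
# e.g. "VMware ESXi 5.5.0 build-3029944".

# Build numbers taken from the post; everything else here is an assumption.
ESXI55_SECURITY_PATCH_BUILD=3029837   # ESXi550-201509101 (security patch only)
ESXI55_U3_BUILD=3029944               # Update 3 bundle (snapshot consolidation bug)
ESXI55_U3A_BUILD=3116895              # Update 3a (security fix + snapshot fix)

# classify_esxi_build "<vmware -v line>"  -> prints one verdict keyword
classify_esxi_build() {
    line=$1
    # Pull out the version ("5.5.0") and the numeric build from the line.
    version=$(printf '%s\n' "$line" | sed -n 's/^VMware ESXi \([0-9.]*\) build-\([0-9]*\).*/\1/p')
    build=$(printf '%s\n' "$line" | sed -n 's/^VMware ESXi \([0-9.]*\) build-\([0-9]*\).*/\2/p')
    if [ -z "$version" ] || [ -z "$build" ]; then
        echo "unparseable"
        return 0
    fi
    case "$version" in
        6.*)
            # The post states the first vulnerability does not affect ESXi 6.x.
            echo "not-affected-6x" ;;
        5.5*)
            if [ "$build" -ge "$ESXI55_U3A_BUILD" ]; then
                echo "patched-u3a"                      # security fix and snapshot fix
            elif [ "$build" -eq "$ESXI55_U3_BUILD" ]; then
                echo "patched-u3-snapshot-bug"          # U3: fixed, but VMs may crash on consolidation
            elif [ "$build" -ge "$ESXI55_SECURITY_PATCH_BUILD" ]; then
                # Assumes builds after 3029837 carry the security fix; builds
                # between U3 and U3a (if any) should be checked against release notes.
                echo "patched-security-only"
            else
                echo "vulnerable-apply-ESXi550-201509101"
            fi ;;
        5.1*|5.0*)
            # No build numbers for U3b / U3e are given in the post.
            echo "check-advisory-5x" ;;
        *)
            echo "unknown-version" ;;
    esac
}

# Constructed sample inputs (not real hosts): run this file to see the verdicts.
for sample in "VMware ESXi 5.5.0 build-2000000" \
              "VMware ESXi 5.5.0 build-3029837" \
              "VMware ESXi 5.5.0 build-3029944" \
              "VMware ESXi 5.5.0 build-3116895" \
              "VMware ESXi 6.0.0 build-3000000"; do
    printf '%s -> %s\n' "$sample" "$(classify_esxi_build "$sample")"
done
```

On a host you would call it as `classify_esxi_build "$(vmware -v)"`; across a fleet, collect each host's `vmware -v` line over SSH into a file and loop over the lines, and treat anything other than `patched-u3a` or `not-affected-6x` as needing a closer look.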


The second security vulnerability affects vCenter Server and is also a remotely exploitable flaw, which makes it urgent to patch (depending partially on your network segmentation setup). Upgrade your vCenter Servers to 6.0 U1, 5.5 U3 (no bug in this one), 5.1 U3b or 5.0 U3e, respectively.


The third vulnerability affects vCenter Server and allows a remote denial of service, and you might already be patched against it, since it’s fixed from the following versions: 5.5 U2, 5.1 U3, 5.0 U3e (6.0 is not affected).


As always, we recommend that you test your patches in a part of your environment for a period of time before rolling them out to the entire environment, just to make sure there are no other bugs affecting your infrastructure.

If you have any questions around patching or need help redesigning your environment or processes to mitigate these security threats in the future, don’t hesitate to contact us.

Happy patching!