VMware reveals critical vCenter hole it says ‘needs to be considered at once’ VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system – vCenter Server. The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin – even if you don’t run a VMware VSAN. That plugin lacks input …
As a linux user since 1996 count me in the group that really misses the .NET client. I run all my vCenter stuff in vmware workstation running windows anyway(Linux host OS). I held onto vCenter 5.5 for as long as I could.
Side note - am installing this on one of my 6.7 vCenter setups and the build number doesn't match, the ISO is VMware-vCenter-Server-Appliance-6.7.0.48000-18010531-patch-FP.iso and the actual build after installation is 18010599 (but it also says 48000 on the login screen) from the command "vpxd -v". Don't recall ever seeing a mismatch like this before myself.
yes sorry forgot to mention HA. vCenter HA value is questionable to me it has it's own share of issues and the failover times are absolutely terrible (for my simple setups probably takes a good 6 minutes, I understand why it takes that long due to design of the apps HA is sort of a bolt on thing instead of a design thing). Then there's the times when you have to destroy HA to upgrade with schema changes and stuff. But I hope it is better than nothing...sometimes I wonder though.
Yep, for me its around 4-5 minutes to get vcenter back up and running and responding ok. I have also wondered if its really worth running due to that. But its better than nothing if one node goes down for some reason.
Would have been nice if vcenter itself was aware of HA and wasnt really just a bolt on and could have actually been running, just not accepting anything as a minimum (better would be both running), But that probably would have needed a rewrite of all that legacy code.
The standalone client just worked. It was easy and did the job.
The Flash client was an exercise in total an utter stupidity... using something that should only ever be used to enhance parts of a website to do anything more was... inexcusable. The fact that it was only marginally less insecure than ActiveX was no excuse. No server or management system should ever have Flash enabled on it.
Our lives have been forever ruined by the HTML 5 client. We held on to esxi 6 as long as we could stand it.
Writing "a justifiably unloved C# client" makes me wonder who the author spoke to that didn't like the C# client. I haven't met a person yet that doesn't long to go back to it.
Complex products, lots of different people doing different bits at different qualities.
Likely passed validation at the time but now not up to muster.
When you accept that problems will be found you can work on mitigation’s ahead of time so hopefully any potential problems will have a smaller impact.
Seriously, why on earth is it the right thing to be running something so hideously complicated at the core of your service?
Complexity is the bane of security. Security is NOT optional.
This thing should be running an API server. Anything else is...well, two 9.8s so far this year...
Remember VMwaARE 1.0 . . . Web only. Then this client that client, API is the best. I run KVM for personal. VMware for work. Just move everything to AWS, what could go wrong?
*REALLY*! Is anyone actually exposing vcenter to the internet? Shame on you. Segment your networks, this is something that should be addressed, not a panic.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
