HPE SimpliVity

Critical advisory from VMWare: VMSA-2021-0002

 
SOLVED
Brian_Galante
Advisor

Critical advisory from VMWare: VMSA-2021-0002

Good day fellow Simpliviteers!

This advisory calls for installing VCSA and ESX versions greater than what is listed in the compatibility matrix.

Will there be a bulletin forthcoming from HPE to address this on Simplivity Servers soon? When should we expect it? My security folks are already asking...

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

I am running Simplivity version 4.0.1 U1, VCSA Appliance 6.7 U3F (build 15976728) and ESX ESXi 6.7 P01 (build 15160138)

8 REPLIES 8
Ryan_Hardy
Occasional Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

Actually it is very simple. If you rely on latest VMware patches (within reasonable time at least), don't use SimpliVity at all. This is what I have learned over the past few years using this product. It's really sad, because the product itself wouldn't be that bad. But in times like these I can't imagine any halfway decent IT professional would knowingly use hypervisors with outdated software and firmware at free will. I for sure do not.

Rajini_Saini
HPE Pro

Re: Critical advisory from VMWare: VMSA-2021-0002

Hi @Brian_Galante,

Good day to you too. Thank you for choosing HPE.
The next release of SimpliVity, version 4.1.0, with its latest supported vCenter and ESXi versions, will be available soon [you should receive notification/advisory emails for the same with the date of release].
Hence we would suggest waiting a few more days for an update from HPE, and I believe these security update patches/versions should be taken care of in the upcoming release.

regards,
Rajini Saini

 


I work for HPE


Ryan_Hardy
Occasional Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

@Rajini_Saini While it is nice to see that you are excited about the upcoming update, you can't simply ignore the fact that with EVERY update HPE is steps behind. Even if they may support the latest VMware patches with 4.1.0 (I'd be surprised given the history), I can guarantee all of us that following that we will have to wait several months for new releases or even just new supported VMware minor versions. It's just how it is and how it was.

gustenar
HPE Pro
Solution

Re: Critical advisory from VMWare: VMSA-2021-0002

Hello @Brian_Galante @Ryan_Hardy 

Thank you for using HPE Simplivity Forums. 

I wanted to add the following. Based on the HPE Simplivity interoperability guide:

"A customer may upgrade vCenter to an unlisted patch version only when the vCenter major and minor versions are already listed in this document. Unlisted major or minor version updates are not supported.  

  • For example, if vCenter Server 6.5 Update 3e is the latest supported 6.5 version in this document, and VMware releases patch version 6.5 Update 3g to fix a security issue, it is acceptable to upgrade to Update 3g before HPE updates the document. However, if VMware releases a new minor version 6.5 Update 4 and HPE has not yet added Update 4 to this document, a vCenter upgrade to 6.5 Update 4 would not be supported.
  • Customer must accept that new/unlisted patch versions have not yet been qualified by HPE SimpliVity."

Based on the above it would be acceptable to install the security patch. 

Hope this helps. 

I am an HPE employee

Brian_Galante
Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

There are also some workarounds listed in the advisory. 

But I agree with what you're saying. The new SimpliVity version will be out in a week or two with support for vSphere 7, but I highly doubt that will include the patches for this vulnerability, as they came out just a couple of days ago.

 

Brian_Galante
Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

Thank you very much!

 

Ryan_Hardy
Occasional Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

Yes, recently we have been allowed to install minor vCenter patches (finally), but this only regards vCenter, not ESXi. My main concern is ESXi though, as this is where security matters most.

fahlis
Frequent Advisor

Re: Critical advisory from VMWare: VMSA-2021-0002

HPE

You need to step up this game!

We really need to mitigate this and other upcoming ESXi flaws without having to wait for the next release of OmniStack every time... and even then it might not be included, depending on the release date.

Can't you just test it and release it as you did previously with this one?
HPE SimpliVity - Addressing VMware Vulnerability CVE-2020-3992

This has always been and always will be a big issue for customers who want to / need to keep their vCenters/hosts continuously patched. For some of my customers it has been a showstopper for choosing SimpliVity.