Exploring container security: Day one Kubernetes decisions
November 27, 2019
How MedusaLocker Ransomware Aggressively Targets Remote Hosts
November 28, 2019
We are excited to announce a number of updates to VMware Skyline. Skyline is VMware’s proactive support service, which identifies potential issues in your environment, and provides recommendations for how to avoid each potential issue, before it occurs. The following updates are made available via a combination of Skyline Collector version 2.3 and updates to the Skyline Advisor service, along with new integration with Dell EMC SupportAssist Enterprise.
Enhanced Security Policy
We have enhanced the process of granting user access to Skyline Advisor. Now, an Organization Owner must explicitly grant user’s access to Skyline Advisor. If your access to Skyline Advisor was removed, contact an Organization Owner within your Cloud Services Organization, and request they grant you access to the Skyline Advisor service role. The Organization Owner is usually the individual who originally created your Cloud Services Organization for Skyline.
We have created the KB Article 76319 to help you resolve the loss of access to Skyline Advisor. If you have any trouble with re-gaining access to Skyline Advisor, please start a discussion within the Skyline Community. The Skyline Community is moderated by a team of VMware Technical Support Engineers. If you are a Premier Support customer, contact your Support Account Manager for assistance.
Integrate Dell EMC SupportAssist for Enterprise with Skyline
Thousands of customers leverage Dell EMC SupportAssist Enterprise (SAE) to proactively support Dell hardware. Dell EMC SAE is Dell’s proactive support technology for hardware, that is included in customer support entitlements. Dell EMC SAE and Skyline are joining forces, enabling a best-in-class proactive support experience for customers utilizing Dell PowerEdge servers 12G and above to operate their VMware products and solutions on.
Customers who use Dell EMC SAE to proactively support their Dell PowerEdge server hardware will now see a notification providing them information about Skyline, with a call to action to download and install Skyline. Similarly, customers using Skyline will now see a notification within Skyline Advisor, with a call to action to download and install Dell EMC SAE.
Before we continue, there is a caveat. As noted in the first paragraph, this integration is only available to customers using Dell PowerEdge servers 12G and above. The Integrations tab will only appear within Skyline Advisor if you are using Dell PowerEdge servers 12G and above. If you are using an older version of Dell PowerEdge servers or another vendor server hardware, the Integrations tab within Skyline Advisor will not be visible.
Let’s continue…
Within Skyline Advisor, a new Integrations tab may be available to you, which allows you to Opt-In to this integration. After Opting-In, Skyline Advisor will display which ESXi hosts within your environment have Dell EMC SAE enable for them, or not. This notification will appear within Inventory view of Skyline Advisor, in the Solution Tags column. The SupportAssist notification will only appear for Dell PowerEdge servers 12G and above running ESXi.
The following is required in order to enable the Dell EMC SAE and VMware Skyline integration:
- Dell EMC SupportAssist for Enterprise v4.0.5
- Skyline Collector v2.2 or above. We recommend Skyline Collector version 2.3.
Upload Support Log Bundles for Horizon Connection Servers
Customers who have added Horizon to Skyline, for potential issue identification, will now be able to upload a support log bundle to VMware Global Support Services (GSS), using Skyline Log Assist. A Horizon Connection Server that has been added to a Skyline Collector will now appear in the Inventory Tree, of the Initiate Log Transfer page.
The following is required in order to upload a Horizon Connection Server support log bundle to VMware GSS, using Skyline Log Assist:
Also, ensure the account used to add your Horizon Connection Server to the Skyline Collector has the necessary permissions to initiate a log transfer request. We have updated KB Article 59661 with the required permissions, and the steps to take within the Horizon 7 Administration console to create a role specific for Skyline.
Collector Health
The Collector Details page within Skyline Advisor has been updated to include both Collector, and configured product health. Now you can view the health of all Skyline Collectors registered with your Cloud Services Organization in one-place. Access the Collector Health page by clicking on Show Collector Details, located on the Skyline Advisor Dashboard page.
For each Skyline Collector, the products configured for that Skyline Collector are displayed. Now, we are also displaying the health for each of the configured products. If there is an issue with a configured product, such as account disabled or password expiration, the status for the configured product will change to Communication Issues (red, instead of green).
The Collector Health state, and configured product state, are independent of each other. What does that mean? It means that the Collector may be in a Healthy state, but all configured products are healthy (Configured). In this example below, the Skyline Collector Skyline-HOL-Horzion is in a Failed to Collect Data state. However, the configured Horizon Connection Server is in a healthy (Configured) state. In this scenario, there is an issue with the Skyline Collector, such as it is unable to send the product usage data collected to VMware. Perhaps a firewall policy was updated that is preventing outbound communication. There is not an issue with the configured Horizon Connection Server, as it operating correctly (sending product usage data to the Skyline Collector).
Remember, there are two types of data paths, one from the Skyline Collector to VMware, and the other from the products configured to the Skyline Collector. This is why there are two health statuses, and why they are independent of each other.
Federated Authentication to Skyline Advisor
Today, customers use their My VMware or VMware account to access Skyline Advisor, via VMware Cloud Services. Enterprises using Cloud Services can set up federation with their corporate domain accounts. This allows customers to use the same account they use to access their corporate IT systems, to also access Cloud Services. This helps simplify the control of access to both corporate IT systems, and Cloud Services.
To set up Federated Identity Management to Cloud Services, and Skyline Advisor, follow the directions available in the VMware Cloud Services Product Documentation. After setting up and configuring federated identity management, remember to add the Skyline Advisor service role to the corporate domain accounts added to Cloud Services.
Skyline Collector Active Directory Improvement
In the past, customers had the ability to enable Active Directory authentication for the Skyline Collector. However, it required that anonymous bind be configured for Active Directory, which is not recommended. We are happy to announce that anonymous bind is no-longer required to enable Active Directory authentication for the Skyline Collector.
Now, customers can enable Active Directory users and groups to access the Skyline Collector user interface, without the anonymous bind requirement. Customers will use an account to bind Active Directory to the Skyline Collector. Note, the account used to bind Active Directory to the Skyline Collector is not stored by the Collector. Customers will be required to provide an account each time they want to allow a new user, or group, access to the Skyline Collector user interface.
New Skyline Findings & Recommendations
We saved the best for last. Ten new findings & recommendations have been added to Skyline. If applicable to your environment, you will see these new findings & recommendations appear within the Findings & Recommendations tab of Skyline Advisor. And security individuals, or teams, will be happy to see that we have added a check for the TSX Asynchronous Abort (TAA) Speculative Execution and Machine Check Error on Page Size Change (MCEPSC) Denial-of-service vulnerabilities.
VLAN Tasgging issues with Intel X710 network adapter
Finding ID: vSphere-VLANTaggingIntelX710-KB#2149781 Article: https://kb.vmware.com/s/article/2149781
Host goes to non-responsive state – “IPMI SEL unavailable”
Finding ID: vSphere-hostnonresponsive-KB#70973 Article: https://kb.vmware.com/s/article/70973
Networking issues with dvSwitch in ESXi 6.0: Unsupported address family
Finding ID: vSphere-UnsupportAddressFamily-KB#2117308 Article: https://kb.vmware.com/s/article/2117308
ESXi 6.7 U2/U3 unresponsive when running Dell OpenManage Server Administrator 9.3.0
Finding ID: vSphere-UnresponsiveOpenManage93-KB#74696 Article: https://kb.vmware.com/s/article/74696
ESXi 6.0 Update 2 host fails with a PSOD error mentioning Vmxnet3VMKDevRxWithLock
Finding ID: vSphere-PSODVmxnet3VMKDevRxWithLock-KB#2144968 Article: https://kb.vmware.com/s/article/2144968
backtrace SCSI_DeviceClusteringClearState” PSOD in ESXi 6.5 Update 2
Finding ID: vSphere-PSODScsiDevice-KB#56492 Article: https://kb.vmware.com/s/article/56492
vSphere 6.7 HTML5 client cannot query more than 200 principals
Finding ID: vSphere-HTML5ClientMaximumObjects-KB#55617 Article: https://kb.vmware.com/s/article/55617
VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536)
Finding ID: vSphere-ESXiOS5536-VMSA#20190019 Article: https://www.vmware.com/security/advisories/VMSA-2019-0019.html
Hypervisor-Specific Mitigations for TSX Asynchronous Abort (TAA) Speculative-Execution vulnerability (CVE-2019-11135)
Finding ID: vSphere-CVE-2019-11135-VMSA#20190020 Article: https://www.vmware.com/security/advisories/VMSA-2019-0020.html
Hypervisor-Specific Mitigations for Machine Check Error on Page Size Change (MCEPSC) Denial-of-Service vulnerability (CVE-2018-12207)
Finding ID: vSphere-CVE-2018-12207-VMSA#20190020 Article: https://www.vmware.com/security/advisories/VMSA-2019-0020.html & https://kb.vmware.com/s/article/59139. Important: Additional configuration is required after updating to enable mitigations, these mitigations may have a performance impact and are not enabled by default. Please review VMSA-2019-0020 section 3a. for more information.
Summary
Just a reminder, we always recommend that you utilize the most recent version of the Skyline Collector. If Auto Upgrade is enabled for your Skyline Collector, your Collector will update on the day and time that you have specified. Please allow for 7-10 days for the automatic upgrade to apply. If you have not enabled Auto Upgrade, you can upgrade your Skyline Collector using the virtual appliance management interface (VAMI). For more details, please see the Update Skyline Collector within the VMware Skyline documentation.
For more information about today’s updates, please see the following documentation:
