Host-based backup of VMware vSphere VMs.
pmichelli
Expert
Posts: 106
Liked: 29 times
Joined: Mar 16, 2023 5:47 pm
Contact:

vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by pmichelli »

https://docs.vmware.com/en/VMware-vSphe ... index.html

I assume based on other upgrades that Veeam will say it needs to be tested by QA and to not update. Just checking to see if this is still valid or if we are ok to update?

Thanks,
Mildur
Product Manager
Posts: 10099
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Mildur » 1 person likes this post

Hello Pmichelli

As always for "U" updates, please wait for official support announcement :)
We are already testing. Our commitment is to bring official support for new releases within 90 days of GA.
I expect it to be supported with our next release v12.2 (Q3 2024).

We will update the corresponding KB article and help center after testing has finished:
https://www.veeam.com/kb2443

Best,
Fabian
Product Management Analyst @ Veeam Software
Sturniolo
Veeam Software
Posts: 78
Liked: 48 times
Joined: Feb 19, 2019 3:08 pm
Full Name: Andy Sturniolo
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Sturniolo »

Also please keep in mind that 8.0.3 has gone IA (Initial Availability). For more info on the release cycle.. check this link out.. https://blogs.vmware.com/vsphere/2023/0 ... olves.html
pmichelli
Expert
Posts: 106
Liked: 29 times
Joined: Mar 16, 2023 5:47 pm
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by pmichelli » 1 person likes this post

The release notes state it is GA , but regardless my cowboy days are behind me and now I wait for every vendor to say it's safe to upgrade. Thank you both for replying. I had a feeling this would be the situation (wait until we say its ok). Already some early adopters on Reddit seeing PSOD on the ESXi upgrades. I like my weekends more than I like being a early adopter these days :)

General Availability
This vCenter Server 8.0 Update 3 release is a General Availability (GA) designation
Sturniolo
Veeam Software
Posts: 78
Liked: 48 times
Joined: Feb 19, 2019 3:08 pm
Full Name: Andy Sturniolo
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Sturniolo »

Ah yes vCenter is GA.. it appears that ESXi 8.0.3 is IA.

https://docs.vmware.com/en/VMware-vSphe ... index.html

I agree i always wait for support statements, rather than being a cowboy... especially in a production environment.
d.artzen
Enthusiast
Posts: 76
Liked: 32 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by d.artzen »

I also agree it is better to wait and not only because of the support statement from Veeam (which is of course important). I have seen enough broken releases by VMware in the past few years even before they were bought by Broadcom (some will remember 7U3 being redacted by VMware because it made so many problems) and I don't need these problems in my environment. So normally I wait until at least the first letter patch to upgrade our systems. In the past they even released updates for the older versions, if it become known that there is a security problem in the older version. So I am quite comfortable with my "wait and see" approach.
tyler.jurgens
Veeam Legend
Posts: 418
Liked: 243 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by tyler.jurgens » 8 people like this post

The best thing to do is ultimately just patch to the latest version on day 1, then post in all corresponding forums for all software you use that its broken and you need them to fix it immediately because everything's down.
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
mcvosi
Enthusiast
Posts: 66
Liked: 8 times
Joined: Jun 14, 2011 1:55 pm
Full Name: Matthew Vaughan
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by mcvosi »

FWIW, I just upgraded my environment yesterday to 8 U3 from 7.03 -- no issues thus far.

*Additional note* hosts have not been upgraded yet -- they're still on 7.03.
Trelor
Enthusiast
Posts: 48
Liked: 16 times
Joined: Apr 27, 2015 6:02 pm
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Trelor » 1 person likes this post

pmichelli wrote: Jun 25, 2024 1:39 pm https://docs.vmware.com/en/VMware-vSphe ... index.html

I assume based on other upgrades that Veeam will say it needs to be tested by QA and to not update. Just checking to see if this is still valid or if we are ok to update?

Thanks,
This question has been asked 100x over Update #U# is out does veeam support it. Every time the answer is the same wait for Veeam to announce it.
mcvosi wrote: Jun 26, 2024 3:06 pm FWIW, I just upgraded my environment yesterday to 8 U3 from 7.03 -- no issues thus far.

*Additional note* hosts have not been upgraded yet -- they're still on 7.03.
Until it doesn't :)
UyumsuzSami
Lurker
Posts: 1
Liked: never
Joined: Mar 04, 2023 2:34 am
Full Name: Mahmut Sami Özdemir
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by UyumsuzSami »

Hi,

Vmware Vcenter Version: 8.0.3 Build: 24022515
Esxi Host VMware ESXi, 8.0.3, 24022510
veeam Backup 12.1.1.56

I have been using it this way for 2-3 days and I have not received one error yet and it works without any problems.
np-mast
Service Provider
Posts: 7
Liked: never
Joined: Apr 13, 2023 6:00 pm
Full Name: Maximilian Stumpf
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by np-mast »

The fact that 8.0U3 is the only security fix available for customers running vSphere 8 to mitigate VMSA-2024-0013 makes this more time-critical then usual...
d.artzen
Enthusiast
Posts: 76
Liked: 32 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by d.artzen » 2 people like this post

These vulnerabilities have a max score of 6.8, so they are not "critical". For one exists a workaround and for another an attacker needs to have local administrator rights on a guest VM to trigger it.
The Vcenter one needs network access to it, which should be restricted by firewall/acls to only those systems that really need it. So I personally don't see this as so time-critical.
ashleyw
Service Provider
Posts: 211
Liked: 46 times
Joined: Oct 28, 2010 10:55 pm
Full Name: Ashley Watson
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by ashleyw »

We upgraded vcentre a few weeks back and our esxi hosts earlier today. No issues so far and we've run multiple backup jobs.
For us it was easier to upgrade the infrastructure rather than to have a drawn out debate with out security team about the pros and cons of the update.
I did find it amusing though that on one page Broadcom said is was a 6.8 and then linked to another page which said it was a 9.8, so it looks like Broadcom are mixing their 6s for 9s!
I do agree though that as long as the hosts are on a secure internal network, that the potential risks are massively overstated, especially by those in security positions.
The hardest part though is having to navigate through the awful Broadcom portal to find the relevant updates and notes.
d.artzen
Enthusiast
Posts: 76
Liked: 32 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by d.artzen »

A bit OT, but where do you see the link to a CVE with 9.8? On this page https://support.broadcom.com/web/ecx/su ... es/0/24505 I only find the three CVEs with 6.8, 6.8 and 5.3 and this is the VMSA that is mentioned in the release notes of 8U3.
Mildur
Product Manager
Posts: 10099
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Mildur »

Please don't change this topic to a discussion about security risks :)
You can open a new topic if you want to discuss security vulnerabilities in vSphere. But let's keep this topic about the discussion when we officially support vSphere 8.0 U3.

While backup seems to not throw any error (according to some comments here), we still have to run test on all other features.
Sample: Backup, Replica, CDP, all restore options/methods, ...
Please wait for our official support if your organization relies on 100% tested backup and restore operations.

Best,
Fabian
Product Management Analyst @ Veeam Software
mkretzer
Veeam Legend
Posts: 1209
Liked: 418 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by mkretzer »

@Muldur sadly, its not that easy this time.
We have one security issue (CVE-2024-37086) that could bring down whole ESX environments. And there will be no fix for 8.0 U2 according to Support:
"Unfortunately, the only way to mitigate the vulnerability is to upgrade the environment to 8.0U3. There's no update that a new patch for 8.0U2 will be released for the vulnerability."
For us that means our whole ESX 8.0 upgrade project just stalled and we have to wait for Veeam to support this.

I do not remember that this has happened before like this.
tyler.jurgens
Veeam Legend
Posts: 418
Liked: 243 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by tyler.jurgens » 2 people like this post

I've never seen VMware *not* release a patch for an supported version before, so this looks like something else we received from the Broadcom acquisition.

Good thing there are workarounds:

Code: Select all

To workaround the issue, change the following ESXi advanced options:
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
mkretzer
Veeam Legend
Posts: 1209
Liked: 418 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by mkretzer »

And that will solve the denial of service issue? I think this might help with the other AD issue which for us is not so relevant...
RubinCompServ
Service Provider
Posts: 343
Liked: 82 times
Joined: Mar 16, 2015 4:00 pm
Full Name: David Rubin
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by RubinCompServ » 2 people like this post

tyler.jurgens wrote: Jun 26, 2024 2:53 pm The best thing to do is ultimately just patch to the latest version on day 1, then post in all corresponding forums for all software you use that its broken and you need them to fix it immediately because everything's down.
Funny that you say that, because I just upgraded my mission-critical environment ESXi to v9 (alpha) and I need to restore my critical VMs and VBR v12 won't see it! I can't believe that Veeam is distributing broken software!


(Yes, that was a joke.)
pirx
Veteran
Posts: 609
Liked: 89 times
Joined: Dec 20, 2015 6:24 pm
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by pirx » 1 person likes this post

mkretzer wrote: Jul 04, 2024 8:00 am And that will solve the denial of service issue? I think this might help with the other AD issue which for us is not so relevant...

Indeed, that is now a bad situation. The only way to avoid CVE-2024-37087 is update to 8.0U3. Which is not supported by Veeam.

3c. VMware vCenter denial-of-service vulnerability (CVE-2024-37087)
Description:
The vCenter Server contains a denial-of-service vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:
A malicious actor with network access to vCenter Server may create a denial-of-service condition.

Resolution:
To remediate CVE-2024-37087 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
None.
tyler.jurgens
Veeam Legend
Posts: 418
Liked: 243 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by tyler.jurgens » 3 people like this post

You can patch to ESXi 7.0 Update 3q to fix two of the three vulnerabilities listed here: https://support.broadcom.com/web/ecx/su ... es/0/24505 - which does fix the Denial of Service attack.

The other issue that has no patch planned for ESXi 7.x is fixed with this workaround here: https://knowledge.broadcom.com/external/article/369707/
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
mkretzer
Veeam Legend
Posts: 1209
Liked: 418 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by mkretzer »

If you already on ESX 8 (as we are because of newer EVC modes) you are out of luck......
mkretzer
Veeam Legend
Posts: 1209
Liked: 418 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by mkretzer »

Any news about this?
Mildur
Product Manager
Posts: 10099
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Mildur » 3 people like this post

Our target for supporting vSphere 8 Update 3 is V12.2 (Q3 2024).

Best,
Fabian
Product Management Analyst @ Veeam Software
OetiSaSwiss
Lurker
Posts: 1
Liked: 1 time
Joined: Jul 31, 2024 11:39 am
Full Name: Oetiker Sascha
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by OetiSaSwiss » 1 person likes this post

Like other users already stated here, its a security issue on vsphere 8.0 environement, so we had to upgrade to 8.03. so please VEEAM Quality-proof-departement - give this update a boost :-)
pmichelli
Expert
Posts: 106
Liked: 29 times
Joined: Mar 16, 2023 5:47 pm
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by pmichelli » 6 people like this post

The security problem only applies if you're foolish enough to join ESXi and vCenter to AD. Remove them from the domain and this CVE does not apply. It's also best security practice
JeroenL
Influencer
Posts: 21
Liked: 15 times
Joined: Feb 03, 2020 2:20 pm
Full Name: Jeroen Leeflang
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by JeroenL » 1 person likes this post

Or implement the advanced config updates and ESXi will no longer look at AD for the "ESX Admins" group.

The second security related item require local administrator rights to a VM with a snapshot attached. If you follow snap-shot best practices these will no longer exist than max 2 days. The worst this issue can cause is a vCenter DoS. Although this can also cause serious issues, it does not provide access with administrative permissions. The VMs running on the ESXi hosts should not be affected by a malfunctioning vCenter.

The third item requires network access to vCenter.
Here too, follow security best-practices! Create multiple security zone's (separated networks) to allow only required devices from connecting to your vulnerable management interfaces. Keep production and management as separated as possible and these issues have far less impact than they would have in non-segmented networks.
EdFromOhio
Novice
Posts: 7
Liked: 3 times
Joined: May 23, 2018 6:35 pm
Full Name: Ed Ellks
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by EdFromOhio »

Mildur wrote: Jul 29, 2024 8:58 am Our target for supporting vSphere 8 Update 3 is V12.2 (Q3 2024).
To more directly answer your question, it does give a warning that Veeam has not been tested with this version. But in practice, we haven't noticed any issues.
Gostev
Chief Product Officer
Posts: 31968
Liked: 7438 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by Gostev » 1 person likes this post

Update: vSphere 8 U3 testing is nearing its completion and barring any surprises with a few remaining tests, we now plan to declare official compatibility-level U3 support for with the current version 12.1.2. There will however be at least one known issue documented due to a change around vCLS VMs with U3, this will be addressed in version 12.2 for full vSphere 8 U3 support.

We will update this topic once QA gives a green light for 12.1.2
rdixon01
Enthusiast
Posts: 26
Liked: 2 times
Joined: Oct 09, 2013 2:30 pm
Full Name: Rick
Contact:

Re: vCenter 8.0 Update 3 is out. Does this need QA approval?

Post by rdixon01 »

When is Veeam B&R 12.2 expected to be released?
Post Reply

Who is online

Users browsing this forum: Semrush [Bot] and 32 guests