VMware

vCloud Networking and Security 5.5.3.1 Release Notes

vCloud Networking and Security 5.5.3.1 | 03 OCT 2014 | Build 2175697

What's in the Release Notes

The release notes cover the following topics:

  • What's New
  • System Requirements and Installation
  • Known Issues
  • Resolved Issues

What's New

The vCloud Networking and Security 5.5.3.1 release contains patches for all vCloud Networking and Security appliances. These patches address the BASH Shellshock security vulnerability. VMware recommends that you upgrade to this release.

You can upgrade to this release from versions 5.1.x, 5.1.4.x, and 5.5.x.

System Requirements and Installation

For information about system requirements and installation or upgrade instructions, see the vShield Installation and Upgrade Guide.

Known Issues

The known issues are grouped as follows:

  • Upgrade Issues
  • General Issues
  • vShield Manager Issues
  • vShield App Issues
  • vShield Edge Issues
  • Service Insertion Issues
  • Data Security Issues
  • Service Composer Issues

Upgrade Issues

vShield Endpoint upgrade or uninstall fails with error "vShield Endpoint installation encountered error while uninstalling vib: Internal server error"
The vShield Endpoint upgrade or uninstall fails with the error above. Uninstalling the VIB from the ESXi command line also fails, with the following error:
[InstallationError]
Error in running rm /tardisks/epsec-mu.v00:
Return code: 1
Output: rm: can't remove '/tardisks/epsec-mu.v00': Device or resource busy
It is not safe to continue. Please reboot the host immediately to discard the unfinished update. Please refer to the log file for more details.

Workaround: Follow the steps below.

  1. Log in to the ESXi CLI.
  2. In the /bootbank/boot.cfg file, move the entry epsec-mu.v00 after the entry sb.v00.
    The module entries in the boot.cfg have --- delimiters. So after the change, the entries should look like sb.v00 --- epsec-mu.v00.
  3. Save the /bootbank/boot.cfg file.
  4. Put the host into maintenance mode and then reboot it from the vCenter Web Client.
  5. Install/upgrade vShield Endpoint.
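Step 2 of the workaround above is a hand edit of a single long, " --- "-delimited line and is easy to get wrong. The following added example (not part of the VMware release notes) does the same reordering with POSIX sh and awk, which the ESXi busybox shell provides; it moves epsec-mu.v00 directly after sb.v00, leaves the line unchanged if either entry is missing, and keeps a .bak copy of boot.cfg when editing the file. The sample modules line is constructed and shortened.

```shell
#!/bin/sh
# Added example, not VMware code. Reorders the modules= line of an ESXi
# /bootbank/boot.cfg so that epsec-mu.v00 sits immediately after sb.v00.

# reorder_modules LINE: print LINE with epsec-mu.v00 moved directly after sb.v00.
# If either entry is absent the line is printed unchanged; the operation is idempotent.
reorder_modules() {
    printf '%s\n' "$1" | awk '
    BEGIN { FS = " --- "; OFS = " --- " }
    {
        key = ""
        if (sub(/^modules=/, "")) key = "modules="   # keep the key, work on the entries
        n = split($0, ent, FS)
        has_sb = 0; has_ep = 0
        for (i = 1; i <= n; i++) {
            if (ent[i] == "sb.v00") has_sb = 1
            if (ent[i] == "epsec-mu.v00") has_ep = 1
        }
        if (!has_sb || !has_ep) { print key $0; next }   # nothing to reorder
        out = ""
        for (i = 1; i <= n; i++) {
            if (ent[i] == "epsec-mu.v00") continue     # drop it from its old position
            out = (out == "" ? ent[i] : out OFS ent[i])
            if (ent[i] == "sb.v00") out = out OFS "epsec-mu.v00"   # reinsert after sb.v00
        }
        print key out
    }'
}

# reorder_boot_cfg FILE: rewrite FILE with its modules= line fixed, keeping FILE.bak.
reorder_boot_cfg() {
    cfg=$1
    cp "$cfg" "$cfg.bak" || return 1
    : > "$cfg.tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            modules=*) reorder_modules "$line" >> "$cfg.tmp" ;;
            *)         printf '%s\n' "$line" >> "$cfg.tmp" ;;
        esac
    done < "$cfg.bak"
    mv "$cfg.tmp" "$cfg"
}

# Constructed, shortened sample: epsec-mu.v00 is wrongly placed before sb.v00.
SAMPLE_MODULES='modules=b.b00 --- jumpstrt.gz --- k.b00 --- epsec-mu.v00 --- user.b00 --- sb.v00 --- s.v00 --- state.tgz'
```

Run reorder_boot_cfg /bootbank/boot.cfg on the host, confirm the modules= line now reads "... sb.v00 --- epsec-mu.v00 ...", then continue with steps 3 to 5.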

General Issues

If a vNIC is included in a security group that is created on a network and the associated virtual machine is moved to another network, the security group cannot be edited through the UI and the vNIC continues to be a member of the security group
Workaround: Remove the vNIC from the security group using the following REST call:
DELETE https://<vsm-ip>/api/2.0/services/securitygroup/<securityGroupId>/members/<vNicId>
You can then edit the security group on the UI.

Preparing cluster for VXLAN causes ESXi to report loss of network connectivity on vSwitch
Preparing a cluster for VXLAN causes a temporary loss of connectivity when the NIC driver is uninstalled and reinstalled to enable RSS on the VXLAN-enabled cluster. This issue occurs only when using Intel ixgbe drivers.
Workaround: None.

Cannot log in to vShield Manager if the user name includes CJK or high-ASCII characters
Workaround: Set the browser encoding to UTF-8.

SVM deployment on physical ESXi 5.x fails if nested ESX support is enabled on the physical host
If nested ESX support is enabled on the physical host, a virtualized Intel VT/EPT error is displayed for the vShield SVM.
Workaround: None.

Data is not backed up if specified backup directory does not exist
If you specify an invalid directory while backing up vShield Manager data, the backup file is not created.
Workaround: Ensure that the backup directory exists on the FTP server.

vShield Manager Issues

When configuring Lookup Service on vShield Manager, cannot use backslash between domain and user name
Workaround: Use @ instead of backslash between user name and domain. For example, type user@domain instead of domain\user.

"Invalid Data Format" error displayed in spite of ports being entered in correct format
While adding or creating a service, you may get an "Invalid Data Format" error even though the ports are entered in the correct format. This can happen when the number of ports entered exceeds the maximum of 15 ports per service.
Workaround: If the service has more than 15 ports, create multiple services.

User must logout to view modified or added role
When a user adds or modifies his/her role while logged into a session, the session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.

vShield App Issues

Cannot add firewall rule from Flow Monitoring table after reverting to an older firewall configuration
After you load an older firewall configuration, you cannot add a rule from the Flow Monitoring table. This is because the rule for which the flow was detected may no longer be part of the current firewall configuration.
Workaround: None.

If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See the known issue "Update link not available during vShield App upgrade".

Firewall rules with a virtual wire as source/destination do not get applied when a new VM is added to an existing virtual wire
If pre-configured firewall rules contain a virtual wire as source/destination, those rules do not get applied to a new VM added to that virtual wire.
Workaround: After adding the new VM to the virtual wire, republish the firewall configuration on that virtual wire.

vShield Edge Issues

Cannot modify an SSL VPN-Plus installation package
Editing an SSL VPN-Plus installation package does not apply changes to the package.
Workaround: Follow the steps below:

  1. Delete the installation package instead of editing it and create a new installation package with modified parameters.
  2. If you have an SSL VPN client on your computer, delete it.
  3. Reboot the computer.
  4. Install the new installation package.

Host Name for DHCP binding cannot include CJK or high-ASCII strings
If the Host Name field in the DHCP Bindings window includes CJK or high-ASCII strings, publishing the binding results in an error.
Workaround: Enter ASCII characters in the Host Name field.

Cannot create CSR/Certificate if vShield Manager is upgraded to 5.1.3 and Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and Edge is on a lower version, you cannot create a CSR with a 512- or 1024-bit key size.
Workaround: None.

Service Insertion Issues

Unable to bind service profile to network
Cannot bind a service profile to any available network.
Workaround: Reboot vShield Manager.

Data Security Issues

While specifying file filters for Data Security scan, cannot select Last Modified Date from calendar
While trying to select the Before date for running a Data Security scan, the calendar is grayed out.
Workaround: In your browser, change Language Preferences to en-US and then select the date in the Before field.

Service Composer Issues

Security policy name can include a total of 229 characters
Workaround: None.

Resolved Issues

The following issues have been resolved in the 5.5.3.1 release.

  • vCloud Networking and Security appliances vulnerable to BASH Shellshock security vulnerability
    This patch updates Bash libraries in the vCloud Networking and Security appliances to resolve multiple critical security issues, commonly referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 to these issues.
    To address this vulnerability, you must upgrade all vCNS components. To upgrade, follow the instructions in the vShield Installation and Upgrade Guide.

The following issue has been resolved in the 5.5.3 release.

  • Password change for SSL user does not work
    If you have vShield Manager 5.5.1 and vShield Edge 5.5.0 in your environment, the Change password on next login option does not change the password for a user.