vCloud Networking and Security 5.5.4 Release Notes

vCloud Networking and Security 5.5.4 | 9 APRIL 2015 | Build 2504419

What's New

The vCloud Networking and Security 5.5.4 release contains improvements for all vCloud Networking and Security appliances. VMware recommends that you upgrade to this release.

POODLE Vulnerability Fixes

vCloud Networking and Security 5.5.4 includes updates to OpenSSL to address CVE-2014-3566 (the SSLv3 vulnerability known as "POODLE") and addresses several other CVEs. SSLv3 was not disabled for any internal network traffic, but administrators can disable SSLv3 on vShield Edge using an API. For more information, see the Resolved Issues section of this document.

VMware has chosen to defer the removal of SSLv3 on the API interface to allow customers and partners to test the change. We have seen API clients break in some cases where SSLv3 was hard-coded as the protocol. By deferring this change, we hope to keep customer deployments (and associated security infrastructure) up and running if accompanying changes are necessary.

Instructions for disabling SSLv3 support in browsers are available in published articles.

Compatibility with vSphere 6.0

vCloud Networking and Security 5.5.4 is compatible with vSphere 6.0. However, the new vSphere features introduced in vSphere 6.0 have not been tested with vCloud Networking and Security. These new vSphere features should not be used in environments where vCloud Networking and Security is installed as they are unsupported. For a list of specific vCloud Networking and Security limitations with respect to vSphere 6.0, see the VMware Knowledge Base article 2109120.

Upgrade Paths

You can upgrade to this release from versions 5.1.x and 5.5.x.

System Requirements and Installation

For information about system requirements and installation or upgrade instructions, see the vShield Installation and Upgrade Guide.

Known Issues

The known issues are grouped as follows:

Upgrade Issues

Issue 1375343: SSO cannot be reconfigured after upgrade
When the SSO server configured on vShield Manager is the one native on vCenter server, you cannot reconfigure SSO settings on vShield Manager after vCenter Server is upgraded to version 6.0 and vShield Manager is upgraded to version 5.5.4.
Workaround: None.

Issue 1369782: L2VPN tunnel breaks after upgrading L2VPN server to 5.5.4
If you upgrade vShield Manager and L2VPN server to 5.5.4 without upgrading L2VPN client, the L2VPN tunnel breaks. L2VPN clients below version 5.5.4 used to connect over SSLv2 or SSLv3, but these protocols are not supported in 5.5.4.
Workaround: Upgrade the L2VPN client to 5.5.4. The client can then connect to the server using the TLS protocol.

Issue 1396592: Versioned deployment spec needs to be updated to 6.0.x if using vCenter Server 6.0 and ESX 6.0
Partners that have NetX solutions registered with vCloud Networking and Security must update the registration to include a VersionedDeploymentSpec for 6.0.x with the corresponding OVF.
Workaround: If the base configuration is 5.5.x with vSphere 5.5 and the infrastructure is upgraded before upgrading vCloud Networking and Security, follow the steps below:

  1. Upgrade vSphere from 5.5 to 6.0.
  2. Add a versioned deployment specification for 6.0.x using the following API call:
    POST https://<vCNS-IP>/api/2.0/si/service/<service-id>/servicedeploymentspec/versioneddeploymentspec
  3. Update the service by using the following REST call:
    POST https://<vsm-ip>/api/2.0/si/service/config?action=update
  4. Resolve the EAM alarm by following the steps below:
    1. Click Home on vSphere Web Client.
    2. Click Administration.
    3. In Solution, select vCenter Server Extension.
    4. Click vSphere ESX Agent Manager and then click the Manage tab.
    5. On failed agency status, right click and select "Resolve All Issues".

Issue 1291731: vShield Endpoint upgrade or uninstall fails with error "vShield Endpoint installation encountered error while uninstalling vib: Internal server error"
vShield Endpoint upgrade or uninstall fails with this error. Uninstalling the vib from the ESXi command line also fails, with the following error:

 Error in running rm /tardisks/epsec-mu.v00:
 Return code: 1
 Output: rm: cannot remove '/tardisks/epsec-mu.v00': Device or resource busy

 It is not safe to continue. Please reboot the host immediately to
 discard the unfinished update. Please refer to the log file for more

Workaround: Follow the steps below:
  1. Log in to the ESXi CLI.
  2. In the /bootbank/boot.cfg file, move the entry epsec-mu.v00 after the entry sb.v00.
    The module entries in boot.cfg are separated by --- delimiters, so after the change the entries should look like sb.v00 --- epsec-mu.v00.
  3. Save the /bootbank/boot.cfg file.
  4. Put the host into maintenance mode and then reboot it from the vCenter Server web client.
  5. Install or upgrade vShield Endpoint.

General Issues

Issue 1411125: Unable to power on guest virtual machine
When you power on a guest virtual machine, the error "All required agent virtual machines are not currently deployed" may be displayed.
Workaround: Follow the steps below:

  1. Click Home on vSphere Web Client.
  2. Click Administration.
  3. In Solution, select vCenter Server Extension.
  4. Click vSphere ESX Agent Manager and then click the Manage tab.
  5. Click Resolve.

Issue 1341573: User IDs longer than 7 East Asian characters or longer than 10 European characters cannot log in to SSL VPN portal
If a user ID's length is greater than 63 characters (for ASCII or non-ASCII characters) when creating the SSL VPN Plus user, the error "user ID length exceeded the maximum character limit" is displayed. User IDs of fewer than 63 characters are accepted and the user is created.
Workaround: VMware recommends creating SSL VPN Plus user IDs with ASCII characters only. If your user IDs must include non-ASCII characters, make sure each user name contains no more than 7 East Asian characters or no more than 10 Latin characters with diacritical marks.

Issue 1311302: If a vNIC is included in a security group that is connected to a network and the associated virtual machine is moved to another network, the security group cannot be edited through the UI and the vNIC continues to be a member of the security group
Workaround: Remove the vNIC from the security group using the following REST call:
DELETE https://<vsm-ip>/api/2.0/services/securitygroup/<securityGroupId>/members/<vNicId>
You can then edit the security group on the UI.

Issue 1303665: Preparing cluster for VXLAN causes ESXi to report loss of network connectivity on vSwitch
Preparing a cluster for VXLAN causes a temporary loss of connectivity when the NIC driver is uninstalled and reinstalled to enable RSS on the VXLAN-enabled cluster. This issue occurs only when using Intel ixgbe drivers.
Workaround: None.

Issue 1056970: Cannot log in to vShield Manager if user name includes CJK or High-ASCII characters
Workaround: Set the browser encoding to UTF-8.

vShield Manager Issues

Issue 1405582 / 1310034: SSL VPN remote user cannot change AD user credentials
When SSL VPN is authenticated through Active Directory, users can use their domain credentials to log in to SSL VPN and access a corporate (private) network. A user who is located remotely cannot change the AD password.
Workaround: There is no specific workaround in the SSL VPN configuration. The administrator should provide an external utility for changing the AD password.

Issue 1303278: The Grouping page loads slowly when there are more than 1100 MAC Sets and may show overlapping row entries
If there are too many MAC Sets (for example, 1100+) on vShield Manager, the Grouping page loads slowly and the MAC Set row entries overlap with other entries, making them unreadable. Adding a new MAC Set takes a longer time.
Workaround: Keep the number of MAC Set entries in a security group below 1100.

Issue 1301688: When configuring Lookup Service on NSX Manager, cannot use backslash between domain and user name
Workaround: Use @ instead of backslash between user name and domain. For example, type user@domain instead of domain\user.

Issue 1161237: "Invalid Data Format" error displayed when creating a service
While adding/creating a service, you may get an "Invalid Data Format" error if you enter more than 15 ports to the service.
Workaround: If the service has more than 15 ports, create multiple services.

Issue 1161214: User must log out to view modified or added role
When a user adds or modifies their role while logged into a session, the session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.

vShield App Issues

Issue 1197810: Cannot add firewall rule from Flow Monitoring table after reverting to an older firewall configuration
After you load an older firewall configuration, you cannot add a rule from the Flow Monitoring table. This is because the rule for which the flow was detected may no longer be part of the current firewall configuration.
Workaround: None.

Issue 967277: If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See the VMware Knowledge Base article 'Update link not available during vShield App upgrade'.

Issue 1089671: Firewall rules with source/destination as virtual wire are not applied if a new VM is added to an existing virtual wire
If pre-configured firewall rules contain a virtual wire in the source or destination, those rules are not applied to a new VM added to that virtual wire.
Workaround: After adding the new VM to the virtual wire, republish the firewall configuration on that virtual wire.

vShield Edge Issues

Issue 1405586 / 1311273: SSL VPN portal login screen is blank
One of the JavaScript files used by the SSL VPN portal gets corrupted on vShield Edge. This causes portal page rendering to fail.
Workaround: Re-deploy the vShield Edge when this issue is seen.

Issue 1165472: Cannot create CSR/Certificate if vShield Manager is upgraded to 5.1.3 and Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and Edge is of a lower version, you cannot create a CSR of size 512/1024 bit.
Workaround: None.

Service Insertion Issues

Issue 1062057: Unable to bind service profile to network
Cannot bind a service profile to any available network.
Workaround: Reboot vShield Manager.

Data Security Issues

Issue 1291748: While specifying file filters for Data Security scan, cannot select Last Modified Date from calendar
While trying to select the Before date for running a Data Security scan, the calendar is grayed out.
Workaround: In your browser, change Language Preferences to en-US and then select the date in the Before field.

Resolved Issues

The following issues have been resolved in the 5.5.4 release:

Issue 1343847 / 1343842 / 1362763: Fixes to address CVE-2014-3566 "POODLE" vulnerability
This fix includes two changes that address the CVE-2014-3566 vulnerability (the SSLv3 vulnerability known as "POODLE"):

  • An update of the vShield Edge system SSL library to OpenSSL 0.9.8zc; and
  • An updated API method that allows administrators to address the POODLE vulnerability on vShield Edge.

Using this API method, you can disable SSLv3 support on specific vShield Edges in your environment. To do this, use the sslVersionList parameter in the following API call to whitelist the desired SSL version(s) on an NSX Edge.

API Method:

POST https://<vsm-ip>/api/3.0/edges/<edge-id>/sslvpn/config/server/

Example request body:

In this example, we enable SSLv3, TLSv1, TLSv1_2, and TLSv1_1:

   <ip>SSLVPN-Server IP</ip>

If the sslVersionList parameter is blank, all SSL versions listed in the above example are whitelisted.
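
As an added verification example (not part of VMware's release notes): after publishing a server configuration whose sslVersionList omits SSLV3, confirm from a client that the Edge's SSL VPN listener now refuses an SSLv3 handshake but still accepts TLS. The script sends a minimal ClientHello at each record version and classifies the first record sent back; the host name, port 443 and the three cipher suites offered are assumptions.

```python
import socket
import struct

# Record/handshake version bytes for each value sslVersionList can carry
# (SSLV3 = 3.0, TLSV1 = 3.1, TLSV1_1 = 3.2, TLSV1_2 = 3.3).
VERSIONS = {"SSLV3": (3, 0), "TLSV1": (3, 1), "TLSV1_1": (3, 2), "TLSV1_2": (3, 3)}

# Assumption: CBC suites an SSLv3-era listener would accept
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A]


def build_client_hello(major, minor):
    """Build a minimal ClientHello record with record and handshake version (major, minor)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!BB", major, minor)          # client_version
    body += b"\x00" * 32                             # random (fixed; probe only)
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites
    body += b"\x01\x00"                              # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + struct.pack("!BBH", major, minor, len(handshake)) + handshake


def classify_response(data):
    """'accepted' = Handshake record carrying a ServerHello (version negotiated);
    'rejected' = Alert record (e.g. protocol_version) or silent close;
    'unknown'  = too few bytes or an unexpected content type."""
    if not data:
        return "rejected"
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x16 and data[5] == 0x02:
        return "accepted"
    if data[0] == 0x15:
        return "rejected"
    return "unknown"


def probe(host, port, version_name, timeout=5.0):
    """Connect, send a ClientHello at version_name, and classify the reply."""
    major, minor = VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(major, minor))
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"


if __name__ == "__main__":
    for name in VERSIONS:  # assumed target: the Edge's SSL VPN listener address
        print(name, probe("sslvpn.example.invalid", 443, name))
```

Expected after the fix is applied: SSLV3 reports "rejected" while the TLS versions you kept in sslVersionList report "accepted".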

Issue 1405907: Newly deployed VMs are blocked by the vShield App from connecting to the internet or to each other
Newly deployed VMs lose connectivity even though the App Firewall default any/any/any allow rule should permit the traffic to pass.

Issue 1406457: vCloud vShield Edge Devices lose network backing and become unmanageable
vShield Manager does a periodic health check by sending parallel VIX requests. If the health check fails to receive sufficient responses within its timeout window (default is 2 minutes), the VIX agent is restarted. On VIX restart, the VIX agent reconnects to each Edge VM and retries the health check. In this error condition, the health check module was observed to repeatedly declare a timeout because it did not receive the new health check responses in a timely manner.

Issue 1406456: Calendar cannot be selected on DLP field
Calendar cannot be selected on "Before" field after selecting date from "After" field.

Issue 1406453 / 1070011: Adding vNICs failed in NSX Manager when vCenter Server was upgraded from 5.1 to 5.5
Adding vNICs failed because NSX Manager was incorrectly using vmodl API version 8 to talk to vCenter Server instead of version 9. This was happening because there was no provision in NSX Manager to handle version change dynamically when vCenter Server was upgraded from 5.1 to 5.5. See the VMware Knowledge Base article, 2085044.

Issue 1405910 / 1334068: Some vApp Networks with white space characters fail to create correctly
With trailing white spaces in the virtual wire name, the generated portgroup name may also have trailing spaces, and these are in turn removed by vCenter Server. Depending on the vCloud Networking and Security release, vShield Manager may end up with a virtual wire without the system_resource flag set or may have errors in the creation of virtual wire itself.

Issue 1405909: SSL VPN “Portal Customization” logo and color changes do not reflect on portal
In SSL VPN Portal Customization, the change in the logo background is not reflected on the portal. In the logo background html table, instead of color, the background image is used. The default background color needs to be set as the same color as the image.

Issue 1285954: vShield Edge drops RST packet
An extra condition was added to vShield Edge that allows an RST when the client and server go out of sync. An RST from the client is now allowed if its sequence number matches the previous ACK from the server, even though that ACK belongs to an older connection.

Issue 1308591: Cannot modify an SSL VPN-Plus installation package
Editing an SSL VPN-Plus installation package does not apply changes to the package.

Issue 1268933: Host Name for DHCP binding cannot include CJK or high-ASCII strings
If the Host Name field in the DHCP Bindings window includes CJK or high-ASCII strings, publishing the binding results in an error.

Revision History

Revisions to this document:

  • Originally published 12 March, 2015.
  • Revision 1: 6 April, 2015. Added notes on POODLE vulnerability fix.