VMware

vCloud Networking and Security 5.5.4.1 Release Notes

vCloud Networking and Security 5.5.4.1 | 30 APR 2015 | Build 2673026

What's in the Release Notes

The release notes cover the following topics:

  • What's New
  • System Requirements and Installation
  • Upgrade Instructions
  • Known Issues
  • Resolved Issues

What's New

This release completes a series of fixes that address the Skip-TLS (CVE-2014-6593), FREAK (CVE-2015-0204), and POODLE (CVE-2014-3566) vulnerabilities, along with fixes for other issues; see the Resolved Issues section of this document. Check that any third-party components (such as third-party partner solutions) support the updated JRE and OpenSSL versions used in vCNS. For details see:

System Requirements and Installation

For information about system requirements and installation or upgrade instructions, see the vShield Installation and Upgrade Guide.

Upgrade Instructions

Follow the steps below to upgrade:

  1. Upgrade to vCloud Networking and Security version 5.5.4.1. See the vShield Installation and Upgrade Guide.
  2. If you wish to switch to the vmxnet3 driver from e1000 in order to apply the fix for Known Issue 1429432, follow the instructions in VMware Knowledge Base article 2114813.

Known Issues

The known issues are grouped as follows:

Upgrade Issues

Issue 1375343: SSO cannot be reconfigured after upgrade
When the SSO server configured on vShield Manager is the SSO service embedded in vCenter Server, you cannot reconfigure the SSO settings on vShield Manager after vCenter Server is upgraded to version 6.0 and vShield Manager is upgraded to version 5.5.4.
Workaround: None.

Issue 1369782: L2VPN tunnel breaks after upgrading L2VPN server to 5.5.4
If you upgrade vShield Manager and L2VPN server to 5.5.4 without upgrading L2VPN client, the L2VPN tunnel breaks. L2VPN clients below version 5.5.4 used to connect over SSLv2 or SSLv3, but these protocols are not supported in 5.5.4.
Workaround: Upgrade the L2VPN client to 5.5.4. The client can then connect to the server using the TLS protocol.

Issue 1396592: Versioned deployment spec must be updated to 6.0.x when using vCenter Server 6.0 and ESXi 6.0
Partners that have NetX solutions registered with vCloud Networking and Security must update the registration to include a VersionedDeploymentSpec for 6.0.x with the corresponding OVF.
Workaround: If the base configuration is 5.5.x with vSphere 5.5 and the infrastructure is upgraded before vCloud Networking and Security, follow the steps below:

  1. Upgrade vSphere from 5.5 to 6.0.
  2. Add a versioned deployment specification for 6.0.x using the following API call (the ovfUrl below is the example from the original notes; substitute the location of the partner OVF):
    POST https://<vsm-ip>/api/2.0/si/service/<service-id>/servicedeploymentspec/versioneddeploymentspec
    <versionedDeploymentSpec>
      <hostVersion>6.0.x</hostVersion>
      <ovfUrl>http://engweb.eng.vmware.com/~netfvt/ovf/Rhel6-32bit-6.1svm/Rhel6-32bit-6.1svm.ovf</ovfUrl>
      <vmciEnabled>true</vmciEnabled>
    </versionedDeploymentSpec>
  3. Update the service by using the following REST call:
    POST https://<vsm-ip>/api/2.0/si/service/config?action=update
  4. Resolve the EAM alarm by following the steps below:
    1. Click Home on vSphere Web Client.
    2. Click Administration.
    3. In Solution, select vCenter Server Extension.
    4. Click vSphere ESX Agent Manager and then click the Manage tab.
    5. On failed agency status, right click and select "Resolve All Issues".
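
The two REST calls in steps 2 and 3 above, wrapped in a small shell helper so the request can be reviewed before it is sent. This is an added example, not code from VMware or from the release notes. It assumes, beyond what the notes state, that the vShield Manager API accepts HTTP basic authentication with credentials kept in ~/.netrc, that the manager's certificate has been exported to VSM_CACERT so it can be pinned instead of using curl -k, and that VSM_HOST, the service id and the OVF URL are placeholders you replace. The helper refuses a plain-http ovfUrl by default: EAM downloads that OVF to build the service VM, so a cleartext source lets anyone on the path substitute the image.

```shell
#!/bin/sh
# Added example, not VMware's own code: the two vShield Manager REST calls from
# the Issue 1396592 workaround, wrapped in curl so they can be reviewed
# (VSM_DRY_RUN=1) before anything is sent. Assumptions that are not in the
# release notes: the manager's API accepts HTTP basic auth, the credentials
# are in ~/.netrc ("machine <vsm-host> login admin password ..."), and the
# manager's certificate has been exported to VSM_CACERT for pinning.

VSM_HOST="${VSM_HOST:-vsm.example.invalid}"         # placeholder manager host
VSM_CACERT="${VSM_CACERT:-$HOME/vsm-cert.pem}"      # exported VSM certificate

# Escape XML metacharacters so an OVF URL containing "&" can neither break
# nor inject into the request body.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&apos;/g'
}

# Body for step 2. EAM downloads this OVF to build the service VM, so a plain
# http:// source lets anyone on the path substitute the image; refuse it
# unless ALLOW_HTTP_OVF=1 is set deliberately.
vds_body() {  # HOST_VERSION OVF_URL [VMCI_ENABLED]
    case "$2" in
        https://*) ;;
        *) [ "${ALLOW_HTTP_OVF:-0}" = "1" ] || { echo "refusing non-https ovfUrl: $2" >&2; return 1; } ;;
    esac
    printf '<versionedDeploymentSpec>\n  <hostVersion>%s</hostVersion>\n  <ovfUrl>%s</ovfUrl>\n  <vmciEnabled>%s</vmciEnabled>\n</versionedDeploymentSpec>\n' \
        "$(xml_escape "$1")" "$(xml_escape "$2")" "${3:-true}"
}

# vsm_api METHOD PATH [BODY]: one curl call against https://$VSM_HOST$PATH.
# --cacert rather than -k, so a spoofed manager cannot collect the credentials;
# --netrc keeps the password out of argv and out of the dry-run output.
vsm_api() {
    method="$1"; path="$2"; body="${3:-}"
    set -- curl --silent --show-error --fail --netrc --cacert "$VSM_CACERT" \
        -X "$method" -H 'Content-Type: application/xml' "https://$VSM_HOST$path"
    [ -n "$body" ] && set -- "$@" --data-binary "$body"
    if [ "${VSM_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: register the 6.0.x spec for one service.
add_versioned_spec() {  # SERVICE_ID HOST_VERSION OVF_URL
    body="$(vds_body "$2" "$3")" || return 1
    vsm_api POST "/api/2.0/si/service/$1/servicedeploymentspec/versioneddeploymentspec" "$body"
}

# Step 3: push the service configuration; CONFIG_XML_FILE holds the service's
# configuration document (the notes show only the endpoint, not the body).
update_service_config() {  # CONFIG_XML_FILE
    vsm_api POST "/api/2.0/si/service/config?action=update" "@$1"
}

# Dry run with a placeholder service id and OVF location.
( VSM_DRY_RUN=1; add_versioned_spec service-1 6.0.x https://ovf.example.invalid/svm/svm.ovf )
```

Run it with VSM_DRY_RUN=1 first and confirm the printed curl line carries --cacert and no -k; then export VSM_HOST and VSM_CACERT for the real manager and call add_versioned_spec and update_service_config in that order, before resolving the EAM alarm in step 4.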

Issue 1291731: vShield Endpoint upgrade or uninstall fails with the error "vShield Endpoint installation encountered error while uninstalling vib: Internal server error"
The vShield Endpoint upgrade or uninstall fails with this error. Uninstalling the VIB from the ESXi command line also fails, with the following output:

    [InstallationError]
    Error in running rm /tardisks/epsec-mu.v00:
    Return code: 1
    Output: rm: cannot remove '/tardisks/epsec-mu.v00': Device or resource busy
    It is not safe to continue. Please reboot the host immediately to discard the unfinished update. Please refer to the log file for more details.

Workaround: Follow the steps below:

  1. Log into ESXi cli.
  2. Back up /bootbank/boot.cfg, then move the entry epsec-mu.v00 in its modules= line so that it comes after the entry sb.v00.
    Entries in that line are separated by --- delimiters, so after the change the sequence should read sb.v00 --- epsec-mu.v00.
  3. Save the /bootbank/boot.cfg file.
  4. Put the host into maintenance mode and then reboot it from the vCenter Server web client.
  5. Install/upgrade vShield Endpoint.
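
Step 2 of the workaround done by script rather than by hand, as an added example that is not part of the release notes or of VMware's tooling. It rewrites the modules= line of a boot.cfg, keeps a .bak copy, and refuses to touch a file that has no sb.v00 anchor or no epsec-mu.v00 entry (dropping a module from the boot list would leave the host unbootable). The sample boot.cfg at the bottom is constructed for the demonstration, not taken from a real host; run the function against /bootbank/boot.cfg on the ESXi shell (busybox ash and awk) with the host already in maintenance mode.

```shell
#!/bin/sh
# Added example, not from VMware: applies the Issue 1291731 workaround to an
# ESXi boot.cfg by moving epsec-mu.v00 directly after sb.v00 in the modules=
# line. Refuses to change a file where either entry is missing, and leaves a
# .bak copy next to the original. POSIX sh + awk only, so it runs on ESXi.

reorder_modules() {  # BOOT_CFG
    cfg="$1"
    awk '
    /^modules=/ {
        line = substr($0, 9)                  # text after "modules="
        n = split(line, m, / --- /)
        out = ""; have_sb = 0; have_ep = 0
        for (i = 1; i <= n; i++) {
            if (m[i] == "epsec-mu.v00") { have_ep = 1; continue }   # lift it out
            out = (out == "") ? m[i] : out " --- " m[i]
            if (m[i] == "sb.v00") { have_sb = 1; out = out " --- epsec-mu.v00" }
        }
        if (!have_sb || !have_ep) { bad = 1; print $0; next }        # keep as-is
        print "modules=" out
        next
    }
    { print }
    END { if (bad) exit 2 }
    ' "$cfg" > "$cfg.tmp" || { rm -f "$cfg.tmp"; echo "sb.v00 or epsec-mu.v00 not found; $cfg unchanged" >&2; return 1; }
    cp "$cfg" "$cfg.bak" && mv "$cfg.tmp" "$cfg"
}

# Print the module list of a boot.cfg, for a before/after check.
modules_line() {  # BOOT_CFG
    sed -n 's/^modules=//p' "$1"
}

# Constructed sample standing in for /bootbank/boot.cfg (not a real host's file).
demo="$(mktemp -d)/boot.cfg"
cat > "$demo" <<'EOF'
bootstate=0
title=Loading VMware ESXi
kernel=b.b00
kernelopt=
modules=jumpstrt.gz --- useropts.gz --- k.b00 --- epsec-mu.v00 --- chardevs.b00 --- user.b00 --- sb.v00 --- s.v00
EOF
echo "before: $(modules_line "$demo")"
reorder_modules "$demo" && echo "after:  $(modules_line "$demo")"
```

Running it twice is a no-op, so it is safe to re-run after a failed attempt; compare modules_line output against the .bak copy before rebooting the host.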

General Issues

Issue 1411125: Unable to power on guest virtual machine
When you power on a guest virtual machine, the error "All required agent virtual machines are not currently deployed" may be displayed.
Workaround: Follow the steps below:

  1. Click Home on vSphere Web Client.
  2. Click Administration.
  3. In Solution, select vCenter Server Extension.
  4. Click vSphere ESX Agent Manager and then click the Manage tab.
  5. Click Resolve.

Issue 1341573: User IDs longer than 7 East Asian characters or longer than 10 European characters cannot log in to the SSL VPN portal
If a user ID is longer than 63 characters (ASCII or non-ASCII) when you create the SSL VPN Plus user, the error "user ID length exceeded the maximum character limit" is displayed. User IDs shorter than 63 characters are accepted and the user is created.
Workaround: VMware recommends creating SSL VPN Plus user IDs with ASCII characters only. If user IDs must include non-ASCII characters, make sure each user name contains no more than 7 East Asian characters or no more than 10 Latin characters with diacritical marks.

Issue 1311302: If a vNIC is included in a security group that is connected to a network and the associated virtual machine is moved to another network, the security group cannot be edited through the UI and the vNIC continues to be a member of the security group
Workaround: Remove the vNIC from the security group using the following REST call:
    DELETE https://<vsm-ip>/api/2.0/services/securitygroup/<securityGroupId>/members/<vNicId>
You can then edit the security group on the UI.

Issue 1303665: Preparing cluster for VXLAN causes ESXi to report loss of network connectivity on vSwitch
Preparing a cluster for VXLAN causes a temporary loss of connectivity when the NIC driver is uninstalled and reinstalled to enable RSS on the VXLAN-enabled cluster. This issue occurs only when using Intel ixgbe drivers.
Workaround: None.

Issue 1056970: Cannot login to vShield Manager if user name includes CJK or High-ASCII characters
Workaround: Set the browser encoding to UTF-8.

vShield Manager Issues

Issue 1405582 / 1310034: SSL VPN remote users cannot change their AD credentials
When SSL VPN authenticates against Active Directory, users log in to SSL VPN with their domain credentials to reach the corporate (private) network. A remote user cannot change the AD password through SSL VPN.
Workaround: There is no workaround within the SSL VPN configuration. The administrator should provide a separate utility for changing the AD password.

Issue 1303278: The Grouping page loads slowly when there are more than 1100 MAC Sets and may show overlapping row entries
If there are too many MAC Sets (for example, more than 1100) on vShield Manager, the Grouping page loads slowly and MAC Set rows overlap other rows, making them unreadable. Adding a new MAC Set also takes longer.
Workaround: Keep the number of MAC Set entries in a security group below 1100.

Issue 1301688: When configuring Lookup Service on vShield Manager, cannot use a backslash between domain and user name
Workaround: Use @ instead of backslash between user name and domain. For example, type user@domain instead of domain\user.

Issue 1161237: "Invalid Data Format" error displayed when creating a service
While adding/creating a service, you may get an "Invalid Data Format" error if you enter more than 15 ports to the service.
Workaround: If the service has more than 15 ports, create multiple services.

Issue 1161214: User must logout to view modified or added role
When a user adds or modifies their own role while logged in, the current session does not reflect the role change.
Workaround: Log out and then log back in to view updated role assignments.

vShield App Issues

Issue 1197810: Cannot add firewall rule from Flow Monitoring table after reverting to an older firewall configuration
After you load an older firewall configuration, you cannot add a rule from the Flow Monitoring table. This is because the rule for which the flow was detected may no longer be part of the current firewall configuration.
Workaround: None.

Issue 967277: If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See the VMware Knowledge Base article 'Update link not available during vShield App upgrade'.

Issue 1089671: Firewall rules with a virtual wire as source/destination are not applied when a new VM is added to an existing virtual wire
If pre-configured firewall rules contain a virtual wire in the source or destination, those rules are not applied to a new VM added to that virtual wire.
Workaround: After adding the new VM to the virtual wire, republish the firewall configuration on that virtual wire.

vShield Edge Issues

Issue 1405586 / 1311273: SSL VPN portal login screen is blank.
One of the JavaScript files used by the SSL VPN portal becomes corrupted on the vShield Edge, so the portal page fails to render.
Workaround: Re-deploy the vShield Edge when this issue is seen.

Issue 1165472: Cannot create a CSR or certificate when vShield Manager has been upgraded to 5.1.3 and the Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and the Edge is on a lower version, you cannot create a CSR with a 512-bit or 1024-bit key.
Workaround: None. Note that 512-bit RSA is the export-grade key size the FREAK fix in this release is meant to keep out of use, and 1024-bit keys are below current minimum recommendations, so prefer a 2048-bit key when generating CSRs in any case.

Service Insertion Issues

Issue 1062057: Unable to bind service profile to network
Cannot bind a service profile to any available network.
Workaround: Reboot vShield Manager.

Data Security Issues

Issue 1291748: While specifying file filters for Data Security scan, cannot select Last Modified Date from calendar
While trying to select the Before date for running a Data Security scan, the calendar is grayed out.
Workaround: In your browser, change Language Preferences to en-US and then select the date in the Before field.

Resolved Issues

The following issues have been resolved in the 5.5.4.1 release:

Fixed Issue 1414763: vShield SSL VPN client kernel extension is not code-signed on an OS X Yosemite client
Starting with Yosemite, OS X validates the code signature of every kernel extension (kext) it loads. The SSL VPN client's kext was not signed, so it was not loaded and the client failed to operate.

Fixed Issue 1429432: Multi-Machine Blueprint deployment fails when vShield Manager becomes non-responsive
Multi-Machine Blueprint deployment fails when vShield Manager is unable to recognize the vmxnet3 adapter, and vShield Manager remains non-responsive when this occurs. This fix replaces the e1000 network adapter of the vCNS Manager appliance with a vmxnet3 adapter. In new installations of vCNS 5.5.4.1 and later, the fix is applied automatically. If you are upgrading to vCNS 5.5.4.1 or later, you must apply the fix manually as explained in VMware Knowledge Base article 2114813.

Fixed Issue 1424601: Fixes to address the CVE-2014-6593 "Skip-TLS" and CVE-2015-0204 "FREAK" vulnerabilities
Both issues come from the SMACK (State Machine AttaCKs) research into TLS state-machine bugs. FREAK affects OpenSSL-based clients: a man-in-the-middle can trick such a client into accepting an export-grade (512-bit) RSA key from a server that still offers RSA_EXPORT cipher suites, so both the client library and the servers' cipher suite lists matter. The SSL VPN clients have been updated with OpenSSL version 0.9.8zd to address this, and OpenSSL on the vShield Edge has been updated to version 0.9.8zd as well. The Oracle (Sun) JRE package is updated to 1.7.0_75 (version 1.7.0 update 75), because Skip-TLS affected Java versions prior to update 75; Oracle documents the CVE identifiers addressed in JRE 1.7.0_75 in the Oracle Java SE Critical Patch Update Advisory for January 2015. This fix also disables SSLv3 on vShield Manager.

The following issues were resolved in the 5.5.4 release:

Fixed Issue 1343847 / 1343842 / 1362763: Fixes to address CVE-2014-3566 "POODLE" vulnerability
The 5.5.4 release included two changes that address the CVE-2014-3566 vulnerability (the SSLv3 vulnerability known as "POODLE"):

  • An update of the vShield Edge system SSL library to OpenSSL 0.9.8zc; and
  • An updated API method that allows administrators to address the POODLE vulnerability on vShield Edge appliances by disabling SSLv3 encryption there. VMware recommends that you disable SSLv3 encryption on all vShield Edge appliances. For instructions, see VMware Knowledge Base article 2115288.
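
A way to confirm that SSLv3 really is off, on vShield Manager (Fixed Issue 1424601 above) and on each vShield Edge after applying KB 2115288. This is an added example, not VMware's tooling and not part of the release notes. It sends a hand-built SSLv3 ClientHello with nc and classifies the first record that comes back, which avoids depending on "openssl s_client -ssl3" (current OpenSSL builds no longer ship SSLv3 support). It assumes a BSD- or GNU-style nc that accepts -w is on PATH; the host names at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not VMware's own: checks whether a listener (a vShield Edge
# service such as SSL VPN, or vShield Manager on 443) still completes an SSLv3
# handshake after the POODLE remediation. It hands a raw SSLv3 ClientHello to
# nc and classifies the first record that comes back, so it does not depend on
# "openssl s_client -ssl3". Assumption: a BSD/GNU-style nc with -w is on PATH.

# Minimal SSLv3 ClientHello, as hex:
#   16 03 00 00 2f      record header: handshake, version 3.0, 47 bytes follow
#   01 00 00 2b         handshake header: ClientHello, 43-byte body
#   03 00               client_version = SSL 3.0
#   00 x 32             client random (fixed; a probe needs no entropy)
#   00                  session id length 0
#   00 04 00 0a 00 2f   two cipher suites: DES-CBC3-SHA, AES128-SHA
#   01 00               one compression method: null
sslv3_client_hello_hex() {
    rnd=""; i=0
    while [ "$i" -lt 32 ]; do rnd="${rnd}00"; i=$((i + 1)); done
    printf '%s' "160300002f0100002b0300${rnd}000004000a002f0100"
}

# Emit the bytes for a hex string using only POSIX printf octal escapes.
hex_to_bin() {  # HEX
    h="$1"
    while [ -n "$h" ]; do
        byte="${h%"${h#??}"}"; h="${h#??}"
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Classify the hex of the server's first bytes. A 16 03 00 record is an SSLv3
# ServerHello, i.e. the server still speaks SSLv3; an alert record (15 ..) or
# an empty reply means the handshake was refused.
classify_reply_hex() {  # HEX
    case "$1" in
        160300*) echo "VULNERABLE: server answered with an SSLv3 ServerHello" ;;
        15*)     echo "OK: server sent an alert, SSLv3 refused" ;;
        "")      echo "OK: server closed the connection without a handshake" ;;
        *)       echo "UNKNOWN: unexpected first bytes $(printf '%s' "$1" | cut -c1-10)" ;;
    esac
}

# Send the probe and report. -w 5 bounds the wait for a server that accepts
# the hello and then sits waiting for the next handshake message.
probe_sslv3() {  # HOST PORT
    reply="$(hex_to_bin "$(sslv3_client_hello_hex)" | nc -w 5 "$1" "$2" | od -A n -t x1 -v | tr -d ' \n')"
    classify_reply_hex "$reply"
}

echo "ClientHello: $(sslv3_client_hello_hex)"
# Against real targets (placeholder names; replace with your Edge SSL VPN
# listener and your vShield Manager):
#   probe_sslv3 edge.example.invalid 443
#   probe_sslv3 vsm.example.invalid 443
```

Run probe_sslv3 against every Edge listener that terminates TLS (SSL VPN, the load balancer VIPs, the HTTPS management interface) and against vShield Manager; anything reported VULNERABLE has not yet picked up the SSLv3 change. The check is deliberately protocol-level rather than cipher-level, so it says nothing about export-grade suites; review those separately as part of the FREAK follow-up.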