Slashdot Mirror


VMware Bug Allowed Root Access (arstechnica.com)

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

13 of 33 comments

  1. I used to work at vmware. Criminal engineering. by Anonymous Coward · · Score: 5, Interesting

    I used to work at vmware. They have criminals in China doing most of the code. The code is "lost" now. The smart people who made it are all gone and they have very young engineers from China doing all the code. It's riddled with bugs and likely back doors. They also destroyed the Nicira team. Smart, talented SDN guys who are all gone. Now Nicira is more or less dead and the crap China code, NSX-V, and the new crap China code, NSX-T, is there. It's crap. And they can't make a single installer for all their crap. Each of their products is totally disjointed. You can't find a SINGLE PERSON at vmware capable of installing all of their products. Try finding someone who can install FOUR. Let alone all of them. It's a lot of Chinese and desi engineers who are way too young to understand what they are building. The product managers are young bucks who sling marketing slides but never automation and code. It's a shame. I really think all the engineering talent is locked up with that psycho asshole bezos / scamazon, microsoft, google and alibaba and tencent. The rest of the IT shops are full of young obedient small minded desi and Chinese slaves who "do whatever". The really smart engineers at google, fakebook, scamazon, microsoft and google might be smarter but they willfully implement horrible evil plans for the love of money. The NSX+ESXi+vSphere on scamazon truly sucks, it's double locking, lock-in to scamazon and then locking to the horrible NSX APIs for doing networking crap. If you can call them APIs. In reality NSX forces most configuration to do CLICK OPS, not really automated. Disgusting. vmware is a burnt out husk of what it used to be. tsarkon reports

    1. Re: I used to work at vmware. Criminal engineering. by swb · · Score: 1

      I can't comment on the internals of VMware, but as a longtime user and vendor I feel like VMware went off the rails a few years ago. I think once they had a lot of SMB penetration the MBA geniuses knew growth was going to stall and they moved into the "tools and extensions" mode where they pushed all the add-ons...which maybe only bigger customers buy.

      The few we installed always sucked, a weird mix of appliance VMs, Windows services, etc, and much of it was a mish-mash of configuration in vCenter web and Windows.

      And while we're talking about vCenter -- jeezus, can we make the fucking web interface work worth a damn? It's been a trainwreck forever and still is IMHO, and God help you if it gets fucked up AND you need to do some kind of vCenter-only action...to recover vCenter! Which you will have to do since they make stupid mistakes like chronically undersizing vCenter disk partitions which then fill up and crash the Jenga structure of 1001 processes that make up vCenter.

      It's high time base vCenter functionality like VM migration (including storage migration) was built into the base host install.

      IMHO, for basic virtualization it's still a shitload better than Hyper-V. I keep waiting for 3rd party KVM-based products (like Nutanix) to catch up to Vmware. When they do, VMware's strategy of relying on bolt-ons and big license fees will drain them.

    2. Re: I used to work at vmware. Criminal engineering. by jaymemaurice · · Score: 1

      I think much of this was fueled by the $1 Billion VMware Nicira buy. It alienated their partnership with Cisco and VCE and was poor strategy. It's like nobody realized that their user base couldn't understand what an MTU mismatch was, let alone handle network issues caused by layers of poorly written software on broken hardware.

      That said, you don't need to use vCenter to change DVS ports to get vCenter up - you /can/ do it in the CLI and you should be using ephemeral port allocation for the vCenter port-group. Often the difference between getting a senior tech with free time or one from the low cost geographies was evident by whether or not they made you re-install the product.

      --
      120 characters ought to be enough for anyone

    3. Re: I used to work at vmware. Criminal engineering. by swb · · Score: 1

      No, I was referring to specific situations where you find yourself needing to make a change in vCenter to support a vCenter recovery step.

      IMHO, vCenter is a real house of cards for VMware environments. There are kind of workarounds, like running multiple clusters with vCenter running in the "other" cluster, frequent cloning/replication, etc, but none of them really solve the core problem that vCenter is 8 gallons of shit in a 4 gallon pail.

      I like the fact that host installs are pretty lightweight (i.e. for install to flash, etc), but at the same time I think some of the self-imposed limitations on built-in native host functionality this requires can be kind of frustrating.

      Too much functionality relies on vCenter and it has proved too fragile on too many occasions. I'd kind of hope for something more clever at this point that involved some of it moved back into the host and vCenter streamlined a bit to only be larger scale functionality and larger database elements.

  2. Re: I used to work at vmware. Criminal engineering by Anonymous Coward · · Score: 1

    take your meds

  3. now ESXI get's ceph I may just use them ne cluster by Joe_Dragon · · Score: 1

    Now if ESXi gets Ceph, I may just use them for the next new cluster.

  4. Re: I used to work at vmware. Criminal engineering by Anonymous Coward · · Score: 2, Interesting

    OP in this thread is a rambling mix of personal anecdotes and copypasta that's less coherent than the current US president.

    Also, the post is full of grammatical errors, conspiracy theories, and "I'm off my meds" markers like missing capitalization and calling Amazon "scamazon," etc, and then it ends with the promise of more copypasta but abruptly ends with "tsarkon reports."

  5. Re:Use something else. by phayes · · Score: 1

    Precisely. Anyone not using these products (& none of the ESXi installs I've seen do), no vulnerability. However Meltdown & Spectre are a problem for everyone.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

  6. Re: I used to work at vmware. Criminal engineerin by Anonymous Coward · · Score: 3, Informative

    The thing is I too worked for vmware and having seen the code I know he's right.

    They have comment boxes top and bottom of large sections of code typically accompanied by a statement of "don't touch this, no one knows what it does".

    The hostd is a perfect example.

    But he is wrong about Chinese developers. It's hiring directly from MIT to reverse engineer the code.

    This was all about 4 years ago so I'm not sure where things are at now. I do know that the vSphere Appliance in 6.5 is a pos for installing and configuring. It works about every 5th time and goodness me I hope your environment isn't too special or it's just not happening.

  7. Re: I used to work at vmware. Criminal engineering by Cramer · · Score: 1

    All too true. Too much of the "product" is a bunch of horrible, bloated JAVA. And way too many "solutions" are collections of acquisitions bolted together poorly.

  8. Re: I used to work at vmware. Criminal engineering by ckatko · · Score: 1

    More like, shut off your bot.

    I bet you money I could make a bot that writes text like that, in a weekend.

  9. Re: I used to work at vmware. Criminal engineering by swb · · Score: 1

    Way too many acquisitions are just sniping of almost-mature products just to prevent someone else from buying them or the IP, not because the buyer really cares about making them work.

  10. Re: I used to work at vmware. Criminal engineering by swb · · Score: 1

    MS would like to be #1, but they are trying to do it through licensing breaks for VMs not software quality and reliability. Hyper-V still sucks and their management tools are worse than VMware.