Friday, January 14, 2022

Accounting II

Patches of snow lay on the grass, islands of snowflakes succumbing to the January midday sun. They'll evaporate soon, but it's ok. There's more snow in the forecast, and temperatures will be measured by single digits.

Pandemics bring out the best and worst of us. Or maybe, pandemics strip us of conspicuous behaviors and leave only the true self exposed to be seen and judged. Or maybe pandemics don't do a thing, and it's just the latest excuse for humans being human. We didn't go crazy in February 2020, we just quit pretending like we weren't all along.

If you were wondering, yes, I tried keeping bees again. It was my third and final try. The colony was aggressive, and for once I felt afraid when handling the frames. I'm too tired to be voluntarily afraid these days. I left the bees to fend for themselves deep in the woods. They made it this far without humans, I trust they'll be fine. Then again, single digit colds can squeeze even hardy bees, and these specimens were raised in the Florida panhandle. I do hope they're okay.

Still an optimist, though the distinction between optimist and lunatic is less clear these days. A small box falls off a freight train; the train carries on. It'll be okay. Slow music and golden light will see us through. It's always the humanities that save us from ourselves. A little less TikTok, and a little more Thomas Cole, please. Remember museums? Yeah, me too.

I've bought tickets to more concerts in the last two years than in the decade before. I've attended none of them. But my wife and I had the joy of introducing our daughter to The Nutcracker at the Warner Theatre, before omicron dashed the already muted hopes we had of having covid-19 behind us. Such bright moments illuminate the darkness of these days. But I'm not greedy; I'll take one a year, thanks.

Maybe I'll lace up the trail running shoes and learn again that I'm older than I've ever been before, because I'll never be this young again. Or overpack for a walk in the woods. Find a spot of quiet away from the overpass. Or maybe give up and continue to check for updates for everything.

We'll make the most of this year, dear friends. Or maybe, it will make the most of us.

Saturday, May 29, 2021

The Inherent Vulnerability of HCI

But patching makes it better.
vSphere admins of the world sure had fun last week! VMW dropped VMSA-2021-0010 on us Tuesday, and you can imagine faces falling as virtualization administrators read the details: unauthenticated RCE on port 443, CVSSv3 range 6.5-9.8, versions 6.5, 6.7, and 7.0 all affected. Any optimism we had going into a long weekend was summarily tempered with the cold reality of unscheduled and/or emergency changes.

To VMware's credit, the company published a blog post with a stunning amount of information regarding the severity of the issue and clearly expressed the urgency of the situation, to wit: When do I need to do something about this? Right now. The post is as good as the flaw is bad.

For administrators of vCenter Servers that supervise converged or traditional infrastructures, patching was a relatively easy task. Of course you read the release notes first (cue laugh track). In most cases, suffering the indignities of officious change management processes eclipsed the update task itself. If you've been keeping up with VCSA updates, you know that you always take a snapshot and run an ad hoc backup through the VAMI before you do anything. Once you've taken steps to protect the data, you run the update, and within minutes you're back in business. Delete the snapshot and move on.
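The safeguards in that procedure, as an added PowerCLI example that is not the post's or VMware's own code: snapshot the appliance VM from its ESXi host, run the VAMI's file-based backup through the appliance REST API (the 6.7/7.0 `/rest/com/vmware/cis/session`, `/rest/appliance/system/version` and `/rest/appliance/recovery/backup/job` endpoints) and wait for it, then confirm the build number changed before the snapshot is dropped. Hostnames, the VM name and the backup target are placeholders; it assumes PowerCLI is installed and the appliance certificate is trusted by the workstation.

```powershell
# Added example, not from the post. Placeholders: $VcsaFqdn, $VcsaVmName, $EsxiHost, $BackupUrl.
# Assumes PowerCLI is installed and the appliance certificate is trusted by this workstation.
param(
    [string]$VcsaFqdn   = 'vcsa.example.internal',
    [string]$VcsaVmName = 'vcsa-01',
    [string]$EsxiHost   = 'esxi-01.example.internal',   # host running the VCSA VM
    [string]$BackupUrl  = 'ftps://backup.example.internal/vcsa/'
)
$VcCred  = Get-Credential -Message 'VCSA administrator'
$BkCred  = Get-Credential -Message 'Backup target credentials'
$EsxCred = Get-Credential -Message 'ESXi host root'

# 1. Snapshot the appliance VM from its host, not from the vCenter that is about to reboot.
Connect-VIServer -Server $EsxiHost -Credential $EsxCred | Out-Null
$snap = New-Snapshot -VM (Get-VM -Name $VcsaVmName) -Name "pre-VMSA-2021-0010-$(Get-Date -Format yyyyMMdd-HHmm)" -Memory:$false -Quiesce:$false

# Helper: open an appliance REST session and return the auth header (6.7/7.0 /rest API).
function New-VcsaSession {
    $pair = "$($VcCred.UserName):$($VcCred.GetNetworkCredential().Password)"
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $sid  = (Invoke-RestMethod -Method Post -Uri "https://$VcsaFqdn/rest/com/vmware/cis/session" -Headers @{ Authorization = "Basic $auth" }).value
    return @{ 'vmware-api-session-id' = $sid }
}
function Get-VcsaBuild($hdr) { (Invoke-RestMethod -Uri "https://$VcsaFqdn/rest/appliance/system/version" -Headers $hdr).value }

# 2. Record the current build, then run the same file-based backup the VAMI starts.
$hdr = New-VcsaSession
$before = Get-VcsaBuild $hdr
$spec = @{ piece = @{ location = $BackupUrl; location_type = 'FTPS'; parts = @('common')
                      location_user = $BkCred.UserName; location_password = $BkCred.GetNetworkCredential().Password
                      comment = 'pre-patch backup' } } | ConvertTo-Json -Depth 4
$job = (Invoke-RestMethod -Method Post -Uri "https://$VcsaFqdn/rest/appliance/recovery/backup/job" -Headers $hdr -Body $spec -ContentType 'application/json').value
do {
    Start-Sleep -Seconds 15
    $job = (Invoke-RestMethod -Uri "https://$VcsaFqdn/rest/appliance/recovery/backup/job/$($job.id)" -Headers $hdr).value
} while ($job.state -eq 'INPROGRESS')
if ($job.state -ne 'SUCCEEDED') { throw "Backup ended in state $($job.state); stop here, do not update." }

# 3. Apply the update in the VAMI (Update > Stage and Install). The appliance restarts, so re-authenticate.
Read-Host "Backup succeeded (build $($before.build)). Apply the update in the VAMI, then press Enter"
$after = Get-VcsaBuild (New-VcsaSession)
if ($after.build -eq $before.build) { throw 'Build unchanged: the update did not apply. Keep the snapshot.' }
Write-Host "Updated: $($before.version)/$($before.build) -> $($after.version)/$($after.build)"

# 4. Only after the patched appliance is confirmed healthy, drop the pre-patch snapshot.
Remove-Snapshot -Snapshot $snap -Confirm:$false
Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Taking the snapshot from the ESXi host rather than through vCenter matters because the vCenter services go down during the update, and the script deliberately keeps the snapshot if the build number did not change.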

But for admins of hyperconverged solutions (e.g., Dell's VxRail system), the process is not so simple. HCI vendors maintain a tight grip on the versions of each component in the bundled system, and mince no words in warning users not to upgrade software outside of the bundled updater. There's an expectation that when VMware publishes a software upgrade for a critical security issue, the HCI vendor will quickly incorporate that update into their bundle and make it available for download. In this particular case, VMware published a workaround along with the security advisory that allowed HCI users to defend against exploitation while they waited for the bundled update.

However, the gap between VMware's patch release and the HCI vendor's is unacceptable when the issue is remote code execution. The finicky requirements of the infrastructure solution force its users to remain vulnerable beyond the immediacy of the moment.

Last Words

HCI is still a worthwhile solution for most vSphere environments. The onus is on the customers and users to decide how they'll account for and compensate for the unacceptable delay in incorporating critical security updates into their solutions.