VMware confirms the existence of security bug on all versions of ESXi
November 4, 2014
VMware has quietly confessed to the existence of a critical security hole affecting all versions of its ESXi hypervisor.
The company wrote about the issue in its knowledge base as users suddenly discovered that something was missing in their daily data backups.
The security bug affects virtual machines with Changed Block Tracking (CBT) turned on and that have been increased in size by more than 128 GB.
The issue only manifests when the QueryChangedDiskAreas call is executed: certain portions of the virtual machine disk (vmdk) files are then returned incorrectly, and you get an inaccurate list of allocated virtual machine disk sectors.
All this means you’ll have been happily pouring gigabytes of data into your newly expanded virtual machine while completely unaware you likely won’t see it again.
The issue affects VMware ESXi 4.x and ESXi 5. VMware did admit that it is baffled about the problem.
In its VMware knowledge base, the company said that for now, it still has no solution to the issue.
However, the 128 GB threshold means the bug won't affect everybody running ESXi, but it is certain to hit those running very large clouds and virtual instances.
For really large VMware enterprise customers running thousands of virtual machines that keep historical backups, this hidden bug poses huge headaches for system admins everywhere.
As could be expected, several alarm bells and loud whistles are ringing on third-party forums and on Reddit.
Virtualization management specialist Veeam Software told its customers that it is working on a hotfix for versions 7.0 and 8.0 of its backup and replication software.
In the meantime, Veeam recommended a manual CBT reset for all expanded VMs, while VMware recommended turning it off and on again: "disabling and then re-enabling Changed Block Tracking (CBT) on the virtual machine".
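The reset Veeam and VMware recommend, written up here as an added PowerCLI example (not code from the article, VMware or Veeam): it lists VMs with CBT enabled and a virtual disk over 128 GB and, with -Reset, disables and re-enables CBT on each. It assumes an existing Connect-VIServer session, and that current disk size is the only available indicator since the API does not record whether a disk was grown.

```powershell
# Added example, not from the article or from VMware/Veeam: report VMs that match the
# article's risk profile (CBT on, a disk over 128 GB) and optionally reset CBT on them.
# Assumes Connect-VIServer has already been run in this session.
param(
    [double]$ThresholdGB = 128,   # threshold stated in the article
    [switch]$Reset                # default is report-only
)

function Get-CbtCandidates {
    # Growth history is not exposed by the API, so any disk currently larger than the
    # threshold on a CBT-enabled VM is treated as a candidate (assumption).
    Get-VM | Where-Object { $_.ExtensionData.Config.ChangeTrackingEnabled } |
        Where-Object { (Get-HardDisk -VM $_ | Where-Object { $_.CapacityGB -gt $ThresholdGB }) }
}

function Set-Cbt {
    param($VM, [bool]$Enabled)
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.ChangeTrackingEnabled = $Enabled
    $VM.ExtensionData.ReconfigVM($spec)
    # The new setting only takes effect after a stun/unstun cycle; creating and
    # removing a snapshot provides one without powering the VM off.
    $snap = New-Snapshot -VM $VM -Name "cbt-reset-$(Get-Date -Format yyyyMMddHHmmss)"
    Remove-Snapshot -Snapshot $snap -Confirm:$false
}

foreach ($vm in Get-CbtCandidates) {
    Write-Output ("Candidate: {0} (CBT on, disk > {1} GB)" -f $vm.Name, $ThresholdGB)
    if ($Reset) {
        # CBT cannot be reset cleanly while snapshots exist; leave those VMs for manual review.
        if (@(Get-Snapshot -VM $vm).Count -gt 0) {
            Write-Warning "Skipping $($vm.Name): remove existing snapshots before resetting CBT"
            continue
        }
        Set-Cbt -VM $vm -Enabled $false
        Set-Cbt -VM $vm -Enabled $true
        Write-Output "Reset CBT on $($vm.Name); the next backup of this VM will be a full read"
    }
}
```

Run it without -Reset first to review the candidate list; after a reset, expect the next backup job for each VM to take a full pass rather than an incremental one.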
We contacted VMware to find out whether it is working on a permanent fix and when it would be delivered. Also, we asked when the company became aware of the issue, but a company spokesperson said it didn’t have a comment for now.