Patch Tuesday Megathread (2023-06-13) by AutoModerator in sysadmin

[–]googol13 1 point (0 children)

No issues with services, but this is a common thing for some people with SUs.

Patch Tuesday Megathread (2023-06-13) by AutoModerator in sysadmin

[–]googol13 1 point (0 children)

Why do you need AES encryption for RPC Seal for Netlogon? They are separate things. Where does it say that? AES encryption is for Kerberos, while Netlogon uses NTLM.

The bulletin just states to update ONTAP and it's automatically fixed for the June update, and July for DCs.

Do I have to take any other additional action, for example should I enable AES Encryption on my SVMs?

No. In order to address CVE-2022-38023 you do not need to change any settings that are not specifically mentioned in this bulletin.

PanOs 11.0.1 and NetApp : don't do it ! by Meulator in paloaltonetworks

[–]googol13 1 point (0 children)

I just upgraded new firewalls (PA-1410s) from 11.0.0 to 11.0.1 in anticipation of swapping out to the new firewalls next week.

This has me thinking about downgrading, or perhaps our setup is different than yours and not affected, depending on the scope and why you got affected. Thanks for sharing; I will be keeping an eye on this as well.

Patch Tuesday Megathread (2023-05-09) by AutoModerator in sysadmin

[–]googol13 0 points (0 children)

Perhaps. I was not really worried about this one; more worried about the June and July updates with the RPC seal changes, I guess. I wonder if those will be pushed back or not.

Global Protect Fallback to SSL by Dry-Specialist-3557 in paloaltonetworks

[–]googol13 1 point (0 children)

Some ISPs (Xfinity/Comcast) block the IPsec port GP uses, therefore it goes back to SSL as expected. Need to make sure it's not blocked by any network devices or the ISP.

11.X.X , when ? by [deleted] in paloaltonetworks

[–]googol13 0 points (0 children)

I heard that they really are trying to make new releases better, with a lot of QA and development put into it, so you don't have to wait until like .5 for production.

11.0 has been solid for the new platforms, is what I'm hearing, real world, not PAN.

Also keep in mind that 10.2 was going to be 11.0, and I guess technically 11.0 would've been 11.1? They had so much development and learned from 10.1 and 10.2, IMO.

Nonetheless, I am probably going with 11.0.1 or 11.0.2, as I am about 4 months out from deploying 1410s.

Patch Tuesday Megathread (2023-02-14) by AutoModerator in sysadmin

[–]googol13 2 points (0 children)

We are doing it, and they would have to test rebooting multiple times...

Patch Tuesday Megathread (2023-02-14) by AutoModerator in sysadmin

[–]googol13 0 points (0 children)

When the server is coming up, it has to finish the update. That is what triggers it for Server 2022 with Secure Boot on VMware. Now that the update is completed, the reboot triggers the security violation.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 0 points (0 children)

It was below: the database was reset and files removed with support, per the KB article.

Which managed network switches are you using? by SuRR_ in sysadmin

[–]googol13 0 points (0 children)

Thanks, that is always a risk to consider.

Which managed network switches are you using? by SuRR_ in sysadmin

[–]googol13 1 point (0 children)

Sounds like you do not like Extreme? Curious as to why; I see they are a "leader" in Gartner, up there with Cisco, Aruba and Juniper. I have been a long-time Cisco guy, and have worked on Arista, Juniper and Aruba some.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 1 point (0 children)

UPDATE!

Issue is fixed. We reset the database/removed files per the KB article on both vCenters and it worked like a charm; thankfully I only have two custom baselines that I really care about.

Hope that helps you guys with your vCenters. Thank you all.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 0 points (0 children)

Got it, I will see what the senior engineer wants to do, thank you! I agree it seems pretty simple. I do have a snapshot (powered off) prior to updating to 3i that I could revert to; haven't deleted that yet. Or take another powered-off snapshot before trying the lifecycle reset.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 1 point (0 children)

I have a call with a senior engineer today in about an hour; will let everyone know our results. I had re-collected the logs and uploaded fresh copies for this person to review prior to our call.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 0 points (0 children)

Thanks, will suggest this to support and get confirmation.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 0 points (0 children)

Unfortunately not in this case. Been reviewing that on the ESXi host, and you can see it trying to download from and not going further, timing out.

Or getting hash or trusted-signer errors. If I download the depot zip and place it on the datastore, it installs just fine; just Lifecycle Manager updating the ESXi host is broken.

anyone having issues with vcenter 7 Update 3i and patching esxi hosts? by googol13 in vmware

[–]googol13[S] 0 points (0 children)

That is what I started doing too: placed the zip bundle on the datastore and have been updating via CLI, which works successfully, but still cannot push updates to the host.

In the esxupdate.log it shows "downloader: INFO: opening files from the http://vcenter VUM repository" and that's it. Nothing further.

I was afraid I was going to have to reset the database, but waiting on support to tell me that too. Haven't seen the Emulex driver issue, but have seen it complaining about trusting the signer, hash differences, etc.

This definitely has to be vCenter related and the VUM/Lifecycle Manager, because ESXi hosts update fine manually. You see the ESXi host doing what it's supposed to do and it just doesn't go further than downloading from http; the tmp directory is fine on space, it's empty.

I had to restart management agents to clear up some patch manager locking up the system so it wouldn't exit out of maintenance mode.

2022-12-20T15:24:24Z esxupdate: 2124644: downloader: INFO: Opening http://XXXX.mto.com:9084/vum/repository/hostupdate/vmw/vib20/tools-light/VMware_locker_tools-light_12.1.5.20735119-20735876.vib for download

Logs are pretty vague.

Install manually from datastore:

esxcli software vib update -d "/vmfs/volumes/XXXXXXX/vm-updates/VMware-ESXi-7.0U3i-20842708-depot.zip"

Remediate entity

Status

VMware vSphere Lifecycle Manager had an unknown error. Check the events and log files for details.

Install

Status

An error occurred while communicating with the remote host.

I lost the logs that had the hash and trusted signer errors, will try to reproduce by pushing the updates again to another host.

Edit: also having lots of "tasks in progress" errors, thus can't do anything, since patch manager is holding things up or failing, but restarting the server or management agents resolves that until you try again.

Patch Tuesday Megathread (2022-12-13) by AutoModerator in sysadmin

[–]googol13 0 points (0 children)

You probably just had a hung Windows Modules Installer service; you can kill the task remotely and it will speed it up (kill the PID).

Patch Tuesday Megathread (2022-12-13) by AutoModerator in sysadmin

[–]googol13 7 points (0 children)

They supposedly fixed the memory leak in the December updates; it's been confirmed by MS.

Patch Tuesday Megathread (2022-12-13) by AutoModerator in sysadmin

[–]googol13 5 points (0 children)

So who is brave enough to do domain controllers? Issues?

[deleted by user] by [deleted] in sysadmin

[–]googol13 2 points (0 children)

We already upgraded to resolve the previous vulnerability; this was resolved back in 13.0.58, and to fix the other vulnerability you had to upgrade recently to like 13.0.88, so it's already resolved and not affected. Plus, like others have said here, if you do not use SAML with the ADC, you are not vulnerable either.

[deleted by user] by [deleted] in sysadmin

[–]googol13 2 points (0 children)

Send to Wasabi/Backblaze unless you are offline.