Organisations using VMware now have no choice but to buy an annual subscription for a bundled product if they plan to continue using the hypervisor.
As Computer Weekly has previously reported, Broadcom has simplified the VMware product family, which is now only available as a subscription, licensed on a per-core basis. Some organisations, like Telefónica Germany, have managed to remain on perpetual licences by purchasing second-hand VMware licences and using a third-party support provider.
But a recent security alert has brought into focus the difficulty of keeping licensed copies of VMware running without upgrading to a VMware subscription.
Last month, Broadcom published a critical security advisory that covered three new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation and Fusion. The most severe of these was a critical vulnerability in ESXi and Workstation.
According to Rapid7, these are not remotely exploitable vulnerabilities – they require an attacker to have existing privileged access on a virtual machine (VM) that is running on an affected VMware hypervisor.
In a blog, Rapid7 noted that it may be possible to chain together the three vulnerabilities: “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”
Broadcom said administrators should assume that all versions of ESXi, vSphere and VCF are affected, apart from versions listed as “fixed”. “If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken,” the Broadcom advisory warned, adding that exploitation of the vulnerabilities has occurred “in the wild”.
Patch availability
In terms of VMware users running older versions of ESXi, Broadcom has issued a patch for ESX 6.7, which is available via the Support Portal to all customers. ESX 6.5 customers, meanwhile, need to use the extended support process for access to patches, said Broadcom.
It said products that are past their end of general support dates are not evaluated, and urged organisations using vSphere 6.5 and 6.7 to update to vSphere 8.
To apply the patches issued by Broadcom, IT decision-makers will need to upgrade to a Broadcom subscription for VMware – unless they are prepared to source second-user licences covering a supported version of vSphere. This provides patches and updates for the latest supported VMware releases.
If managed carefully, moving to a VMware subscription could be the right approach, especially in organisations that can use the full VMware Cloud Foundation (VCF) suite and need a platform that can manage both virtualisation and containerisation.
Benefits of a VMware subscription
As Holland Barry, field chief technology officer for cloud and infrastructure at DXC Technology, pointed out in a recent Computer Weekly article, organisations adapting to VMware’s evolving licensing models are finding opportunities to optimise costs and enhance efficiencies.
“Many have successfully streamlined their IT estates by replacing redundant functionalities – such as logging, observability, automation, software-defined networking, microsegmentation and hyperconverged infrastructure – with integrated solutions now available within their VMware Cloud Foundation model,” he said.
For Bola Rotibi, principal analyst at CCS Insight, VCF’s architectural principle is based on building for interoperability. For hybrid and multicloud deployment scenarios, VCF provides what Rotibi regards as a consistent, enterprise-grade cloud experience.
However, one of VCF’s biggest advantages, according to Rotibi, is its ability to support VMs and Kubernetes-based workloads on a single platform.
“Many enterprises are still running legacy applications that rely on virtual machines,” she said. However, they also want to modernise with cloud-native, containerised applications. “Instead of forcing businesses to choose between two separate architectures, VCF seamlessly integrates both.”
Barry recommends IT leaders align their hardware footprints to VMware’s new 16-core-per-CPU socket minimum, which, in his experience, is crucial for maximising performance and value. “By carefully recalibrating memory-to-CPU ratios, businesses have ensured that workloads run optimally without unnecessary overhead,” he added.
A calculated risk
Many IT leaders will not want to take a risk by running IT systems unpatched, but VMware is a mature product, which implies that best practices for maintaining a secure VMware environment are well understood.
According to third-party support provider Spinnaker Support, VMware customers are having to figure out for themselves whether older, unsupported products are impacted by newly discovered vulnerabilities. Looking at a recent vulnerability affecting version 6.7 of VMware, Spinnaker Support said the feature that needed patches was not something built into version 5.5, making the risk irrelevant in organisations using the older version of the VMware product.
While Broadcom’s bundling of VMware products simplifies the product family, in Spinnaker’s experience, this means VMware patches are being released for products that many organisations do not use.
Craig Savage, vice-president of cyber security at Spinnaker Support, said: “Broadcom’s bundling strategy is making it harder for customers to separate genuine security risks from noise. When everything is wrapped into large, expensive packages, understanding what truly needs protection – and what doesn’t – becomes far more difficult.”
