Known issues: Azure VMware Solution
This article describes the currently known issues with Azure VMware Solution.
Refer to the table to find details about resolution dates or possible workarounds. For more information about the different feature enhancements and bug fixes in Azure VMware Solution, see What's New.
Issue | Date discovered | Workaround | Date resolved |
---|---|---|---|
VMSA-2024-0021 VMware HCX addresses an authenticated SQL injection vulnerability (CVE-2024-38814) | 2024 | None | October 2024- Resolved in HCX 4.10.1, HCX 4.9.2 and HCX 4.8.3 |
VMSA-2021-002 ESXiArgs OpenSLP vulnerability publicized in February 2023 | 2021 | Disable OpenSLP service | February 2021 - Resolved in ESXi 7.0 U3c |
After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager DNS - Forwarder Upstream Server Timeout alarm is raised | February 2023 | Enable private cloud internet Access, alarm is raised because NSX-T Manager can't access the configured CloudFlare DNS server. Otherwise, change the default DNS zone to point to a valid and reachable DNS server. | February 2023 |
When first logging in to the vSphere Client, the Cluster-n: vSAN health alarms are suppressed alert is active in the vSphere Client | 2021 | The alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 |
When adding a cluster to my private cloud, the Cluster-n: vSAN physical disk alarm 'Operation' and Cluster-n: vSAN cluster alarm 'vSAN Cluster Configuration Consistency' alerts are active in the vSphere Client | 2021 | This alert should be considered an informational message, since Microsoft manages the service. Select the Reset to Green link to clear it. | 2021 |
After my private cloud NSX-T Data Center upgrade to version 3.2.2, the NSX-T Manager Capacity - Maximum Capacity Threshold alarm is raised | 2023 | Alarm raised because there are more than four clusters in the private cloud with the medium form factor for the NSX-T Data Center Unified Appliance. The form factor needs to be scaled up to large. This issue should get detected through Microsoft, however you can also open a support request. | 2023 |
When I build a VMware HCX Service Mesh with the Enterprise license, the Replication Assisted vMotion Migration option isn't available. | 2023 | The default VMware HCX Compute Profile doesn't have the Replication Assisted vMotion Migration option enabled. From the Azure VMware Solution vSphere Client, select the VMware HCX option and edit the default Compute Profile to enable Replication Assisted vMotion Migration. | 2023 |
VMSA-2023-023 VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-03048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-03048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. Azure VMware Solution is currently rolling out 7.0U3o to address this issue. | March 2024 - Resolved in ESXi 7.0U3o |
The AV64 SKU currently supports RAID-1 FTT1, RAID-5 FTT1, and RAID-1 FTT2 vSAN storage policies. For more information, see AV64 supported RAID configuration | Nov 2023 | The AV64 SKU now supports 7 Fault Domains and all vSAN storage policies. For more information, see AV64 supported Azure regions | June 2024 |
VMware HCX version 4.8.0 Network Extension (NE) Appliance VMs running in High Availability (HA) mode may experience intermittent Standby to Active failover. For more information, see HCX - NE appliances in HA mode experience intermittent failover (96352) | Jan 2024 | Avoid upgrading to VMware HCX 4.8.0 if you're using NE appliances in a HA configuration. | Feb 2024 - Resolved in VMware HCX 4.8.2 |
VMSA-2024-0006 ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | For ESXi 7.0, Microsoft worked with Broadcom on an AVS specific hotfix as part of the ESXi 7.0U3o rollout. For the 8.0 rollout, Azure VMware Solution is deploying vCenter Server 8.0 U2b & ESXi 8.0 U2b which is not vulnerable. | August 2024 - Resolved in ESXi 7.0U3o and vCenter Server 8.0 U2b & ESXi 8.0 U2b |
When I run the VMware HCX Service Mesh Diagnostic wizard, all diagnostic tests will be passed (green check mark), yet failed probes will be reported. See HCX - Service Mesh diagnostics test returns 2 failed probes | 2024 | None, this will be fixed in 4.9+. | N/A |
VMSA-2024-0011 Out-of-bounds read/write vulnerability (CVE-2024-22273) | June 2024 | Microsoft has confirmed the applicability of the CVE-2024-22273 vulnerability and it will be addressed in the upcoming 8.0u2b Update. | July 2024 |
VMSA-2024-0012 Multiple Vulnerabilities in the DCERPC Protocol and Local Privilege Escalations | June 2024 | Microsoft, working with Broadcom, adjudicated the risk of these vulnerabilities at an adjusted Environmental Score of 6.8 or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. A plan is being put in place to address these vulnerabilities at a future date TBD. | N/A |
Zerto DR isn't currently supported with the AV64 SKU. The AV64 SKU uses ESXi host secure boot and Zerto DR hasn't implemented a signed VIB for the ESXi install. | 2024 | Continue using the AV36, AV36P, and AV52 SKUs for Zerto DR. | N/A |
VMSA-2024-0013 (CVE-2024-37085) VMware ESXi Active Directory Integration Authentication Bypass | July 2024 | Azure VMware Solution does not provide Active Directory integration and isn't vulnerable to this attack. | N/A |
AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | The AV36P SKU is waiting for a Hotfix to be deployed, which will resolve this issue. | N/A |
VMSA-2024-0019 Vulnerability in the DCERPC Protocol and Local Privilege Escalations | September 2024 | Microsoft, working with Broadcom, adjudicated the risk of CVE-2024-38812 at an adjusted Environmental Score of 6.8 and CVE-2024-38813 with an adjusted Environmental Score of 6.8. Adjustments from the base scores were possible due to the network isolation of the Azure VMware Solution vCenter Server DCERPC protocol access (ports 2012, 2014, and 2020 aren't exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the Azure VMware Solution vCenter Server. A plan is being put in place to address these vulnerabilities at a future date TBD. | N/A |
VMSA-2024-0020 VMware NSX command injection, local privilege escalation & content spoofing vulnerability | October 2024 | The vulnerability mentioned in the Broadcom document is not applicable to Azure VMware Solution, as attack vector mentioned does not apply. | N/A |
In this article, you learned about the current known issues with the Azure VMware Solution.
For more information, see About Azure VMware Solution.