Tag: Changelog

Another security release.

• Includes logback 1.2.9 that fixes the low severity vulnerability CVE-2021-42550. Exploiting this vulnerability requires the attacker being able to write to the logging.xml config file of the flexVDI Manager appliance.
• We have removed the write permission of logging.xml file even for the file owner, in flexvdi Manager appliances being updated. In 3.1.12 the permission change affected only new installations.

flexVDI Manager is available for update running flexvdi-config command on the host where the current manager is running. Instructions are available here. Also it can be manually downloaded from portal.flexvdi.com, for servers not connected to the internet.

This is mainly an security hardening release. The latest release of the flexVDI Manager appliance includes many updated components, including:

• All available software packages of its base distro, including Linux kernel, openssl, java, and more.
• Many updated java libraries. Specifically it includes logback 1.2.8, released yesterday. It removes all JDBC code and disables all JNDI code from the base logging framework, before any important vulnerability is found in it.
• We have set java logging configuration read-only even for the file owner as recommended by security experts.

flexVDI does not use log4j2 logging library but logback, so it is NOT vulnerable to CVE-2021-44228 (aka log4shell). But a new attack family has been discovered, so logback has been hardened removing the functionality that may be vulnerable before some critical vulnerability is found, and we have included this hardened library release. This makes very unlikely that the latest logback and flexVDI are ever affected by something like log4shell.

Also this release fixes a bug: some stopped volatile guests generated by a desktop policy where not being automatically deleted, even with a “stop & delete” action in place. This happened when the guest was already stopped when the “stop” action was requested, so flexVDI Manager decided that the action had failed, and retried forever before deleting it.

flexVDI Manager is available for update running flexvdi-config command on the host where the current manager is running. Instructions are available here. Also it can be manually downloaded from portal.flexvdi.com, for servers not connected to the internet.

New resource allocation algorithm, adapted for homogeneous and also heterogeneous host sets.

The new flexVDI Manager distributes load to the physical hosts proportionally to the amount of computing reources (vCPU and vRAM) that they have available. Previous releases gave load to the host with most free available resources, which resulted in the “bigger” machines in a cluster being more loaded than “small” ones.

flexVDI installations where all the hosts have the same amount of RAM and CPUs, will not be affected by this update. flexVDI Manager will behave like always for them.

Notice:
Most flexVDI Manager updates can be performed when users are connected to the platform without being noticed.

If you have flexVDI installed on hosts with the same amounts of vRAM and vCPUS, this update is also completely safe for you. Otherwise, it is recommended that you stop most (>50%) of the guests in every flexVDI pool in your system before updating your flexVDI Manager. Resource allocation will be different with the new flexVDI Manager, which will cause automatic guest migrations, which will temporarily freeze those guests, and can cause some guests to be stopped.

flexVDI manager is available for update running flexvdi-config command on the host where the current manager is running. Instructions are available here. Also it can be manually downloaded from portal.flexvdi.com, for servers not connected to the internet.

• Bug fixed: Due to a race condition, in rare occasions a volatile desktop could be deleted without a good reason, leaving a log line like:

xxxxxxx [WARN ] [/user/DesktopReaper] 1103||An orphaned Desktop was found. Killing it||Orphaned desktop is DESKTOP_NAME-volatile-yyyyyyyy

• Desktop deletion by “inactivity actions” is faster now: The “stop & delete” action of volatile desktops caused by “inactivity actions”, now tries to be performed in one time, instead of stopping the desktop, then deleting the session 30 seconds later.

• Improved logging: problems when executing “inactivity actions” are logged with more detail now.

flexVDI manager is available for update running flexvdi-config command on the host where the current manager is running. Instructions are available here. Also it can be manually downloaded from portal.flexvdi.com, for servers not connected to the internet.

• Added more variety of emulated guest CPUs, supporting some new instruction sets to improve performance of software compiled to make use of it.
• Updated kernel and 30 more packages of the flexVDI Manager appliance.

flexVDI manager is available for update running flexvdi-config command on the host where the current manager is running. Instructions are available here. Also it can be manually downloaded from portal.flexvdi.com, for servers not connected to the internet.