VMware Cloud Community
virtualkitten
Enthusiast

Patching security vulnerabilities in standalone ESXi 5.0/5.5 vSphere

Hi,

This should be a simple one, but I would like to get some information from the experienced administrators and users here, and yes... I did search the topic already, but most of the documentation points to the official way of using vCenter and some other tools that require vCenter.

As you all know, there are several vulnerabilities affecting VMware ESXi hosts, some remotely exploitable... With the information I have, to patch an ESXi host you could do

esxcli software vib update -d "PATH_TO_THE_PATCH.ZIP"

That should be everything according to this VMware KB: Installing patches on an ESXi 5.x host from the command line. However, when I run esxcli vib list, I do not see my patches there... and the process shows "install vibs: none"; if I do "install" instead of "update", then it shows a lot of VIBs to install/update but nothing related to the security patch.

Let's say I want to apply a patch, so I go to find it http://i.imgur.com/TU8hcu1.png. The next step would be downloading the patch http://i.imgur.com/moteMeL.png onto the HOST, which can be done in many ways. Once you have the patch, you just put the host in maintenance mode and run the esxcli command to update the patch.

Is the above correct? Am I doing something wrong, is there some risk involved? Shall I be using install instead of update?

I need to update some ESXi 5.0 and 5.5 hosts, but I do not have them in a cluster, etc. So if something happens to the host and it does not boot again, restoring the VMs will take a lot of time.

Any comment will be appreciated; all constructive and destructive comments are welcome. Thanks in advance.

4 Replies
DavoudTeimouri
Virtuoso

You should use this command for installing ESXi patches: esxcli software vib install -d {Full path of the offline file}

Also you can revert back to your previous version after patching: VMware KB: Reverting to a previous version of ESXi

-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/
virtualkitten
Enthusiast

I was not aware of that rollback process. Is it reliable? Does the system store data to be able to revert to a previous version before patching?

Also, what is the difference between "update" and "install" for patching? Reading the documentation, I would say "update" should be the way; however, does it work, or is install really the recommended mechanism?

Thanks for your response; if anyone else wants to add any other comment or ways to patch using other tools (not vCenter), it will help.

DavoudTeimouri
Virtuoso

Hi,

When you use "update", installed VIB files will be upgraded and no new VIBs can be installed.

But by using "install", new VIBs will be installed and existing VIBs will be upgraded or downgraded.

You can use vCLI and PowerCLI for patching your servers without using vCenter.

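The sequence described in the first post (copy the bundle to the host, enter maintenance mode, run esxcli software vib update, check what was installed) together with the update/install distinction from the reply above, as an added shell example that is not part of the thread and not VMware's code. It assumes the offline bundle is referenced by an absolute datastore path, that the checksum published beside the download is known, and that sha256sum is available in the host's busybox shell (an assumption; swap in sha1sum if only a SHA-1 is published). The sample esxcli output and its build numbers are constructed placeholders so the parsing functions can be exercised without a host.

```shell
#!/bin/sh
# Added example (not from the thread): patch helper for a standalone ESXi 5.x
# host, run from the host's own shell over SSH. Assumptions: absolute bundle
# path on a datastore, a published checksum, sha256sum present in busybox.

# Compare the bundle on disk with the published checksum before esxcli opens
# it. Returns 0 on match, 1 on mismatch.
verify_bundle() {
    bundle=$1
    expected=$2
    actual=$(sha256sum "$bundle" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Parse the "Installation Result" block printed by `esxcli software vib update`.
# Returns 0 if the "VIBs Installed:" line names at least one VIB, 1 if it is
# empty. The empty case is the "install vibs: none" outcome from the post:
# 'update' only upgrades VIBs already present and never adds new ones.
vibs_changed() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[[:space:]]*VIBs Installed:/ { if ($2 != "") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Returns 0 when esxcli reported that a reboot is needed to activate the patch.
reboot_required() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Reboot Required: true'
}

# Full sequence for one host. Nothing is changed unless the path is absolute
# and the checksum matches; the dry run shows the VIB delta before committing.
patch_host() {
    bundle=$1
    expected=$2
    case $bundle in
        /*) ;;
        *)  echo "esxcli needs an absolute path to the bundle" >&2; return 1 ;;
    esac
    verify_bundle "$bundle" "$expected" || { echo "checksum mismatch, not applying" >&2; return 1; }
    esxcli software vib update -d "$bundle" --dry-run || return 1
    # On a standalone host, powered-on VMs must be shut down or suspended first.
    esxcli system maintenanceMode set --enable true || return 1
    result=$(esxcli software vib update -d "$bundle") || return 1
    printf '%s\n' "$result"
    if vibs_changed "$result"; then
        if reboot_required "$result"; then
            echo "reboot required; the previous image stays in the alternate bootbank for rollback"
        fi
    else
        echo "no VIB changed: bundle already applied, or it carries only new VIBs (try 'install')"
    fi
}

# Constructed sample outputs (build numbers are placeholders, not real releases).
SAMPLE_UPDATED='Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMware_bootbank_esx-base_5.5.0-9.99.9999999
   VIBs Removed: VMware_bootbank_esx-base_5.5.0-0.0.9999998
   VIBs Skipped: VMware_bootbank_net-e1000_1.0.0-9vmw.550.0.0.9999998'

SAMPLE_NOCHANGE='Installation Result
   Message: Host is not changed.
   Reboot Required: false
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped: VMware_bootbank_esx-base_5.5.0-9.99.9999999'

# Only touch a real host when invoked as:
#   sh patch.sh /vmfs/volumes/<datastore>/<bundle>.zip <published sha256>
if [ $# -eq 2 ] && command -v esxcli >/dev/null 2>&1; then
    patch_host "$1" "$2"
fi
```

The checksum and absolute-path checks run before any esxcli call, and the dry run gives the same "VIBs Installed" summary as the real update, so an empty result can be caught while the host is still serving VMs. The rollback the reply points to relies on the previous image remaining in the alternate bootbank after the reboot, so it is worth keeping a note of the build reported by `vmware -vl` before and after patching.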
virtualkitten
Enthusiast

On the link you sent you can read:

Current hypervisor will permanently be replaced
with build: X.X.X-XXXXXX. Are you sure? [Y/n]


If what you did is just a patch, does that still apply? I think that is VERY WRONG, like... I want to roll back a patch, not the whole hypervisor. Am I misunderstanding something?

