VMware Cloud Community
Richie086
Contributor

How do I actually apply the VMSA-2021 Patches to 6.7?

Hi,

Can someone please point me toward a step-by-step guide for applying these security patches to a vSphere 6.7 install? I have been googling this issue since last week, and I feel like I am in a loop of information with no clear resolution on how to actually apply these patches. I have moved all of my VMs off of my first host onto other hosts with vMotion and put the host into maintenance mode. In my vSphere web interface, when I click on the Update Manager, go to Updates tab > Click Download Now (which I would assume will download the newest patches available), the list of baselines shows the newest update that I have downloaded was back on 7/12/2021. Obviously, the update manager was able to download updates back in July of this year. Why is it not downloading the patches now? Shouldn't there be a new baseline with the VMSA-2021 patches showing up? What am I missing? Please see attached screenshot of my Update Manager.

If someone could just point me in the right direction to apply these patches to my vCenter server and my three ESXi hosts, I would appreciate it.

9 Replies
Sanooj_aj
VMware Employee

Hello Richie,

The VMSA-2021-0020.1 (https://www.vmware.com/security/advisories/VMSA-2021-0020.html) announcement does not affect ESXi hosts but only vCenter Server (and VCF). For this reason, there are no patches released for ESXi hosts to address the vulnerabilities. If you are using vCenter Server appliance 6.7, you will need to patch it to the latest build to address this issue. Step-by-step instructions for patching the vCenter Server appliance 6.7 can be found here - https://communities.vmware.com/t5/vSphere-Upgrade-Install/Step-by-step-procedure-to-update-vCenter-s...

Please follow this procedure to patch the vCenter appliance to build vCenter Appliance 6.7 Update 3o build number 18485166.

Do let us know in case you have any further questions.

Sanooj AJ

e_espinel
Virtuoso

Hello.
According to the link for VMSA-2021-0020.1, you need to download and install vCenter Server 6.7 U3o; the instructions are in the 2nd link.
Attached links:
https://www.vmware.com/security/advisories/VMSA-2021-0020.html

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html

https://customerconnect.vmware.com/patch/


Enrique Espinel
Senior Technical Support on IBM, Lenovo, Veeam Backup and VMware vSphere.
VSP-SV, VTSP-SV, VTSP-HCI, VTSP
Please mark my comment as Correct Answer or assign Kudos if my answer was helpful to you, Thank you.
Richie086
Contributor

Just to clarify - you are saying this security advisory does not affect ESXi hosts at all? Just the vCenter Server appliance?

Sanooj_aj
VMware Employee

Yes Richie, that is correct.

Please refer to the VMSA documentation below:

https://www.vmware.com/security/advisories/VMSA-2021-0020.html

1. Impacted Products
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)


Richie086
Contributor

Sanooj

Thank you for the link.

I am trying to follow the instructions (https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html) that explain the upgrade process. I have attached the file as an ISO to our vCenter Server appliance, but when I try to enter the commands they are not working.

  1. Attach the VMware-vCenter-Server-Appliance-6.7.0.50000-18485166-patch-FP.iso file to the vCenter Server Appliance CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

Do these commands need to be entered in the application shell or a standard SSH bash session? They don't look like regular terminal commands, and since they do not work in the terminal I am thinking that I need to execute them in the application shell. However, I do not see an option to turn on/off the ESX host shell when I browse to my vCenter Server appliance in VMware.

Richie086_0-1632778837326.png

How do I switch to the ESX shell in the vCenter Server appliance? I can successfully connect via SSH to the vCenter app, but can't seem to get the ESX shell to work.

Sanooj_aj
VMware Employee

This will need to be executed in the appliance shell of vCenter appliance itself. 

Here is my suggestion - from the screenshot you shared last, keep the Bash shell disabled and ssh enabled. 

Once done connect to vCenter appliance over ssh and authenticate using root and password - once you are in - execute the commands (without entering the shell) - they should work. They do not work if you enable shell once connected over ssh. 

Sanooj AJ

Sanooj_aj
VMware Employee

You can also switch to appliance shell (if already in bash shell) too using command /bin/appliancesh. If that is easier - please refer to my screenshot below:

Sanooj_aj_0-1632779873352.png

Once you are in appliance shell - you can execute the other commands for patching.

Let me know if that helps.

Sanooj AJ

Richie086
Contributor

Sanooj

That worked! Thank you so much for your help.

IRIX201110141
Champion

Hint: You can patch the VCSA through its own management GUI (called VAMI) rather than from the command line. If you point your browser to https://vcsa:5480 and log in with "root" (since 7.x, administrator@vsphere.local can also log in), there is an "Update" entry in the lower left menu. It lets you fetch everything needed from the Internet or, when attached, from the ISO on the CD-ROM.

Regards,
Joerg
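
Added example, not part of the thread and not VMware code: a small POSIX shell check for confirming that an attached patch ISO and a reported vCenter version meet the fixed 6.7 build quoted above (18485166). The function names, the sample strings and the `<product> <x.y.z> build-<n>` version layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare patch level with the fixed
# 6.7 build quoted in the thread. All sample strings below are constructed.
FIXED_BUILD_67=18485166   # vCenter Appliance 6.7 Update 3o, per the thread

# Print "<version> <build>" for a patch ISO named like the one in the thread:
# VMware-vCenter-Server-Appliance-<version>-<build>-patch-FP.iso
iso_build() {
    printf '%s\n' "$1" | sed -n \
        's/^VMware-vCenter-Server-Appliance-\([0-9.]*\)-\([0-9][0-9]*\)-patch-FP\.iso$/\1 \2/p'
}

# Succeed only if the ISO is a 6.7 patch at or above the fixed build.
iso_is_fix() {
    set -- $(iso_build "$1")
    case "${1:-}" in
        6.7.*) [ "$2" -ge "$FIXED_BUILD_67" ] ;;
        *) return 1 ;;
    esac
}

# Classify a reported version string. The "<product> <x.y.z> build-<n>" layout
# is an assumption; adapt the pattern to what your appliance actually reports.
check_build() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^.* \([0-9][0-9]*\.[0-9][0-9]*\)[0-9.]* build-\([0-9][0-9]*\)$/\1 \2/p')
    if [ -z "$parsed" ]; then echo "unparsed"; return 0; fi
    line=${parsed% *}      # release line, e.g. 6.7
    build=${parsed#* }     # numeric build
    # The thread gives a fixed build only for 6.7; other lines are not judged.
    if [ "$line" != "6.7" ]; then echo "out-of-scope"; return 0; fi
    if [ "$build" -ge "$FIXED_BUILD_67" ]; then
        echo "patched"
    else
        echo "needs-patch"
    fi
}

# Constructed sample version strings, one per outcome of interest.
for v in "VMware VirtualCenter 6.7.0 build-18485166" \
         "VMware VirtualCenter 6.7.0 build-17000000" \
         "VMware VirtualCenter 7.0.2 build-17000000"; do
    printf '%-45s %s\n' "$v" "$(check_build "$v")"
done
```

Running `iso_is_fix` on the ISO file name before staging, and `check_build` on the version string after the install, gives a before-and-after record for the change ticket.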