Hi,
Can someone please point me toward a step-by-step guide for applying these security patches to a vSphere 6.7 install? I have been googling this issue since last week, and I feel like I am in a loop of information with no clear resolution on how to actually apply these patches. I have moved all of my VMs off of my first host onto other hosts with vMotion and put the host into maintenance mode. In my vSphere web interface, when I click on the Update Manager, go to Updates tab > Click Download Now (which I would assume will download the newest patches available), the list of baselines shows the newest update that I have downloaded was back on 7/12/2021. Obviously, the update manager was able to download updates back in July of this year, so why is it not downloading the patches now? Shouldn't there be a new baseline with the VMSA-2021 patches showing up? What am I missing? Please see attached screenshot of my Update Manager.
If someone could just point me in the right direction to apply these patches to my vCenter server and my three ESXi hosts, I would appreciate it.
Hello Richie,
The VMSA-2021-0020.1 (https://www.vmware.com/security/advisories/VMSA-2021-0020.html) announcement does not affect ESXi hosts but only vCenter Server (and VCF). For this reason, there are no patches released for ESXi hosts to address the vulnerabilities. If you are using vCenter Server Appliance 6.7, you will need to patch it to the latest build to address this issue. Step-by-step instructions for patching the vCenter Server Appliance 6.7 can be found here - https://communities.vmware.com/t5/vSphere-Upgrade-Install/Step-by-step-procedure-to-update-vCenter-s...
Please follow this procedure to patch the vCenter appliance to build vCenter Appliance 6.7 Update 3o build number 18485166.
Do let us know in case you have any further questions.
Sanooj AJ
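A post-patch check for the build number named in the reply above, as an added example that is not part of the original thread. It assumes the appliance's `vpxd -v` prints a line of the form `VMware VirtualCenter 6.7.0 build-NNNNNNNN`; the function name and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Minimum build taken from the reply
# above: vCenter Server Appliance 6.7 Update 3o, build 18485166.
REQUIRED_BUILD=18485166

# check_vcsa_build "<version string>"   (hypothetical helper)
# returns 0: 6.7 build at or above REQUIRED_BUILD
# returns 1: 6.7 build older than REQUIRED_BUILD (still needs the patch)
# returns 2: not a recognisable 6.7 version string (do not guess)
check_vcsa_build() {
    line=$1
    case "$line" in
        *" 6.7."*build-*) ;;
        *) echo "UNKNOWN: not a 6.7 version string: $line"; return 2 ;;
    esac
    build=${line##*build-}        # keep what follows the last "build-"
    build=${build%%[!0-9]*}       # cut at the first non-digit
    if [ -z "$build" ]; then
        echo "UNKNOWN: no numeric build in: $line"
        return 2
    fi
    if [ "$build" -ge "$REQUIRED_BUILD" ]; then
        echo "OK: build $build is at or above $REQUIRED_BUILD"
        return 0
    fi
    echo "NEEDS PATCH: build $build is below $REQUIRED_BUILD"
    return 1
}

# On the appliance (bash shell), assumed usage:
#   check_vcsa_build "$(vpxd -v)"
# Constructed sample strings so the script runs offline:
for sample in \
    "VMware VirtualCenter 6.7.0 build-18485166" \
    "VMware VirtualCenter 6.7.0 build-18000000"
do
    check_vcsa_build "$sample" || true
done
```

The build shown in the appliance management interface can be compared against the same number by hand.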
Hello.
According to the link for VMSA-2021-0020.1,
you need to download and install vCenter Server 6.7 U3o; the instructions are in the 2nd link.
Attached links:
https://www.vmware.com/security/advisories/VMSA-2021-0020.html
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html
https://customerconnect.vmware.com/patch/
Just to clarify - you are saying this security advisory does not affect ESXi hosts at all? Just the vCenter Server appliance?
Yes Richie, that is correct.
Please refer to the VMSA documentation below:
https://www.vmware.com/security/advisories/VMSA-2021-0020.html
Sanooj
Thank you for the link.
I am trying to follow the instructions (https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html) that explain the upgrade process. I have attached the file as an ISO to our vCenter Server appliance, but when I try to enter the commands they are not working.
Do these commands need to be entered in the application shell or a standard SSH bash session? They don't look like regular terminal commands, and since they do not work in the terminal I am thinking that I need to execute them in the application shell. However, I do not see an option to turn on/off the ESX host shell when I browse to my vCenter Server appliance in VMware.
How do I switch to the ESX shell in the vCenter Server appliance? I can successfully connect via SSH to the vCenter app, but can't seem to get the ESX shell to work.
This will need to be executed in the appliance shell of vCenter appliance itself.
Here is my suggestion - from the screenshot you shared last, keep the Bash shell disabled and ssh enabled.
Once done connect to vCenter appliance over ssh and authenticate using root and password - once you are in - execute the commands (without entering the shell) - they should work. They do not work if you enable shell once connected over ssh.
Sanooj AJ
You can also switch to the appliance shell (if already in the bash shell) using the command /bin/appliancesh. If that is easier - please refer to my screenshot below:
Once you are in the appliance shell - you can execute the other commands for patching.
Let me know if that helps.
Sanooj AJ
Sanooj
That worked! Thank you so much for your help.
Hint: You can patch the VCSA through its own management GUI (called VAMI) rather than from the command line. If you point your browser to https://vcsa:5480 and log in with "root" (since 7.x administrator@vsphere.local can also log in) there is an "Update" entry in the lower left menu. It lets you fetch everything needed from the Internet or, when applied, from the ISO on the CDROM.
Regards,
Joerg