VMware Cloud Community
Denpiero08
Contributor

VCF 4.1.0.1 and 4.2.1 with KB85718 or 85717

VCF 4.1.0.1 and 4.2.1 are being used by 2 of my customers. According to VMSA-2021-0020, if they are unable to upgrade their vCenter version to 7.0 U2d as described in KB85718 (subject workaround), is it possible for them to use the KB85717 workaround for vCenter Server?

7 Replies
baijup
VMware Employee

@Denpiero08 Thanks for posting the question. Yes, they can apply the workaround mentioned in KB85717. Please note, this KB applies a workaround for only one vulnerability (CVE-2021-22005, the critical one). There are other CVEs in VMSA-2021-0020 which do not have workarounds, and patching is the only option to cover all vulnerabilities.

The statement below is from KB85717:

"For customers running VCF, the workaround is required to be applied to all the vCenter systems running in your environment -- in both the management and all workload domains. "

Hope it helps; let us know if any more information is required.

Thanks

Denpiero08
Contributor

@baijup Thank you for taking the time to respond.

1. Fixed version = VCF 4.2.1 -> VCF 4.3.1 (Correct me if I'm wrong).
   Fixed version = VCF 4.1.0.1 -> 4.2.1 -> VCF 4.3.1 (Correct me if I'm wrong).

2. Is it possible to do the same for VCF on VxRail?

3. If the customer uses the workaround from KB85717, they will want to use the workaround from KB85718 in the next two weeks. Do they need to delete the comment from ph-web.xml before applying KB85718, or can they just apply the patch?

I appreciate your response.

baijup
VMware Employee

@Denpiero08 For question 1, the following documents will help if you are looking for more information on the upgrade path:

https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3/vcf-lifecycle/GUID-2E68DD66-94F2-4BAB-9272-C8...
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3/vcf-lifecycle/GUID-C82BB0D4-FD52-4CC9-A6BB-3A...

Question 2, I think it will be the same, but I recommend getting it clarified by Dell.

Question 3, no need to delete the comment from the ph-web.xml file; they can directly apply the patch.

Let us know if there are any additional questions.

Thanks
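The question above is whether a temporary comment-out workaround in ph-web.xml is still in place before the real patch is applied. The following added example, which is not from the thread or from VMware's KB, is a small offline verifier for that state: it reports which Spring bean definitions in a ph-web.xml-style file are wrapped in XML comments (disabled) and which ones the parser actually loads. The bean ids and the sample file content are constructed placeholders, not the real contents of a vCenter appliance's ph-web.xml; point `check_file` at the real file path on the appliance if you want to inspect it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Spring bean file in the style of ph-web.xml.
# Bean ids and classes are placeholders, not real vCenter bean names.
SAMPLE_WITH_WORKAROUND = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="exampleKeepAliveServlet" class="com.example.KeepAlive"/>
  <!--
  <bean id="exampleTelemetryServlet" class="com.example.Telemetry">
    <property name="path" value="/analytics/telemetry"/>
  </bean>
  -->
  <bean id="exampleHealthServlet" class="com.example.Health"/>
</beans>
"""

# Same constructed file with nothing commented out (i.e. workaround removed or never applied).
SAMPLE_WITHOUT_WORKAROUND = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="exampleKeepAliveServlet" class="com.example.KeepAlive"/>
  <bean id="exampleTelemetryServlet" class="com.example.Telemetry"/>
  <bean id="exampleHealthServlet" class="com.example.Health"/>
</beans>
"""

SPRING_NS = "{http://www.springframework.org/schema/beans}"
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
BEAN_ID_RE = re.compile(r'<bean\s[^>]*\bid="([^"]+)"')


def commented_out_beans(xml_text):
    """Return bean ids that sit inside XML comments, i.e. beans a comment-out workaround disabled."""
    ids = []
    for match in COMMENT_RE.finditer(xml_text):
        ids.extend(BEAN_ID_RE.findall(match.group(1)))
    return ids


def active_beans(xml_text):
    """Return bean ids the XML parser really loads; commented-out beans never reach the tree."""
    root = ET.fromstring(xml_text)
    return [bean.get("id") for bean in root.iter(SPRING_NS + "bean")]


def workaround_state(xml_text):
    """Summarise whether a comment-out workaround is still present in the given file content."""
    disabled = commented_out_beans(xml_text)
    return {
        "workaround_present": bool(disabled),
        "disabled_beans": disabled,
        "active_beans": active_beans(xml_text),
    }


def check_file(path):
    """Read a ph-web.xml-style file from disk and return its workaround state."""
    with open(path, encoding="utf-8") as handle:
        return workaround_state(handle.read())


if __name__ == "__main__":
    for label, sample in (("with workaround", SAMPLE_WITH_WORKAROUND),
                          ("without workaround", SAMPLE_WITHOUT_WORKAROUND)):
        print(label, workaround_state(sample))
```

The regex pass and the parser pass are deliberately kept separate: the parser shows what the application will actually load, while the comment scan shows what was switched off, so a file where both lists are empty or where a bean appears in neither list is worth a manual look before patching.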

Denpiero08
Contributor

They intend to implement step KB85717 first and then schedule downtime to implement KB85718 for both VCF and non-VCF environments. Thank you for the clarification.

Denpiero08
Contributor

@baijup VCF 4.2 is being used by my customer. They have a total of five vCenter Servers (Management, Production, DMZ, TEST, DEV). They intend to use KB85718.
1. Can they apply it to each vCenter Server on a weekly basis, or do they have to apply it on the same day?
2. Following the instructions in KB85718, we must apply it for the first vCenter Server. Then will the next vCenter Server have to repeat the process from beginning to end?

baijup
VMware Employee

@Denpiero08 Please find the updates below:

1. Can they apply it to each vCenter Server on a weekly basis, or do they have to apply it on the same day?

Technically yes, it can be done on a weekly basis. But there is a catch: as all these vCenter Servers are in Enhanced Linked Mode, ideally we will have to follow the approach below to take snapshots before patching:

  • Take an offline snapshot of all vCenter Servers in ELM
  • Patch the vCenter Servers
  • In case patching of any vCenter Server fails, we will have to revert all the VCs to snapshot, as reverting only one vCenter Server will break the VMDIR service replication between the vCenter Servers

So, it will be tough to manage if we go for patching on a weekly basis. But it is feasible with the approach below:

Week 1

  • Take offline snapshot of all 5 VCs
  • Patch VC1
  • Take snapshot of SDDC Manager
  • Follow the steps in KB85718 for VC1
  • Delete the snapshots post successful completion of VC1 patching

Week 2

  • Take offline snapshot of all 5 VCs
  • Patch VC2
  • Take snapshot of SDDC Manager
  • Follow the steps in KB85718 for VC2
  • Delete the snapshots post successful completion of VC1 patching

And so on for the remaining 3 VCs.


2. Following the instructions in KB85718, we must apply it for the first vCenter Server. Then will the next vCenter Server have to repeat the process from beginning to end?

Yes, when patching is complete for one vCenter Server, the steps mentioned in the KB need to be followed to update the new VC patch details in SDDC; the scripted method mentioned in the KB ("Alternatively: STEP2 and STEP3 can be executed via automated script as follows") will be easy to do.

One additional point to add if following KB85718. As mentioned in the Impact/Risks section of KB85718 (pasted below), after applying the steps in this KB, the Skip Level Upgrade process needs to be followed to upgrade to 4.3.1 at a later point in time.

"After applying the vCenter Server 7.0 Update 2d on your VCF 4.1, 4.1.0.1, 4.2, 4.2.1, or 4.3 environment using the procedure below, the supported upgrade path is to VCF 4.3.1 using Skip Upgrade from SDDCManager UI."

Denpiero08
Contributor

@baijup Allow me to summarize.

As a result, you propose applying KB85718 in one go for both VCF and non-VCF vCenter Servers (especially in Enhanced Linked Mode).

VCF with five VCs.
- Take a snapshot of all vCenter Servers as a first step.
- 1st VC -> KB85718 -> patch 7.0 u2d (update the 1st VC patch details in SDDC)
- 2nd VC -> KB85718 -> patch 7.0 u2d (update the 2nd VC patch details in SDDC)
- 3rd VC -> KB85718 -> patch 7.0 u2d (update the 3rd VC patch details in SDDC)
- 4th VC -> KB85718 -> patch 7.0 u2d (update the 4th VC patch details in SDDC)
- 5th VC -> KB85718 -> patch 7.0 u2d (update the 5th VC patch details in SDDC)
