Hi,
I'm doing an audit of a vSphere 5 environment. How can I tell if a hypervisor is patched with certain VMware patches (I've pulled a list of most recent ones from VMware security bulletin)?
I'm looking at VUM thru vCenter and I see baselines, but no baseline groups defined. I see under Home/Scheduled Tasks the VMware vSphere Update Manager Update Download & Check Notification tasks defined. Also under Patch Repository it shows a list of patches, but I don't know how I can see the evidence of a certain patch being installed on a hypervisor.
Can patches be applied outside VUM?
I would appreciate it if somebody could please point me in the right direction.
TIA
Alex
Check the following commands.
Sample output for the command: esxupdate info -b bulletinname

Id                       - ESX400-200906413-BG
Releasedate              - 2009-07-09T00:00:00-08:00
Vendor                   - VMware, Inc.
Summary                  - Updates vmkernel iSCSI Driver
Severity                 - critical
Category                 - critical
Installdate              - 2009-07-02T16:25:56.709691+05:30
Description              - This patch fixes an issue where iSCSI targets might disappear during controller fault or failover of an EqualLogic array. Currently, this issue has only been observed on EQL hardware. However it might not be specific to EQL arrays. Please see http://kb.vmware.com/kb/1012232 for more details
Kburl                    -
List of constituent VIBs: -rpm_vmware-esx-iscsi_4.0.0-0.5.175625@i386
Once you have the output from the commands you could compare the same with the list you have. Hope this helps.
Thanks,
Avinash
Thank you. Unfortunately I don't have access to hypervisor console. Is there any way to accomplish this using vCenter?
You could compare the patch repository, but I think that will not be much help given our requirement to find out the detailed information.
When I asked them to run the "esxcli software vib list" command I got output like below:
Name          ID                                                       AcceptanceLevel  Vendor  Version                     InstallDate  ReleaseDate
ata-pata-amd  VMware_bootbank_ata-pata-amd_0.3.10-3vmw.500.0.0.469512  VMwareCertified  VMware  0.3.10-3vmw.500.0.0.469512  1/23/2013    8/19/2011
While in Update Manager\Patch Repository I get something like below:
Patch Name Product Release Date Type Severity Category Impact Vendor Patch ID
Updates Firmware embeddedEsx 4.0.0 9/30/2010 4:00:00 AM Patch Critical Other Reboot VMware, Inc. ESXi400-201009401-BG
So how can I verify a certain patch is installed (I'm using VMware's security bulletin at VMware Security Advisories (VMSAs) - United States)?
Run this command
#esxupdate query
You should get a list of output similar to what you are looking for. This command should output the patch ID, which you can compare with the Update Manager. Please let me know if you're still having some trouble.
And furthermore, if you want to verify whether a particular patch is installed, run the below command:
#esxupdate query | grep <patch name>
E.g.: #esxupdate query | grep ESXi400-201009401-BG
You should get output similar to this:
----Bulletin ID---- -----Installed----- -------------Summary-------------
ESXi400-201009401-BG 2009-07-08T18:02:49 Updates VMX
If no output then that patch is not installed.
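An added audit helper, not from this thread or from VMware, that parses the two output formats quoted above (`esxupdate query` on ESX/ESXi 4.x and `esxcli software vib list` on ESXi 5.x) and reports which bulletin IDs from an advisory list the host does not show. The sample outputs are constructed to match those formats; the mapping from the esx-base VIB version to the host build number is an assumption noted in the code.

```python
"""Compare a host's reported patches against a required bulletin list."""
import re

# Constructed sample of `esxupdate query` output (format as quoted in the thread).
ESXUPDATE_QUERY = """\
----Bulletin ID---- -----Installed----- -------------Summary-------------
ESXi400-201009401-BG 2009-07-08T18:02:49 Updates VMX
ESXi400-201009402-BG 2010-10-01T09:12:00 Updates Firmware
"""

# Constructed sample of `esxcli software vib list` output (format as quoted in the thread).
ESXCLI_VIB_LIST = """\
Name          ID                                                       AcceptanceLevel  Vendor  Version                     InstallDate  ReleaseDate
ata-pata-amd  VMware_bootbank_ata-pata-amd_0.3.10-3vmw.500.0.0.469512  VMwareCertified  VMware  0.3.10-3vmw.500.0.0.469512  2013-01-23   2011-08-19
esx-base      VMware_bootbank_esx-base_5.0.0-1.25.914586               VMwareCertified  VMware  5.0.0-1.25.914586           2013-01-23   2012-12-20
"""


def installed_bulletins(esxupdate_output):
    """Return {bulletin_id: installed_timestamp} parsed from `esxupdate query` text."""
    found = {}
    for line in esxupdate_output.splitlines():
        # Bulletin IDs look like ESX400-... or ESXi500-...; the dashed header never matches.
        m = re.match(r"^(ESXi?\d{3}-\S+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def missing_bulletins(required, esxupdate_output):
    """Bulletin IDs from the advisory list that the host does not report as installed."""
    have = installed_bulletins(esxupdate_output)
    return sorted(b for b in required if b not in have)


def installed_vibs(esxcli_output):
    """Return {vib_name: version} parsed from `esxcli software vib list` text."""
    vibs = {}
    for line in esxcli_output.splitlines()[1:]:  # skip the header row
        parts = line.split()  # no field in this output contains spaces
        if len(parts) >= 5:
            vibs[parts[0]] = parts[4]
    return vibs


def build_number(vib_version):
    """Trailing numeric component of a VIB version (e.g. 5.0.0-1.25.914586 -> 914586).
    Assumption: for the esx-base VIB this equals the host build shown in vCenter."""
    return int(vib_version.rsplit(".", 1)[-1])
```

Feed the functions the captured command output and the bulletin IDs taken from the VMSA; a non-empty result from `missing_bulletins` is the list to chase up, and `build_number(installed_vibs(...)["esx-base"])` can be checked against the build shown in the vCenter banner.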
> How can I tell if a hypervisor is patched with certain VMware patches (I've pulled a list of most recent ones from VMware security bulletin)?
Assuming you know what the ESXi host's original version and build number was, probably the easiest way is to look at the build number for the host from vCenter without using anything other than websites. ESXi patches are cumulative and the build number should be the easiest way to determine the "current patch level". Selecting the ESXi host in vCenter and looking at the version and build number in the grey banner is where you will find that (if you weren't aware of that already).
If you are lucky you might be able to find that build number on the 1014508 KB article (linked below); again you might get lucky and find that build number on the Security Patches KB, but it's perhaps not the most comprehensive list of patches.
Correlating vCenter Server and ESXi/ESX host build numbers to update levels (1014508)
http://kb.vmware.com/kb/1014508
VMware Security Patches Upgrade Guide (2019941)
http://kb.vmware.com/kb/2019941
However the above Security Patches guide only covers the... security patches... and omits the bug fix patches in some cases... so the below page is probably the most comprehensive list. Alternatively you can do a Google search for the build number you found and directly find the KB article for that patch, which is also linked off the below Patches page. Just do a search for the particular version you are using.
Product Patches
https://my.vmware.com/group/vmware/patch#search
While you are there click on the "Get Net Patch Alerts" link and subscribe to patch notifications.
The other place to find information is in the Release notes for Update releases (rollup of many patches and some feature enhancements). Check out the "Patches Contained in this Release" on the specific Release notes page. e.g. ESXi 5.1 Update 1 Release Notes
You can find the specific release notes for the version you are using on the vSphere doco page; just select your specific version on the drop down. It's also worth checking out the upgrade processing information in the Release Notes and within the Upgrade Guide on that same page.
Keep in mind when looking at Patch KB articles there are two types.
But easier and more efficient alternatives would be:
> Can patches be applied outside VUM?
Yep, a few ways.
Ok thanks... So I have the hypervisor build document from the VM admin team stating it is VMware ESXi 5.0 Update 2 Build 914586. Then it shows the following:
Does it mean 914586 includes the following patches already, or do these patches need to be installed in addition? How do I know which patches are already included in build 914586? I was not able to get this information from the links you had provided.
Vendor | Patch ID | Severity | Category |
VMware, Inc. | ESXi500-201112405-BG | Low | BugFix |
VMware, Inc. | ESXi500-201203203-UG | Important | BugFix |
VMware, Inc. | ESXi500-201203204-UG | Important | Enhancement |
VMware, Inc. | ESXi500-201203206-UG | Important | BugFix |
VMware, Inc. | ESXi500-201203208-UG | Important | BugFix |
VMware, Inc. | ESXi500-201203209-UG | Important | BugFix |
VMware, Inc. | ESXi500-201203210-UG | Important | BugFix |
VMware, Inc. | ESXi500-201203211-UG | Important | BugFix |
VMware, Inc. | ESXi500-201207403-UG | Important | BugFix |
VMware, Inc. | ESXi500-201207406-UG | Important | BugFix |
VMware, Inc. | ESXi500-Update01 | Critical | BugFix |
VMware, Inc. | ESXi500-201212202-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212204-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212205-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212206-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212207-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212208-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212209-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212210-UG | Important | BugFix |
VMware, Inc. | ESXi500-201212211-UG | Important | BugFix |
VMware, Inc. | ESXi500-Update02 | Critical | BugFix |
VMware, Inc. | ESXi500-201303402-BG | Important | BugFix |
VMware, Inc. | ESXi500-201303401-BG | Important | BugFix |
Looking at the above list you seem to have bugfixes, but I would expect to see at least as many security fixes as well. You might want to double check that list and loop those in as well.
It's my understanding that each subsequent build number within the same version (i.e. 5.0 is a different stream to 5.1, 4.0, and 4.1) is cumulative in its fixes within the patches (you'd hope that is true, but I guess there is a slight chance that subsequent fixes could inadvertently undo prior efforts). Unfortunately I'm not aware of any way of seeing a list of fixes (bug or security) from one old build number (with its patches) to a new one (with its patches) without individually going into each patch KB article within a release and reviewing it manually.
This is where the KB articles for the Patch Release and the patches themselves come into it. You just need to track down those KBs for the patches you've listed above (plus any extra security patches)... I provided examples of those KBs above so that once you had the list you have, you would know what you are looking for.
If there is a better way with publicly available information I'm not aware of it. If you have a TAM or support contract you might be able to request a collated list of patches with their list of issues fixed between one build number and the next. But that is pure conjecture spiced with a bit of laziness.... 😉