So, I see the heartbleed patches were released for ESXi - 2 of them...
Looking through the readme files, I do not see which patch I need to apply to our ESXi 5.5 1331820.
Do I first need to upgrade to a new release and then apply one of the two patches?
thanks
The two versions are basically meant for ESXi 5.5 without Update 1, and ESXi 5.5 with Update 1. Please take a look at http://kb.vmware.com/kb/2076665 for details. IMO one of the main reasons for "ESXi550-201404020" is most likely the NFS issue explained in the KB.
André
I read the KB.
Under the second bullet, in the "hosts patched with...." part,
I do not see anything about build 1331820, only 2013xxxxx and 2014xxxxxx.
Since I am at 1331820, do I need to update to a new 5.5 release to apply one of these patches?
The different naming conventions can really be confusing. Anyway, the build number you mentioned is the one from the GA (unpatched) release.
Since the patches are cumulative, there's nothing you need to install prior to applying one of these patches.
André
Hi Stan,
I understand it like this (regarding VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160):
A) Everyone with ESXi 5.5 GA build 1331820 and others with images listed below (i.e. all non-Update 1 hosts: all hosts under Build Number 1623387) should apply this patch:
VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404020
Next you should do this:
After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, you should only patch your systems with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1.
B) Everyone with ESXi 5.5 Update 1 already installed (all hosts with Build Number 1623387 and above) should apply only this patch:
VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404001
And don't forget to follow these instructions:
Post installation instructions:
After installing the above-mentioned patches accordingly, you need to perform certificate revocation/replacement and change the passwords.
Regards,
Petr
I agree on the confusion,
especially with the word "not" highlighted and the word "only" used!
Throw in a "Note:" at the end and it requires yet more deducing.
So, I can apply ESXi550-20140400 to our 1331820 build even though bullet 1 says "ESXi 5.5 Update 1 hosts should only be patched with this patch".
This is what I understand:
One of the reasons not to patch a current non-Update 1 host to Update 1 is the NFS issue mentioned in the KB.
André
For better understanding there should be some patching flowchart in KB 2076665, because it is maybe a little bit tricky and confusing, but
I can see it quite clearly:
1. If you are on a previous (non-U1) build, you have to patch your host with both patches in this order (if you want to go for the fixed Complete Update 1 release):
FIRST - VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404020
SECOND - VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404001
If you just want to address and resolve the OpenSSL Heartbleed issue without stepping to U1, install only "ESXi550-201404020".
KB2076665 Notes:
Note: After you have patched your ESXi hosts with VMware ESXi 5.5, Patch Release ESXi550-201404020, you should not upgrade your hosts to ESXi 5.5 Update 1 as the hosts will again be vulnerable to the OpenSSL Heartbleed issue. After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, you should only patch your systems with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1.
And for me the main reason/recommendation not to patch a current non-Update 1 host to Update 1 applies only to those who already installed "ESXi550-201404020", because installing the U1 release on them makes those hosts vulnerable to the OpenSSL Heartbleed issue again.
As I understand it, the only right way to go for ESXi 5.5 Update 1 is the path I mentioned above = bypass VMware KB: VMware ESXi 5.5, Patch ESXi550-Update01: ESXi 5.5 Complete Update 1 and install "ESXi550-201404020" first and then "ESXi550-201404001" (which contains the fixed U1 image).
P.
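As an added example (not from this thread, VMware, or the KB), a small POSIX shell helper that encodes the patch ordering Petr describes: it reads the build number from `vmware -v` output and prints which bundle(s) a 5.5 host needs and in what order, as a dry run of the esxcli commands. The depot path /vmfs/volumes/datastore1/ and the bundle zip names are assumptions.

```shell
#!/bin/sh
# Build thresholds and bundle names as quoted from KB 2076665 in the thread.
U1_BUILD=1623387                 # first ESXi 5.5 Update 1 build
PRE_U1_FIX="ESXi550-201404020"   # Heartbleed fix for non-U1 hosts
U1_FIX="ESXi550-201404001"       # fixed Update 1 image; the only bundle U1 hosts need

# build_from_version: extract the numeric build from `vmware -v` output,
# e.g. "VMware ESXi 5.5.0 build-1331820" -> 1331820 (empty if not recognised).
build_from_version() {
  printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# plan_patches BUILD TARGET: print the bundles to install, one per line, in order.
# TARGET is "stay" (Heartbleed fix only) or "u1" (end up on a fixed Update 1).
# Never lists the original ESXi550-Update01 bundle: applying it after the fix
# would reintroduce the vulnerable OpenSSL.
plan_patches() {
  build=$1; target=$2
  case $build in
    ''|*[!0-9]*) echo "unrecognised build number: '$build'" >&2; return 1 ;;
  esac
  if [ "$build" -ge "$U1_BUILD" ]; then
    echo "$U1_FIX"                 # already on U1: just the fixed U1 bundle
  else
    echo "$PRE_U1_FIX"             # pre-U1: Heartbleed fix first
    if [ "$target" = "u1" ]; then
      echo "$U1_FIX"               # then the fixed U1 bundle (not ESXi550-Update01)
    fi
  fi
}

# patch_commands BUILD TARGET: the esxcli invocations for the plan, as a dry run.
# Assumed depot location: the bundle zips uploaded to /vmfs/volumes/datastore1/.
patch_commands() {
  plan_patches "$1" "$2" | while read -r bundle; do
    echo "esxcli software vib update -d /vmfs/volumes/datastore1/$bundle.zip"
    echo "reboot   # required after $bundle"
  done
  # Per the KB, patching alone is not enough: replace the host certificates
  # and change passwords afterwards, since both may have leaked already.
  echo "# next: regenerate/replace certificates and change passwords"
}

# Example run against a constructed `vmware -v` line for a GA host going to U1.
patch_commands "$(build_from_version 'VMware ESXi 5.5.0 build-1331820')" u1
```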
I will be applying the ESXi patches today.
For vCenter, what version is required -- there is a U1 and a C
thanks
Why not go to the latest version if you patch it anyway. I updated the Windows based vCenter Server in my office to Update 1a.
André
Why was there a "c" released?
It looks like the same release date as 1a..
I guess there may be reasons (compliance, ...) in some cases, where an upgrade to Update 1a cannot be done without planning, but the patch needs to be applied anyway.
André
5.5.0c - addresses and resolves the Heartbleed issue for all pre-Update 1 vCenter releases (5.5 GA; 5.5.0a; 5.5.0b)
5.5U1a - does the same only for vCenter 5.5 Update 1
If you have a pre-U1 build and want Update 1, go directly for 5.5 U1a (1750787).
VMware KB: Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5
Check also the latest Security Advisory for other products; it is continuously updated (Updated on: 2014-04-22):
VMSA-2014-0004.7
P.
a.p. wrote:
Why not go to the latest version if you patch it anyway. I updated the Windows based vCenter Server in my office to Update 1a.
André
This was my initial reaction, but as it turns out Netapp have not updated their IMT to include 5.5 Update 1. We are currently on 5.5 but we need to be sure our production environment is in a fully supported configuration with all our vendors - in the case of Netapp the Data ONTAP version and the VSC compatibility are very important.
For this reason I will be upgrading vCenter to 5.5.0c and ESXi to ESXi550-201404020.
I hope this helps to answer your question stanj about why both versions were released.
thanks for the info.
I applied 5.5.0-1750795-20140201-update01 and ESXi550-201404020 / ESXi550-201404001.
Nessus scan showed all clear.
New valuable content for this issue was published:
Posted on April 25, 2014 by Rick Blythe:
Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs