VMware Cloud Community
stanj
Enthusiast

HeartBleed patch for build 1331820?

So, I see the heartbleed patches were released for ESXi - 2 of them...

Looking through the readme files, I do not see which patch I need to apply to our ESXi 5.5 1331820?

Do I first need to upgrade to a new release then apply one of the two patches?

thanks

a_p_
Leadership

The two versions are basically meant for ESXi 5.5 without Update 1, and ESXi 5.5 with Update 1. Please take a look at http://kb.vmware.com/kb/2076665 for details. IMO one of the main reasons for "ESXi550-201404020" is most likely the NFS issue explained in the KB.


André

stanj
Enthusiast

I read the KB.

Under the second bullet, in the "hosts patched with...." section, I do not see anything about build 1331820, only 2013xxxxx and 2014xxxxxx.

Since I am at 1331820, do I need to update to a new 5.5 release to apply one of these patches?

a_p_
Leadership

The different naming conventions can really be confusing. Anyway, the build number you mentioned is the one from the GA (unpatched) release.

Since the patches are cumulative, there's nothing you need to install prior to applying one of these patches.

André

vNEX
Expert

Hi Stan,

I understand it like this (regarding VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160):

A) Everyone with ESXi 5.5 GA build 1331820 and others with the images listed below (i.e. all non-Update 1 hosts: all hosts under build number 1623387) should apply this patch:

     VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404020

  • ESXi 5.5.0 hosts
  • ESXi 5.5.0 hosts patched with ESXi550-201312101-SG bulletin that contains VMware_bootbank_esx-base_5.5.0-0.7.1474526.vib.
  • ESXi 5.5.0 hosts patched with ESXi550-201312401-BG bulletin that contains VMware_bootbank_esx-base_5.5.0-0.7.1474528.vib.
  • ESXi 5.5.0 hosts patched with ESXi550-201403101-SG bulletin that contains VMware_bootbank_esx-base_5.5.0-0.14.1598313.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-standard image profile that contains VMware_bootbank_esx-base_5.5.0-0.7.1474526.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-no-tools image profile that contains VMware_bootbank_esx-base_5.5.0-0.7.1474526.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-standard image profile that contains VMware_bootbank_esx-base_5.5.0-0.7.1474526.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-no-tools image profile that contains VMware_bootbank_esx-base_5.5.0-0.7.1474526.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-standard image profile that contains VMware_bootbank_esx-base_5.5.0-0.14.1598313.vib.
  • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-no-tools image profile that contains VMware_bootbank_esx-base_5.5.0-0.14.1598313.vib.

Next you should do this:

After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, you should only patch your systems with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1.

B) Everyone with ESXi 5.5 Update 1 already installed (all hosts with build number 1623387 and above) should apply only this patch:

     VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404001

And don't forget to follow these instructions:

Post installation instructions:

After installing the above-mentioned patches accordingly, you need to perform certificate revocation/replacement and change the passwords.

Regards,

Petr

_____________________________________________
If you found this or any other answer helpful, please consider awarding points (use the Correct or Helpful buttons). Regards, P.
stanj
Enthusiast

I agree it is confusing.

Especially with the word "not" highlighted and the word "only" used!

Throw in the "Note:" at the end and it requires yet more deducing.

So, I can apply ESXi550-20140400 to our 1331820 build even though bullet 1 says "ESXi 5.5 Update 1 hosts should only be patched with this patch".



a_p_
Leadership

This is what I understand:

  • if you are already on ESXi 5.5 Update 1, only use "ESXi550-201404001"
  • if you are on a previous build, you can use either "ESXi550-201404020" or "ESXi550-201404001".

One of the reasons not to patch a current non-Update 1 host to Update 1 is the NFS issue mentioned in the KB.


André


vNEX
Expert

For better understanding there should be a patching flowchart in KB 2076665, because it is maybe a little bit tricky and confusing, but I can see it quite clearly:

1. If you are on a previous (non-U1) build, you have to patch your host with both patches in this order (if you want to go for the fixed Complete Update 1 release):

FIRST - VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404020

SECOND - VMware KB: VMware ESXi 5.5, Patch Release ESXi550-201404001


If you want to just address and resolve the OpenSSL Heartbleed issue without the step to U1, install only "ESXi550-201404020".


KB2076665 Notes:

Note: After you have patched your ESXi hosts with VMware ESXi 5.5, Patch Release ESXi550-201404020, you should not upgrade your hosts to ESXi 5.5 Update 1 as the hosts will again be vulnerable to the OpenSSL Heartbleed issue. After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, you should only patch your systems with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1.

And for me the main reason/recommendation not to patch current non-Update 1 hosts to Update 1 applies only to those who already installed "ESXi550-201404020", because installing the U1 release on them makes those hosts vulnerable to the OpenSSL Heartbleed issue again.


As I understand it, the only right way to go for ESXi 5.5 Update 1 is the path I mentioned above: bypass VMware KB: VMware ESXi 5.5, Patch ESXi550-Update01: ESXi 5.5 Complete Update 1 and install "ESXi550-201404020" first and then "ESXi550-201404001" (which contains the fixed U1 image).


P.

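The decision rule laid out in the two replies above (build below Update 1 means ESXi550-201404020 first, Update 1 or later means ESXi550-201404001 only) as an added shell helper; this is not code from the thread or from VMware, the function names are mine, and the `vmware -v` and `esxcli software vib list` samples are constructed.

```shell
#!/bin/sh
# Added example: classify an ESXi 5.5 host by build number and name the
# Heartbleed bulletin that KB 2076665, as summarised in the thread, applies.
# Function names are assumptions; the sample inputs below are constructed.

# Build number of ESXi 5.5 Update 1, the dividing line in the KB.
U1_BUILD=1623387

# Constructed sample of `vmware -v` on a 5.5 GA host.
SAMPLE_VMWARE_V='VMware ESXi 5.5.0 build-1331820'

# Constructed sample of `esxcli software vib list` on a host carrying the
# ESXi550-201403101-SG esx-base VIB quoted in the thread (columns shortened).
SAMPLE_VIB_LIST='Name      Version             Vendor  Acceptance Level  Install Date
esx-base  5.5.0-0.14.1598313  VMware  VMwareCertified   2014-03-20
esx-xlibs 5.5.0-0.0.1331820   VMware  VMwareCertified   2013-09-19'

# Pull the numeric build out of a `vmware -v` line.
esxi_build_from_version() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# Pull the build out of the esx-base VIB version (its last dotted field),
# which is what the KB's per-bulletin list is keyed on.
esxi_build_from_vib_list() {
    printf '%s\n' "$1" | awk '$1 == "esx-base" { n = split($2, f, "."); print f[n] }'
}

# Decide the bulletin:
#   build >= U1: already on Update 1, apply ESXi550-201404001 only
#   build <  U1: apply ESXi550-201404020 (then ESXi550-201404001 if Update 1
#               is wanted; never the original Complete Update 1 image, which
#               would reintroduce the vulnerable OpenSSL)
heartbleed_patch_for_build() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown-build"; return 1 ;;
    esac
    if [ "$1" -ge "$U1_BUILD" ]; then
        echo "ESXi550-201404001"
    else
        echo "ESXi550-201404020"
    fi
}

# Stand-alone demonstration on the constructed samples.
for b in "$(esxi_build_from_version "$SAMPLE_VMWARE_V")" \
         "$(esxi_build_from_vib_list "$SAMPLE_VIB_LIST")" "$U1_BUILD"; do
    echo "build $b -> $(heartbleed_patch_for_build "$b")"
done
```

On a real host the same functions take the live output, e.g. `heartbleed_patch_for_build "$(esxi_build_from_version "$(vmware -v)")"`, and the same rule applies to any pre-U1 esx-base VIB in the KB's list, not only the one sampled here.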
stanj
Enthusiast

I will be applying the ESXi patches today.

For vCenter, what version is required? There is a U1 and a C.

thanks

a_p_
Leadership

Why not go to the latest version if you patch it anyway? I updated the Windows-based vCenter Server in my office to Update 1a.

André

stanj
Enthusiast

Why was there a "c" released?

It looks like the same release date as 1a.

a_p_
Leadership

I guess there may be reasons (compliance, ...) in some cases where an upgrade to Update 1a cannot be done without planning, but the patch needs to be applied anyway.

André

vNEX
Expert

5.5.0c - addresses and resolves the Heartbleed issue for all pre-Update 1 vCenter releases (5.5 GA; 5.5.0a; 5.5.0b)

5.5U1a - does the same, only for vCenter 5.5 Update 1

If you have pre U1 build and want Update 1 go directly for 5.5 U1a (1750787).

VMware KB: Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5

Check also the latest Security Advisory for other products; it is continuously updated (updated on: 2014-04-22):

VMSA-2014-0004.7


P.

Gav0
Hot Shot

a.p. wrote:

Why not go to the latest version if you patch it anyway? I updated the Windows-based vCenter Server in my office to Update 1a.

André

This was my initial reaction, but as it turns out NetApp have not updated their IMT to include 5.5 Update 1. We are currently on 5.5, but we need to be sure our production environment is in a fully supported configuration with all our vendors; in the case of NetApp the Data ONTAP version and the VSC compatibility are very important.

For this reason I will be upgrading vCenter to 5.5.c and ESXi to ESXi550-201404020.

I hope this helps to answer your question, stanj, about why both versions were released.

Please award points to your peers for any correct or helpful answers
stanj
Enthusiast

Thanks for the info.

I applied 5.5.0-1750795-20140201-update01 and ESXi550-201404020 / ESXi550-201404001.


Nessus scan showed all clear.

vNEX
Expert

New valuable content for this issue was published:

Posted on April 25, 2014 by Rick Blythe:

Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs
