Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the affected machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits; to what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues; watch for additional patches as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).
Update – VMware has removed patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-04).
As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-02) and Hypervisor-Assisted Guest Remediation (VMSA-2018-04). For more detail, check out this VMware KB detailing these responses.
VMware Patch Numbers for ESXi Versions (VMSA-2018-02):
- ESXi 6.5 – ESXi650-201712101-SG
- ESXi 6.0 – ESXi600-201711101-SG
- ESXi 5.5 – ESXi550-201709101-SG
  - This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753
VMware Patch Numbers for ESXi Versions (VMSA-2018-04):
- ESXi 6.5 – ESXi650-201801401-BG, ESXi650-201801402-BG
- ESXi 6.0 – ESXi600-201801401-BG, ESXi600-201801402-BG
- ESXi 5.5 – ESXi550-201801401-BG
For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching as other components may need to be patched first.
Last week we discussed how to patch ESXi hosts using VMware Update Manager. However, leveraging Update Manager is not always feasible, so in this post we’ll walk through the process of installing patches using ESXCLI commands. If you are comfortable executing ESXCLI commands, this process can be completed with relative ease.
In this instance, we will be installing a third-party (HPE iLO) VIB. If you are unfamiliar with VIBs (vSphere Installation Bundles), they are collections of files packaged for installation. VIBs typically contain solutions, drivers, CIM providers or applications. VIB installations can be performed using a local or HTTP setup. The local setup requires the VIB to be manually downloaded from the provider and subsequently uploaded to your datastore. The HTTP setup allows the VIB to be obtained directly from the provider’s online repository. More information on the setups can be found here. For our example, we will utilize the HTTP setup with HPE’s online repository (vibsdepot).
Today I wanted to run through the process used to patch HP drivers on an ESXi host; specifically through Update Manager. In a vSphere 6.5 troubleshooting post, we discussed a PSOD issue stemming from a specific HP iLO driver. That being the case, it seemed fitting to go through the patch process for the affected iLO driver in this post. Despite this being a very specific patch, the general patch procedure can be applied to other driver updates as well.
Issue Background – HPE Advisory regarding ProLiant servers deployed using hpe-ilo driver version 184.108.40.206-24: a VMware ESXi 6.5 host fails with a Purple Screen Diagnostic indicating that CPU XX / World XXXXXX tried to re-acquire a lock. Resolved by upgrading the hpe-ilo driver to version 6220.127.116.11 or later.
In our instance, we will check the ESXi host(s) for the affected HP driver.
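The host check described above, and the ESXCLI-based install route from the earlier post, as an added shell example (not code from the original posts): it parses `esxcli software vib list` output for a named VIB and compares the installed version against a minimum. The VIB list and its version numbers are constructed placeholders, not the advisory's values; the `<version-from-advisory>` argument is whatever the HPE advisory specifies.

```shell
#!/bin/sh
# Added example, not from the original post: check `esxcli software vib list`
# output for a VIB that is older than the version an advisory calls for.

# Constructed sample in the layout of `esxcli software vib list`; the hpe-ilo
# version here is a placeholder, not the advisory's real number.
SAMPLE_VIB_LIST='Name      Version                      Vendor  Acceptance Level  Install Date
--------  ---------------------------  ------  ----------------  ------------
hpe-ilo   650.0.0.1-1                  HPE     PartnerSupported  2017-09-01
net-i40e  1.3.45-1OEM.650.0.0.4598673  INT     VMwareCertified   2017-09-01'

# Compare two dotted/dashed version strings component by component.
# Prints -1, 0 or 1. Missing trailing components count as 0.
vercmp() {
  a=$(printf '%s' "$1" | tr '-' '.'); b=$(printf '%s' "$2" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    y=${b%%.*}; case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    # expr compares numerically when both sides are integers, lexically otherwise
    if expr "${x:-0}" '<' "${y:-0}" >/dev/null; then printf '%s\n' -1; return; fi
    if expr "${x:-0}" '>' "${y:-0}" >/dev/null; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Print the installed version of VIB $1 from `esxcli software vib list` on stdin.
vib_version() { awk -v name="$1" '$1 == name { print $2 }'; }

# Return 0 if VIB $1 is at or above version $2, 1 if older, 2 if not installed.
check_vib() {
  v=$(vib_version "$1")
  if [ -z "$v" ]; then echo "$1: not installed"; return 2; fi
  if [ "$(vercmp "$v" "$2")" -lt 0 ]; then
    echo "$1: installed $v is older than $2, update required"; return 1
  fi
  echo "$1: installed $v meets $2"; return 0
}

# On a real host:  esxcli software vib list | check_vib hpe-ilo <version-from-advisory>
# If it reports "update required", apply the vendor VIB (after reading the release
# notes) with:  esxcli software vib update -d <vendor-depot-url>
printf '%s\n' "$SAMPLE_VIB_LIST" | check_vib hpe-ilo 650.0.0.2-1 || true
```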
As versions of vCenter Server 6.5 are released, admins may be looking to update their environments to leverage the latest functionality and fixes. If you are at that point with your vCenter Server Appliance, don’t sweat the patch process. This update is easily performed using the vCenter Server Appliance Management Interface (VAMI) and URL patching. If you are unfamiliar with the VAMI, it is the administrative interface that allows management and monitoring of the vCenter Appliance.
If you are all too familiar with the VAMI, you may have noticed that it was missing in the 6.0 release. Fortunately, with the 6.0 U1 release, VMware re-introduced the Virtual Appliance Management Interface and URL patching. URL patching goes out to the VMware repository, checks for updates, and patches the VCSA to the latest version.
Let’s walk through the process for updating vCenter 6.5 to the latest 6.5 version. This process is the same for updating to 6.5b, 6.5c, 6.5d, 6.5 U1, etc…
To start, log into the vCenter Server Appliance Management Interface (https://vcsaIP:5480).
Quick update: VMware released patches for both ESXi and vCenter 6.5 today. There are quite a few fixes we could discuss, but I will concentrate on the highlights and provide a few helpful links.
VMware ESXi 6.5, Patch ESXi-6.5.0-20170304001-standard
- UNMAP – Automated UNMAP was introduced in 6.5, but has experienced issues with UNMAP requests not being passed to the storage array, so no space was reclaimed. Cormac Hogan has an in-depth article on this.
- ESXi SNMP Crash – The ESXi SNMP agent was known to randomly crash which in turn reported a false host reboot alarm to the SNMP monitor.
- Snapshot Cancellation on VVols – Cancelling a snapshot whose VMDKs resided on a VVol resulted in the disks not getting rolled back properly and possible data loss.
More issues resolved by this patch can be found here.
vCenter Server 6.5.0b