VMSA-2024-0006 Async Patch Tool Offline Remediation Steps
search cancel

VMSA-2024-0006 Async Patch Tool Offline Remediation Steps

book

Article ID: 314650

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

Consolidated offline Async Patching steps to remediate the VMSA-2024-0006 vulnerability for VCF 4.x and 5.x environments.

Symptoms:
Multiple vulnerabilities in VMware ESXi affecting VCF 4.x and VCF 5.x are outlined in VMSA-2024-0006

Environment

VMware Cloud foundation 5.x
VMware Cloud Foundation 4.x

Resolution

Please note the following:

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling ESXi 8.0U1d patch will also update SDDC Manager services on VCF 5.0.0.0
  • Enabling ESXi 7.0U3p patch will also update SDDC Manager services on VCF 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0
  • Additional bundles may be downloaded during the bundle download process. 

Download the latest Async Patch Tool to a computer that has access to the internet and the SDDC Manager appliance.

  1. Log in to VMware Customer Connect
  2. Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW
  3. Extract vcf-async-patch-tool-<version>.tar.gz.
  4. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.
  5. Run the download from the AP Tool.

    If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.

    4.x Linux:

    ./vcf-async-patch-tool -d --patch ESX_HOST:7.0.3-23307199 --du customer_connect_email


    4.x Windows:

    vcf-async-patch-tool.bat -d --patch ESX_HOST:7.0.3-23307199 --du customer_connect_email


    5.x Linux:
    ESXi 8.0 U1d:

    ./vcf-async-patch-tool -d --patch ESX_HOST:8.0.1-23299997 --du customer_connect_email

    ESXi 8.0 U2b:

    ./vcf-async-patch-tool -d --patch ESX_HOST:8.0.2-23305546 --du customer_connect_email


    5.x Windows:
    ESXi 8.0 U1d:

    vcf-async-patch-tool.bat -d --patch ESX_HOST:8.0.1-23299997 --du customer_connect_email

    ESXi 8.0 U2b:

    ./vcf-async-patch-tool -d --patch ESX_HOST:8.0.2-23305546 --du customer_connect_email

     

  6. SSH into the SDDC Manager using the vcf user account and create the following directory:

    mkdir /nfs/vmware/vcf/nfs-mount/apToolBundles
    
  7. Copy the patch and set permissions.

    a. Copy the entire output directory from the local computer (for example, apToolBundles) to the SDDC Manager appliance.



    b. SSH in to the SDDC Manager appliance using the vcf user account.
    c. Update the permissions on the apToolBundle directory.

    chmod -R 755 /nfs/vmware/vcf/nfs-mount/apToolBundles && chown -R vcf:vcf /nfs/vmware/vcf/nfs-mount/apToolBundles
    
  8. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.

    a. SSH in to the SDDC Manager appliance using the vcf user account.
    Note:If an existing or older version of the Async Patch Tool exists in the directory, you will need to remove these files before downloading the latest version of the Async Patch Tool.

    rm -r /home/vcf/asyncPatchTool

    b. Create the asyncPatchTool directory.

    mkdir /home/vcf/asyncPatchTool

    c. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) that you downloaded in step 1 to the /home/vcf/asyncPatchTool directory.

    d. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz.

    cd /home/vcf/asyncPatchTool
    tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
    

    e. Set the permissions for the asyncPatchTool directory.

    chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
    
    
  9. Take a snapshot of the SDDC Manager VM

  10. Enable the async patch with the relevant command below:

    4.x VMware Cloud Foundation:

    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:7.0.3-23307199 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

    5.x VMware Cloud Foundation:

    ESXi 8.0 U1d:

    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:8.0.1-23299997 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

    ESXi 8.0 U2b:

    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:8.0.2-23305546 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

     

  11. Log in to the SDDC Manager UI and apply the async patch to all workload domains

  12. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.

    a. SSH in to the SDDC Manager appliance using the vcf user account.
    b. Run the following command and complete prompts:

    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf



Additional Information