VMSA-2024-0006 Async Patch Tool Online Remediation Steps

Article ID: 314651

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

Consolidated Async Patching steps to remediate the VMSA-2024-0006 vulnerabilities in VCF 4.x and 5.x environments.

Symptoms:
Multiple vulnerabilities in VMware ESXi affecting VCF 4.x and VCF 5.x are outlined in VMSA-2024-0006.

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 4.x

Resolution

Please note the following:

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling the ESXi 8.0U1d patch will also update SDDC Manager services on VCF 5.0.0.0.
  • Enabling the ESXi 7.0U3p patch will also update SDDC Manager services on VCF 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0.
  • ESX_HOST patches cannot be applied to VxRail environments. Please engage Dell support if running VMware Cloud Foundation on Dell EMC VxRail.

  1. Download the latest Async Patch Tool to a computer with access to the SDDC Manager appliance.
     • AP Tool download: within the VCF product download page, click the "Drivers & Tools" tab. The AP Tool download can be found on this page.
  2. Copy the Async Patch Tool to the SDDC Manager appliance and configure it.
     1. SSH into the SDDC Manager appliance using the vcf user account.
        • Note: If an existing or older version of the Async Patch Tool exists in the directory, you must remove these files before downloading the latest version, using the following command:
          rm -r /home/vcf/asyncPatchTool
     2. Create the asyncPatchTool directory:
          mkdir /home/vcf/asyncPatchTool
     3. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in Step 1 to the /home/vcf/asyncPatchTool directory.
     4. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz:
          cd /home/vcf/asyncPatchTool
          tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
     5. Set the permissions for the asyncPatchTool directory:
          chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
  3. Take a snapshot of the SDDC Manager VM.
  4. Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
     • 300 seconds (five minutes) is generally enough to ensure the connection doesn't time out during the download.
     • Example: PuTTY > Change Settings > Connection > Seconds between keepalives (0 to turn off) > set to 300 > Apply
  5. Enable the async patch with the relevant command below.
     If SDDC Manager connects to the internet through a proxy server, add the --proxyServer (--ps) option to specify the FQDN and port of the proxy server, for example --proxyServer FQDN:port.

     4.x VMware Cloud Foundation:
       /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:7.0.3-23307199 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

     5.x VMware Cloud Foundation:
       ESXi 8.0 U1d:
       /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:8.0.1-23299997 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
       ESXi 8.0 U2b:
       /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:8.0.2-23305546 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

  6. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
  7. After successfully applying the async patch, use the Async Patch Tool to deactivate the patch.
     1. SSH into the SDDC Manager appliance using the vcf user account.
     2. Run the following command and complete the prompts:
          /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
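The staging steps and the enable command above, wrapped in shell functions as an added example (this is not VMware's code and not part of the Async Patch Tool): ap_stage_tool replaces a stale tool directory, extracts the bundle and sets the required permissions, and ap_enable_cmd builds the enable command for a VCF major version with the optional proxy setting. Function names, the BASE_DIR override and the ESXI_TARGET selector are assumptions of this example; the patch identifiers are the ones listed in this article.

```shell
#!/bin/sh
# Added example, not VMware's own code: wraps the AP Tool staging steps and
# the enable command from this KB in checkable shell functions.
AP_TOOL=/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool

# ap_stage_tool TARBALL [BASE_DIR]: removes any stale tool copy under BASE_DIR
# (default /home/vcf/asyncPatchTool), extracts TARBALL there and sets the 755
# permissions; ownership is set to vcf:vcf only where that account exists.
ap_stage_tool() {
  tarball=$1
  base=${2:-/home/vcf/asyncPatchTool}
  [ -f "$tarball" ] || { echo "tarball not found: $tarball" >&2; return 1; }
  rm -rf "$base"            # older tool versions must go before staging a new one
  mkdir -p "$base"
  cp "$tarball" "$base/"
  ( cd "$base" && tar -xf "$(basename "$tarball")" ) || return 1
  chmod -R 755 "$base"
  if id vcf >/dev/null 2>&1; then chown -R vcf:vcf "$base" || return 1; fi
  # The extracted bundle must contain the tool binary, or the later steps cannot run.
  [ -x "$base/bin/vcf-async-patch-tool" ] || { echo "tool binary missing" >&2; return 1; }
}

# ap_patch_id VCF_MAJOR [ESXI_TARGET]: prints the ESX_HOST patch identifier
# for VMSA-2024-0006 as listed in this article (5.x defaults to 8.0 U1d).
ap_patch_id() {
  case "$1" in
    4) printf 'ESX_HOST:7.0.3-23307199\n' ;;
    5) case "${2:-8.0U1d}" in
         8.0U1d) printf 'ESX_HOST:8.0.1-23299997\n' ;;
         8.0U2b) printf 'ESX_HOST:8.0.2-23305546\n' ;;
         *) echo "unknown ESXi target: $2" >&2; return 1 ;;
       esac ;;
    *) echo "unsupported VCF version: $1" >&2; return 1 ;;
  esac
}

# ap_enable_cmd VCF_MAJOR SSO_USER DOWNLOAD_USER [PROXY_FQDN:PORT] [ESXI_TARGET]
# Prints the enable command; --proxyServer is appended only when a proxy is given.
ap_enable_cmd() {
  patch=$(ap_patch_id "$1" "$5") || return 1
  cmd="$AP_TOOL -e --patch $patch --du $3 --sddcSSOUser $2 --sddcSSHUser vcf --it ONLINE"
  [ -n "$4" ] && cmd="$cmd --proxyServer $4"
  printf '%s\n' "$cmd"
}
```

Run ap_stage_tool as the vcf user on the appliance with the downloaded tarball, then execute the line ap_enable_cmd prints once you have reviewed it.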
Additional Information