Updating VMware Validated Design for Software-Defined Data Center 5.x for VMSA-2020-0006 (CVE-2020-3952)
Article ID: 319754

Products

VMware Cloud Foundation

Issue/Introduction

Per VMSA-2020-0006, vCenter Server 6.7 and Platform Services Controller 6.7 appliances (embedded or external) prior to 6.7 Update 3f are affected by CVE-2020-3952 only if they were upgraded from a previous release line, such as 6.0 or 6.5. New deployments of VMware Validated Design for Software-Defined Data Center 5.x are not affected.

This article outlines the procedures to update a Software-Defined Data Center (SDDC) that is deployed according to the VMware Validated Design for Software-Defined Data Center 5.x to address VMSA-2020-0006. This article is only applicable to VMware Validated Design for Software-Defined Data Center 5.x deployments that have been upgraded from VMware Validated Design for Software-Defined Data Center 4.x.

Updates in Scope for this Article:

  • Update each Platform Service Controller appliance to 6.7 Update 3f.
  • Update each Management vCenter Server Appliance instance and each Compute vCenter Server Appliance instance to 6.7 Update 3f.

Updates out of Scope for this Article:

  • Update of vSphere Update Manager Download Service to 6.7 Update 3
  • Update of ESXi hosts to 6.7 Update 3
  • Update of vSphere Replication, Site Recovery Manager, and vRealize Suite Lifecycle Manager 

Important:

Specific components in the VMware Validated Design for Software-Defined Data Center 5.0 and 5.0.1 are not compatible with 6.7 Update 3f per the VMware Product Interoperability Matrices. These include vRealize Suite Lifecycle Manager, vSphere Replication, and Site Recovery Manager.

For multi-region deployments, to preserve the ability to replicate and perform failover, VMware recommends upgrading to VMware Validated Design for Software-Defined Data Center 5.1 before updating to 6.7 Update 3f. If you cannot perform the upgrade to VMware Validated Design for Software-Defined Data Center 5.1 before applying 6.7 Update 3f, you can individually update (Reference 1 and 2) these components and realign to the 5.1.x BOM during your next upgrade cycle.

Environment

VMware Validated Design for Software-Defined Data Center (SDDC) 5.1.x
VMware Validated Design for Software-Defined Data Center (SDDC) 5.0.x
VMware Validated Design for Software-Defined Data Center (SDDC)

Resolution

Procedure

Update the Platform Services Controller Appliances and the Management vCenter Server Appliance Instances

  1. Take snapshots of the Platform Services Controller appliances and of the Management vCenter Server Appliance instances in Region A and in Region B.
     Setting                                                    Value
     Name                                                       VMware Validated Design 5.x for VMSA-2020-0006.1 Virtual Infrastructure Layer Update
     Description                                                -
     Snapshot the virtual machine's memory                      Deselected
     Quiesce guest file system (Needs VMware Tools installed)   Deselected
    a. Use the vSphere Web Client to log in to the Management vCenter Server Appliance by navigating to http://RegionA-management-vc-FQDN/vsphere-client/.
    b. Navigate to the Management Platform Services Controller appliance.
    c. Right-click the Management Platform Services Controller and select Snapshots > Take Snapshot.
    d. In the Take VM Snapshot dialog box, enter the settings provided in the above table and click OK.
    e. Repeat steps a-d for all Platform Services Controller appliances and the Management vCenter Server in Region A and in Region B.
  2. Redirect the traffic to the Compute Platform Services Controller in Region A.
    a. Use the vSphere Web Client to log in to the Management vCenter Server Appliance by navigating to http://RegionA-management-vc-FQDN/vsphere-client/.
    b. From the Home menu, select Networking & Security > NSX Edges.
    c. From the NSX Manager drop-down menu, select the management-nsx-manager-IP NSX Manager, and double-click the Region-A-PSC-LB NSX Edge device.
    d. On the Manage tab, click Load Balancer > Pools.
    e. Select the psc-https-443 load balancer pool and click Edit.
    f. In the Edit Pool dialog box, from the Members pane, select RegionA-Management-PSC, and click Edit.
    g. In the Edit Member dialog box, from the State drop-down menu, select Disable, and click OK.
    h. In the Edit Pool dialog box, click OK.
    i. Repeat steps e-h for the psc-tcp-389 load balancer pool.
    j. On the Pools page, click Show Pools Statistics and verify that both psc-https-443 and psc-tcp-389 show status DOWN for RegionA-Management-PSC.
  3. Update the Management Platform Services Controller in Region A.
    a. Mount the update VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso file to the Management Platform Services Controller appliance.
    b. Log in to the appliance management interface of the Management Platform Service Controller by navigating to https://RegionA-management-psc-FQDN:5480.
    c. In the left pane, click Update.
    d. In the Update pane, click Check Updates and select Check CDROM.
    e. Click Stage & Install.
    f. In the End User License Agreement section, accept the EULA and click Next.
    g. In the Backup Platform Services Controller section, check the I have backed up Platform Services Controller and its associated databases checkbox and click Finish.
    h. After the update completes, in the Installing Upgrades dialog box click OK.
    i. Log back in to the Management Platform Service Controller and in the left pane, click Update.
    j. In the Update pane, verify that you see the updated version number.
  4. Restore load balancing for the traffic to the Platform Services Controller appliances in Region A.
    a. Use the vSphere Web Client to log in to the Management vCenter Server Appliance by navigating to http://RegionA-management-vc-FQDN/vsphere-client/.
    b. From the Home menu, select Networking & Security > NSX Edges.
    c. From the NSX Manager drop-down menu, select the management-nsx-manager-IP NSX Manager, and double-click the Region-A-PSC-LB NSX Edge device.
    d. On the Manage tab, click Load Balancer > Pools.
    e. Select the psc-https-443 load balancer pool and click Edit.
    f. In the Edit Pool dialog box, from the Members pane, select RegionA-Management-PSC, and click Edit.
    g. In the Edit Member dialog box, from the State drop-down menu, select Enable, and click OK.
    h. In the Edit Pool dialog box, click OK.
    i. Repeat steps e-h for the psc-tcp-389 load balancer pool.
    j. On the Pools page, click Show Pools Statistics and verify that both psc-https-443 and psc-tcp-389 report status UP for RegionA-Management-PSC.
  5. Disconnect the attached update .iso file from the Management Platform Services Controller in Region A.
  6. Repeat steps 2-5 on the Compute Platform Services Controller in Region A.
  7. Update the Management vCenter Server in Region A.
    a. Mount the update VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso file to the Management vCenter Server appliance from the vSphere Web Client.
    b. Log in to the appliance management interface of the Management vCenter Server by navigating to https://RegionA-management-vc-FQDN:5480.
    c. In the left pane, click Update.
    d. In the Update pane, click Check Updates and select Check CDROM.
    e. Click Stage & Install.
    f. In the End User License Agreement section, accept the EULA and click Next.
    g. In the Backup Platform Services Controller section, check the I have backed up Platform Services Controller and its associated databases checkbox and click Finish.
    h. After the update completes, in the Installing Upgrades dialog box click OK.
    i. Log back in to the appliance management interface of the Management vCenter Server and in the left pane, click Update.
    j. In the Update pane, verify the version number.
  8. Disconnect the attached update .iso file from the Management vCenter Server in Region A.
  9. Repeat steps 2-8 for the Platform Services Controller appliances and for the Management vCenter Server Appliance Instances in Region B.

Update the Compute vCenter Server Appliances

  1. Update the Compute vCenter Server Appliance in Region A.
    a. Mount the update VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso file to the Compute vCenter Server Appliance.
    b. Log in to the appliance management interface of the Compute vCenter Server Appliance by navigating to https://RegionA-compute-vc-FQDN:5480.
    c. In the left pane, click Update.
    d. In the Update pane, click Check Updates and select Check CDROM.
    e. Click Stage & Install.
    f. In the End User License Agreement section, accept the EULA and click Next.
    g. In the Backup Platform Services Controller section, check the I have backed up Platform Services Controller and its associated databases checkbox and click Finish.
    h. After the update finishes, in the Installing Upgrades dialog box click OK.
    i. Log back in to the appliance management interface of the Compute vCenter Server Appliance and click Update in the left pane.
    j. Verify the version number in the Update pane.
  2. Disconnect the attached update .iso file from the Compute vCenter Server in Region A.
  3. Repeat steps 1-2 for the Compute vCenter Server in Region B.
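The "verify the version number" step of each appliance update can be checked for all eight Platform Services Controller and vCenter Server appliances in one pass. The following is an added example, not part of this article or of VMware's tooling; it assumes the vCenter Server 6.7 appliance REST API (POST /rest/com/vmware/cis/session with Basic authentication, then GET /rest/appliance/system/version returning "version" and "build" fields), administrator credentials, and the article's placeholder FQDNs.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed inventory built from the article's placeholder FQDNs (assumption).
APPLIANCES = ["%s-%s-%s-FQDN" % (r, p, a) for r in ("RegionA", "RegionB")
              for p in ("management", "compute") for a in ("psc", "vc")]
PATCH_ISO = "VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso"


def expected_from_iso(iso_name):
    """Return the (version, build) pair encoded in the patch ISO file name."""
    m = re.search(r"-(\d+\.\d+\.\d+\.\d+)-(\d+)-patch", iso_name)
    if not m:
        raise ValueError("unrecognised patch ISO name: " + iso_name)
    return m.group(1), m.group(2)


def is_patched(reported, expected):
    """True if the appliance is on the same release line and at least the expected build."""
    version, build = expected
    try:
        same_line = reported["version"].split(".")[:3] == version.split(".")[:3]
        return same_line and int(reported["build"]) >= int(build)
    except (KeyError, ValueError, AttributeError):
        return False


def fetch_version(host, user, password):
    """Open an API session and read /rest/appliance/system/version (assumed 6.7 REST API)."""
    base = "https://%s/rest" % host
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    ctx = ssl.create_default_context()  # appliance certificates must chain to a trusted CA
    req = urllib.request.Request(base + "/com/vmware/cis/session", method="POST",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        session = json.load(resp)["value"]
    req = urllib.request.Request(base + "/appliance/system/version",
                                 headers={"vmware-api-session-id": session})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["value"]


def fleet_status(hosts, user, password):
    """Map each appliance to True (patched) or False (not patched or unreachable)."""
    expected = expected_from_iso(PATCH_ISO)
    status = {}
    for host in hosts:
        try:
            status[host] = is_patched(fetch_version(host, user, password), expected)
        except (OSError, KeyError, ValueError):
            status[host] = False
    return status
```

Any appliance that reports False after the procedure should be revisited before the snapshots are deleted.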

Cleanup Snapshots and Execute Backup

After all update operations are successfully completed, verify the operations of your environment. You may use the VMware Validated Design Operational Verification guide to assist in your validation procedures.

Once verified, you may remove all pre-upgrade snapshots for each vCenter Server and Platform Services Controller instance.
  1. Delete the snapshots for the Platform Services Controller appliances and Management vCenter Server instances in Region A and in Region B.
    a. Use the vSphere Web Client to log in to the Management vCenter Server Appliance by navigating to http://RegionA-management-vc-FQDN/vsphere-client/.
    b. Navigate to the Management Platform Services Controller.
    c. Right-click the Management Platform Services Controller and select Snapshots > Delete All Snapshots.
    d. In the Confirm Delete dialog box, click Yes.
    e. Repeat steps a-d for all Platform Services Controller appliances and the Management vCenter Servers in Region A and in Region B.
  2. Delete the snapshots for the Compute vCenter Server instances in Region A and in Region B.
    a. Use the vSphere Web Client to log in to the Management vCenter Server Appliance by navigating to http://RegionA-management-vc-FQDN/vsphere-client/.
    b. Navigate to the Compute vCenter Server.
    c. Right-click the Compute vCenter Server and select Snapshots > Delete All Snapshots.
    d. In the Confirm Delete dialog box, click Yes.
    e. Repeat steps a-d for the Compute vCenter Server instances in Region B.
  3. Initiate a new image-based backup for each vCenter Server and Platform Services Controller using your supported vSphere APIs for Data Protection (VADP) enabled backup solution.

Additional Information

Prerequisites

Before you remediate VMSA-2020-0006 (CVE-2020-3952) in the SDDC, verify that your existing VMware Validated Design environment meets the following prerequisites.
  • Verify that your environment implementation was upgraded from VMware Validated Design 4.3.
  • Use VMware Knowledge Base article 78543 to determine whether or not your environment is affected by CVE-2020-3952.
  • Verify that your environment implementation follows exactly the software bill of materials for VMware Validated Design 5.0, 5.0.1, 5.1, or 5.1.1 releases.
  • Download the vCenter Server Appliance 6.7 Update 3f patch VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso file from My VMware to a Windows host that has access to the SDDC management network.
  • Verify that you have current backups for each Platform Services Controller appliance and each vCenter Server Appliance.
  • Verify that any integrations with the Management and Compute vCenter Server Appliances are quiesced. For example, vRealize Automation or vSphere API for Data Protection enabled backup solutions.