Applying vCenter Server 7.0 update patch to address vulnerabilities in VMSA-2021-0010 on VMware Cloud Foundation 4.1, 4.1.0.1, 4.2

Article ID: 325213

Products

VMware Cloud Foundation

Issue/Introduction

The purpose of this article is to provide guidance for affected customers using VMware Cloud Foundation versions 4.1, 4.1.0.1, and 4.2.

Symptoms:
vCenter Server 7.0 versions are affected by CVE-2021-21985 and CVE-2021-21986. For more information, see the VMware security advisory VMSA-2021-0010.
As described in the advisory, VMware Cloud Foundation (VCF) 4.x versions are affected by CVE-2021-21985 and CVE-2021-21986.

VMSA-2021-0020, published on September 21st 2021, documents vulnerabilities in VMware vCenter Server versions prior to 7.0U2d, which also impact VCF 4.x versions.
Please see KB 85718 for further details.

Environment

VMware Cloud Foundation 4.2
VMware Cloud Foundation 4.1

Resolution

To resolve this issue for VMware Cloud Foundation 4.x version, upgrade to version 4.2.1 or later.
If you are unable to upgrade to VMware Cloud Foundation 4.2.1 or later, apply the steps in the Workaround section of this article.

Workaround:
Notes:
  • For VMware Cloud Foundation 4.2, you must upgrade to 4.2.1 to resolve this issue.
  • If you are using a VMware Cloud Foundation version earlier than 4.1, you must first upgrade to version 4.1 or later before following the workaround steps below.
  • For more information on this vulnerability, refer to the advisory VMSA-2021-0010.
  • Take a snapshot of the vCenter Server before applying the patch.
1. Download and upload VMware Software Upgrade bundle for VMware vCenter Server 7.0 Update 1d to SDDC Manager.
a. Download the Bundle Transfer utility on a computer with internet access.
i. Log in to Customer Connect and browse to the Download VMware Cloud Foundation page.
ii. In the Select Version field, select the 4.2.1 version.
iii. Click Drivers & Tools.
iv. Expand VMware Cloud Foundation Tools and click Go To Downloads.
v. Click Download Now for the Bundle Transfer Utility Tool.

b. Extract lcm-tools-prod.tar.gz.

c. Navigate to lcm-tools-prod/bin/ and confirm that you have execute permission on all folders.

d. Validate that the utility version matches the target release. Run the following command to display the utility version:
For Windows
lcm-bundle-transfer-util.bat -v
For Linux
./lcm-bundle-transfer-util -v

e. Download the VMware Software Upgrade bundle for VMware vCenter Server 7.0 Update 1d (bundle-42521).
For Windows
lcm-bundle-transfer-util.bat --op C:\downloaded_bundles -d --du [email protected] -b bundle-42521
For Linux
./lcm-bundle-transfer-util --op /root/downloaded_bundles -d --du [email protected] -b bundle-42521

f. Copy the update bundle directory from the external computer to the SDDC Manager VM. 
For Windows, use any SCP tool to transfer the "downloaded_bundles" directory to the SDDC Manager VM under /nfs/vmware/vcf/nfs-mount/.
For Linux
scp -pr /root/downloaded_bundles vcf@SDDC_MANAGER_IP:/nfs/vmware/vcf/nfs-mount/
The scp command in the example above creates a directory named downloaded_bundles in the /nfs/vmware/vcf/nfs-mount/ directory.

g. In the SDDC Manager VM, change the ownership and permissions for the directory where you uploaded the bundle.
chmod -R 0777 /nfs/vmware/vcf/nfs-mount/downloaded_bundles

h. In the SDDC Manager VM, upload the bundle files to the internal LCM repository.
cd /opt/vmware/vcf/lcm/lcm-tools/bin
./lcm-bundle-transfer-util -upload -bundleDirectory /nfs/vmware/vcf/nfs-mount/downloaded_bundles -b bundle-42521

 
2. Upgrade to VMware vCenter Server 7.0 Update 1d
a. Map the ISO
i. Log in to the Management VMware vCenter Server (https://<Management-VC-FQDN>/ui)
ii. In VMs and Templates, browse to the Management VMware vCenter Server VM
iii. Right-click the VMware vCenter Server VM and click Edit Settings
iv. For "CD/DVD Drive 1", select "Datastore ISO File" from the dropdown, browse to "lcm-bundle-repo/bundle/731433e4-122e-40a9-aaba-3ebc1be133d3/bundle-42521/" and select the "VMware-vCenter-Server-Appliance-7.0.1.00301-17956102-patch-FP.iso" file in the Datastore wizard
v. Select the "Connected" check box
vi. Click OK
b. Upgrade the Management VMware vCenter Server
i. Connect to the VMware vCenter Server VAMI at "https://<VMware vCenter Server IP/FQDN>:5480" as the root user
ii. Select Update from the Navigation tab
iii. Click "Stage and Install" to trigger the update
iv. Monitor the update until it completes
c. Repeat steps a and b for all workload VMware vCenter Servers

3. Update the VCF inventory by following the steps below:
a. Log in to the SDDC Manager VM via SSH.
b. Get the VMware vCenter Server ID from the VCF inventory:
To get VMware vCenter Server details from the VCF inventory, run the following curl command against the inventory API:
$ curl localhost/inventory/vcenters | json_pp

Sample Output:
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   359    0   359    0     0  19944      0 --:--:-- --:--:-- --:--:-- 19944
[
   {
      "status" : "ACTIVE",
      "version" : "7.0.1.00000-16860138",
      "bundleRepoDatastore" : "lcm-bundle-repo",
      "datastoreForVmDeploymentName" : "sfo01-m01-vsan",
      "domainType" : "MANAGEMENT",
      "vmName" : "vcenter-1",
      "domainId" : "d8864d48-96c5-4407-8665-d5988c52c05b",
      "hostName" : "vcenter-1.vrack.vsphere.local",
      "managementIpAddress" : "10.0.0.6",
      "id" : "<VMware vCenter Server ID>"
   }
]


The "id" field in the response is the VMware vCenter Server ID.
The "version" field for each VMware vCenter Server gives its current version.

c. Update the VCF inventory for the VMware vCenter Servers
Note: Repeat the command below for every VMware vCenter Server that was upgraded, using its corresponding vCenter ID.
<SDDC_Manager_FQDN> : Fully qualified domain name of SDDC Manager.
<VMware vCenter Server ID> : ID of the VMware vCenter Server whose version is to be updated in the VCF inventory.
7.0.1.00301-17956102 : Version of the VMware vCenter Server patch that was applied.

$ curl -X PATCH '<SDDC_Manager_FQDN>/inventory/entities/<VMware vCenter Server ID>' -d '{"version":"7.0.1.00301-17956102", "type":"VCENTER"}' -H 'Content-Type:application/json'

d. Verify VMware vCenter Server versions
$ curl localhost/inventory/vcenters | json_pp

Sample Output: 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1069    0  1069    0     0   173k      0 --:--:-- --:--:-- --:--:--  173k
[
   {
      "bundleRepoDatastore" : "lcm-bundle-repo",
      "managementIpAddress" : "10.0.0.6",
      "version" : "7.0.1.00301-17956102",
      "vmName" : "vcenter-1",
      "domainType" : "MANAGEMENT",
      "domainId" : "d8864d48-96c5-4407-8665-d5988c52c05b",
      "datastoreForVmDeploymentName" : "sfo01-m01-vsan",
      "status" : "ACTIVE",
      "id" : "<VMware vCenter Server ID>",
      "hostName" : "vcenter-1.vrack.vsphere.local"
   }
]


e. Go to the SDDC Manager UI and verify the vCenter Server version after a few minutes.

Note: Whenever a new workload domain is created, apply all the steps in sections 2 and 3 above to its vCenter Server.
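Steps 3b through 3d scripted for every vCenter Server at once, as an added example (not VMware's or this KB's own tooling): it reads /inventory/vcenters, sends the same PATCH body the article shows for each entry not yet recorded at the patched build, then re-reads the inventory to confirm. It assumes the inventory API is reachable at http://localhost on the SDDC Manager VM; the sample inventory and its IDs are constructed.

```python
import json
import urllib.request

TARGET_VERSION = "7.0.1.00301-17956102"  # vCenter Server 7.0 U1d build from the article

# Constructed sample, modelled on the article's json_pp output; IDs are placeholders.
SAMPLE_INVENTORY = [
    {"id": "<vcenter-1-id>", "vmName": "vcenter-1", "domainType": "MANAGEMENT",
     "hostName": "vcenter-1.vrack.vsphere.local", "version": "7.0.1.00000-16860138"},
    {"id": "<vcenter-2-id>", "vmName": "vcenter-2", "domainType": "VI",
     "hostName": "vcenter-2.vrack.vsphere.local", "version": TARGET_VERSION},
]


def pending_updates(inventory, target=TARGET_VERSION):
    """Return [(vcenter_id, current_version)] for entries not yet recorded at target."""
    return [(vc["id"], vc["version"]) for vc in inventory if vc["version"] != target]


def patch_body(target=TARGET_VERSION):
    """The JSON document the article PATCHes to /inventory/entities/<id>."""
    return json.dumps({"version": target, "type": "VCENTER"})


def all_at_version(inventory, target=TARGET_VERSION):
    """Step 3d check: every vCenter Server in the inventory reports the patched build."""
    return bool(inventory) and all(vc["version"] == target for vc in inventory)


def _request(url, method="GET", body=None):
    # Assumed: the inventory API answers plain HTTP on localhost, as the curl examples imply.
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")  # PATCH may return an empty body


def update_inventory(base="http://localhost"):
    """Steps 3b-3d in one pass: read, PATCH each stale entry, re-read and verify."""
    inventory = _request(f"{base}/inventory/vcenters")
    for vc_id, current in pending_updates(inventory):
        print(f"PATCH {vc_id}: {current} -> {TARGET_VERSION}")
        _request(f"{base}/inventory/entities/{vc_id}", "PATCH", patch_body().encode())
    return all_at_version(_request(f"{base}/inventory/vcenters"))


if __name__ == "__main__":
    print("inventory consistent:", update_inventory())
```

Run it only after every vCenter Server has actually completed the VAMI update in step 2; the inventory entry records the version, it does not apply the patch.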


Additional Information

Applying vCenter Server 6.7 Update 3n patch on VMware Cloud Foundation from 3.9.x, 3.10.0, 3.10.1.x, 3.10.2 (84051)

Impact/Risks:
After applying the vCenter Server patch to your VCF 4.1 or 4.1.0.1 environment using the procedure in this article, the supported upgrade path is to VCF 4.2.1 or later (e.g. 4.3) using Skip Upgrade from the SDDC Manager UI. For more details, refer to the VMware Cloud Foundation Lifecycle Management documentation.