VMSA-2023-0023 Online AP Tool Remediation Steps
Article ID: 327206

Products

VMware Cloud Foundation

Issue/Introduction

Consolidated AP Patching steps to remediate the VMSA-2023-0023 vulnerability for 4.x and 5.x VCF environments.

Symptoms:

A critical vulnerability in vCenter Server (CVSSv3 base score 9.8), outlined in VMSA-2023-0023.


Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x

Resolution

Please note the following:

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling the VC 8.0U1d patch will also update SDDC Manager services on VCF 5.0.0.0.
  • Enabling the VC 7.0U3o patch will also update SDDC Manager services on VCF 4.3.1.1, 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0.
  1. Download the latest Async Patch Tool to a computer with access to the SDDC Manager appliance.
    • Option 1: Direct Download Link - AP Tool download
    • Option 2:
      1. Log in to VMware Customer Connect.
      2. Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW
  2. Copy the Async Patch Tool to the SDDC Manager appliance and configure it.
    1. SSH into the SDDC Manager appliance using the vcf user account.
      • Note: If an existing or older version of the Async Patch Tool (and older bundles) exists in the following directories, you must remove these files before downloading the latest version, using the following command: rm -rf /home/vcf/asyncPatchTool && rm -rf /nfs/vmware/vcf/nfs-mount/apToolBundles
    2. Create the asyncPatchTool directory:
mkdir /home/vcf/asyncPatchTool
    3. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
    4. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz:
cd /home/vcf/asyncPatchTool
tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
    5. Set the permissions for the asyncPatchTool directory:
chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
  3. Take a snapshot of the SDDC Manager VM.
  4. Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
    • 300 = five minutes, generally enough to ensure the connection doesn't time out during download.
    • Example: PuTTY > Change Settings > Connection > Seconds between keepalives (0 to turn off) > set to 300 > Apply
  5. Enable the async patch with the relevant command below.
If you connect to the internet through a proxy server, add the --proxyServer (--ps) option to specify the FQDN and port of the proxy server. For example: --proxyServer FQDN:port

4.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

4.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --pdu dell_emc_depot_email --sddcSSHUser vcf --it ONLINE

5.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

5.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --pdu dell_emc_depot_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
  6. Ensure a valid backup of the vCenter exists before applying the upgrade from the SDDC Manager UI.
  7. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
  8. After successfully applying the async patch, use the Async Patch Tool to deactivate the patch.
    1. SSH into the SDDC Manager appliance using the vcf user account.
    2. Run the following command and complete the prompts:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
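The following POSIX shell helper is an added example, not part of this KB or of the AP Tool: it encodes the version-to-patch mapping and the VxRail/proxy option rules from the commands above so the exact enable and disable command lines can be reviewed before they are run on SDDC Manager. The function names, and the depot e-mail, SSO user and proxy values in the demonstration, are assumed/constructed.

```shell
#!/bin/sh
# Added helper (not part of the KB or the AP Tool): builds the exact
# vcf-async-patch-tool enable/disable command lines from this KB's
# version/platform matrix so they can be reviewed before running.
# Function names are assumed; nothing here executes the tool itself.

AP_TOOL=/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool

# The entire AP Tool operation must run as the vcf user; pass "$(id -un)".
check_user_is_vcf() {
  [ "$1" = "vcf" ]
}

# Map the VCF major version to the vCenter patch ID the KB names for it.
vmsa_2023_0023_patch_id() {
  case "$1" in
    4) echo "VCENTER:7.0.3.01700-22357613" ;;  # vCenter 7.0U3o (VCF 4.3.1.1-4.5.1.0)
    5) echo "VCENTER:8.0.1.00400-22368047" ;;  # vCenter 8.0U1d (VCF 5.0.0.0)
    *) echo "unsupported VCF major version: $1" >&2; return 1 ;;
  esac
}

# build_enable_cmd MAJOR DEPOT_USER SSO_USER [VXRAIL_DEPOT_USER] [PROXY_FQDN:PORT]
# Pass "" for an optional argument that does not apply.
build_enable_cmd() {
  patch=$(vmsa_2023_0023_patch_id "$1") || return 1
  cmd="$AP_TOOL -e --patch $patch --du $2"
  # VxRail environments also need the Dell EMC depot user (--pdu).
  if [ -n "${4:-}" ]; then cmd="$cmd --pdu $4"; fi
  cmd="$cmd --sddcSSOUser $3 --sddcSSHUser vcf --it ONLINE"
  # Internet access through a proxy: append --proxyServer FQDN:port.
  if [ -n "${5:-}" ]; then cmd="$cmd --proxyServer $5"; fi
  echo "$cmd"
}

# After the patch has been applied from the SDDC Manager UI, deactivate it.
build_disable_cmd() {
  echo "$AP_TOOL --disableAllPatches --sddcSSOUser $1 --sddcSSHUser vcf"
}

# Demonstration with constructed values (depot e-mail, SSO user, proxy).
if ! check_user_is_vcf "$(id -un)"; then
  echo "warning: not running as vcf; command lines shown for review only" >&2
fi
build_enable_cmd 4 customer_connect_email SSOuser
build_enable_cmd 5 customer_connect_email SSOuser dell_emc_depot_email proxy.example.internal:3128
build_disable_cmd SSOuser
```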



Workaround:
There is no workaround. Because of the critical severity of this issue, customers must patch vCenter to secure their VCF environments.

Additional Information

Async Patch Tool 1.1.0.2 - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html

VCF Async Patch Tool Options - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-ED6AEE19-CB7D-44E7-A7D8-D54F8C5CC05D.html

