Set the permissions for the asyncPatchTool directory.
VMSA-2023-0023 Online AP Tool Remediation Steps
Article ID: 327206
Updated On:
Products
VMware Cloud Foundation
Issue/Introduction
Consolidated AP Patching steps to remediate the VMSA-2023-0023 vulnerability for 4.x and 5.x VCF environments.
Symptoms:
Symptoms:
vCenter Server critical vulnerability (9.8) outlined in VMSA-2023-0023.
Environment
VMware Cloud Foundation 4.x
VMware Cloud foundation 5.x
VMware Cloud foundation 5.x
Resolution
Please note the following:
4.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
4.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --pdu dell_emc_depot_email --sddcSSHUser vcf --it ONLINE
5.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
5.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --pdu dell_emc_depot_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
Workaround:
Due to no workaround and the critical severity of this issue, customers must patch vCenter to secure their VCF environments.
- The entire AP Tool operation must be run as the vcf user.
- Enabling VC 8.0U1d patch will also update SDDC Manager services on VCF 5.0.0.0
- Enabling VC 7.0U3o patch will also update SDDC Manager services on VCF 4.3.1.1, 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0
- Download the latest Async Patch Tool to a computer with access to the SDDC Manager appliance.
- Option 1: Direct Download Link - AP Tool download
- Option 2:
- Log in to VMware Customer Connect
- Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW
- Copy the Async Patch Tool to the SDDC Manager appliance and configure it.
- SSH into the SDDC Manager appliance using the vcf user account.
- Note: If an existing or older version of the Async Patch Tool exists in the directory, you must remove these files before downloading the latest version using the following command: rm -r /home/vcf/asyncPatchTool
- Create the asyncPatchTool directory:
mkdir /home/vcf/asyncPatchTool
- Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
- Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz.
cd /home/vcf/asyncPatchTool
tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
- Set the permissions for the asyncPatchTool directory.
chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
- Take a snapshot of the SDDC Manager VM.
- Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
- 300 = five minutes, generally enough to ensure the connection doesn't time out during download.
- Example: Putty > Change Settings > Connection > Seconds between keepalives (0 to turn off) > set to 300 > Apply
- Enable the async patch with the relevant command below:
If you connect to the internet through a proxy server, add the
--proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.4.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
4.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email --sddcSSOUser SSOuser --pdu dell_emc_depot_email --sddcSSHUser vcf --it ONLINE
5.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
5.x VMware Cloud Foundation on Dell EMC VxRail:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email --pdu dell_emc_depot_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
- Ensure a valid backup of the vCenter before applying the upgrade from SDDC UI.
- Log in to the SDDC Manager UI and apply the async patch to all workload domains
- After successfully applying the async patch, use the Async Patch Tool to deactivate the patch.
- SSH into the SDDC Manager appliance using the vcf user account.
- Run the following command and complete the prompts:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
Workaround:
Due to no workaround and the critical severity of this issue, customers must patch vCenter to secure their VCF environments.
Additional Information
Async Patch Tool 1.1.0.2 - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html
VCF Async Patch Tool Options - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-ED6AEE19-CB7D-44E7-A7D8-D54F8C5CC05D.html
Impact/Risks:
Feedback
Yes
No
Powered by
