VMSA-2023-0023 Offline AP Tool Remediation Steps
search cancel

VMSA-2023-0023 Offline AP Tool Remediation Steps


Article ID: 327210


Updated On:


VMware Cloud Foundation



vCenter Server critical vulnerability (9.8) outlined in VMSA-2023-0023 .


VMware Cloud foundation 5.x
VMware Cloud Foundation 4.x


Consolidated Offline AP Patching steps to remediate the VMSA-2023-0023 vulnerability for 4.x and 5.x VCF environments. 


  • The entire AP Tool operation must be run as the vcf user.
  • Enabling VC 8.0U1d patch will also update SDDC Manager services on VCF
  • Enabling VC 7.0U3o patch will also update SDDC Manager services on VCF,,, and
  • Additional bundles may be downloaded during the bundle download process. 

1. Download the latest Async Patch Tool to a computer that has access to the internet and the SDDC Manager appliance

Option 1: Direct Download Link - AP Tool download
Option 2:

a. Log in to VMware Customer Connect
b. Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW

2. Extract vcf-async-patch-tool-<version>.tar.gz.

3. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.

4. Run the download from the AP Tool.

If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.

For VxRail environments please add the following flags to the download command:
--sku VCF_ON_VXRAIL --pdu dell_emc_depot_email

4.x Linux:
./vcf-async-patch-tool -d --patch VCENTER: --du customer_connect_email

4.x Windows:
vcf-async-patch-tool.bat -d --patch VCENTER: --du customer_connect_email

5.x Linux:
./vcf-async-patch-tool -d --patch VCENTER: --du customer_connect_email

5.x Windows:
vcf-async-patch-tool.bat -d --patch VCENTER: --du customer_connect_email

Example output:image.png

    5.SSH into the SDDC Manager using the vcf user account and create the following directory:

    mkdir /nfs/vmware/vcf/nfs-mount/apToolBundles

    6.Copy the patch and set permissions.

    a. Copy the entire output directory from the local computer (for example, apToolBundles) to the SDDC Manager appliance.

    b. SSH in to the SDDC Manager appliance using the vcf user account.
    c. Update the permissions on the apToolBundle directory.

    chmod -R 755 /nfs/vmware/vcf/nfs-mount/apToolBundles && chown -R vcf:vcf /nfs/vmware/vcf/nfs-mount/apToolBundles

    7. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.

    a. SSH in to the SDDC Manager appliance using the vcf user account.
    Note:If an existing or older version of the Async Patch Tool exists in the directory, you will need to remove these files before downloading the latest version of the Async Patch Tool.

    rm -r /home/vcf/asyncPatchTool

    b. Create the asyncPatchTool directory.

    mkdir /home/vcf/asyncPatchTool

    c. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) that you downloaded in step 1 to the /home/vcf/asyncPatchTool directory.

    d. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz.

    cd /home/vcf/asyncPatchTool
    tar -xvf vcf-async-patch-tool-

    e. Set the permissions for the asyncPatchTool directory.

    chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool

    8. Take a snapshot of the SDDC Manager VM
    9. Enable the async patch with the relevant command below:

    4.x VMware Cloud Foundation:
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER: --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

    5.x VMware Cloud Foundation:
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER: --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

    10. Ensure there is a valid backup of the vCenter before applying upgrade from SDDC UI.

    Please see KB: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice 

    11. Log in to the SDDC Manager UI and apply the async patch to all workload domains

    12. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.

    a. SSH in to the SDDC Manager appliance using the vcf user account.
    b. Run the following command and complete prompts:
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf


    Due to no workaround and the critical severity of this issue, customers must patch vCenter to secure their VCF environments.

    Additional Information

    Async Patch Tool - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html