The recommendation to customers on these prior VCF 3.x versions is to upgrade to the latest VCF 3.11 release.
If customers are unable to do so, this article provides guidance for upgrading just the vRSLCM 2.1 patch 3, NSX-v 6.4.12, NSX-T 2.5.3.4.0 and vCenter Server 6.7 Update 3q appliances.
Affected Versions: 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1, 3.10.2.2
The information contained in this article applies to customers on both VCF on VxRail and VCF (vSAN Ready Nodes).
Symptoms:
As documented in VMSA-2021-0028, all versions of the products prior to vRSLCM 2.1 patch 3, NSX-v 6.4.12, NSX-T 2.5.3.4.0 and vCenter Server 6.7 Update 3q are affected by the vulnerabilities listed in the advisory.
Because the VMware Cloud Foundation (VCF) 3.x versions prior to VCF 3.11 bundle impacted releases of vRSLCM, NSX-v, NSX-T and vCenter Server, VCF versions 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1 and 3.10.2.2 are similarly impacted by the vulnerabilities listed in the advisory.
VMware Cloud Foundation 3.11
As documented in VMSA-2021-0028 all the VMware Cloud Foundation 3.x versions prior to VCF 3.11 are affected by the vulnerabilities listed in the advisory.
| VMware Cloud Foundation Version | Upgrade Options if Upgrading to VCF 3.11 is not possible |
|---|---|
| Prior to VCF 3.10.0 | Upgrade to 3.10.0 or later and follow the recommended approach below |
| VCF 3.10.x | Apply the steps in the Workaround section of this article |
Workaround:
Follow the release notes to apply vRSLCM 2.1 patch 3
Step 1: Perform below steps on each VMware NSX-v instance deployed in your VMware Cloud Foundation environment
1) Apply the NSX-v 6.4.12 patch to all NSX-v instances (Management & VI Domain) in the environment.
Step 2: Perform below steps on each SDDC Manager VM deployed in your Cloud Foundation environment
1. Log in to the SDDC Manager VM via SSH and sudo to the root account
2. Verify the NSX-v version on the inventory
    "id" : "<<NSX-v ID>>",
    "version" : "<<Current NSX-v Version>>",
    "status" : "ACTIVE",
    "hostName" : "nsxManager.vrack.vsphere.local",
    "domainId" : "<domain ID>",
    "managementIpAddress" : "10.0.0.9",
    "vmName" : "nsxManager",
    "vcenterId" : "<vcenterid>"
Please note the following details:
The field "id" in the response corresponds to <<NSX-v ID>>.
The "version" field for each NSX-v instance provides the <<Current NSX-v Version>>.
3. API to update NSX-v hot patch version: 6.4.12-19066632 on 3.10.x
4. Verify the NSX-v Version
    [
       {
          "vmName" : "nsxManager",
          "domainId" : "<domain ID>",
          "status" : "ACTIVE",
          "hostName" : "nsxManager.vrack.vsphere.local",
          "id" : "<<NSX-v ID>>",
          "version" : "6.4.12-19066632",
          ...
          "managementIpAddress" : "10.0.0.9",
          "vcenterId" : "<vcenterid>"
       }
    ]
5. Update version-alias using below API to support this async upgrade for future VCF compatible upgrades.
NOTE: This step needs to be done only once per SDDC Manager instance
Known Issue: After an out-of-band upgrade to NSX-T 2.5.3.4, you will not be able to expand your VCF deployment by adding NSX-T based Workload domains. To avoid such limitations, VMware recommends upgrading to VCF 3.11.
Step 1: Perform below steps on each VMware vCenter Server VM and each External PSC deployed in your VMware Cloud Foundation environment
1) Apply the NSX-T 2.5.3.4.0 patch to all NSX-T instances (VI Domain) in the environment.
Step 2: Perform below steps on each SDDC Manager VM deployed in your Cloud Foundation environment
1. Log in to the SDDC Manager VM via SSH and sudo to the root account
2. API to update NSX-T hot patch version: 2.5.3.4.0-19069884 on 3.10.x
Get VCF deployed NSX-T Cluster Inventory Ids associated with domains.
    [
       {
          "version" : "<<Current NSX-T Version>>",
          "is_shared" : false,
          "clusterIpAddress" : "10.0.0.154",
          "clusterFqdn" : "vip-nsxmanager.vrack.vsphere.local",
          "id" : "<<NSX-T ID>>",
          "status" : "ACTIVE",
          "nsxtClusterDetails" : [
             { "fqdn" : "nsxt-manager-1.vrack.vsphere.local", "vmName" : "nsxt-manager-1", "id" : "<id>" },
             { "vmName" : "vi-nsxmanager-1-2", "fqdn" : "vi-nsxmanager-1-2.vrack.vsphere.local", "id" : "<id>" },
             { "vmName" : "vi-nsxmanager-1-3", "fqdn" : "vi-nsxmanager-1-3.vrack.vsphere.local", "id" : "<id>" }
          ],
          ...
          "domainIds" : [ "<domain ID>" ]
       }
    ]
Please note the following details:
The field "id" in the response corresponds to <<NSX-T ID>>: NSX-T Cluster ID.
The "version" field for each NSX-T cluster provides the <<Current NSX-T Version>>.
3. For each NSX-T entity Id, update the NSX-T new version (make sure you have already upgraded this NSX-T by logging in to the NSX-T cluster IP)
4. Verify the NSX-T Version
root@sddc-manager [ ~ ]# curl localhost/inventory/nsxt | json_pp
[ ...
5. Update version-alias using below API to support this async upgrade for future VCF compatible upgrades.
NOTE: This step needs to be done only once per SDDC Manager instance after it has been upgraded to VCF 3.11 via Skip level upgrade tool.
a. Create version-alias.json JSON file in "/home/vcf" directory and add below content and save the file.
b. Execute the below API to update version-alias
Step 1: Perform below steps on each VMware vCenter Server VM and each External PSC deployed in your VMware Cloud Foundation environment
1) Powered-off concurrent snapshots should be taken of all PSCs and VCs in the SSO domain prior to patching.
2) Apply the VMware vCenter Server 6.7 Update 3q patch to all external PSCs and vCenter Servers (Management & VI Domain) in the environment.
Step 2: Perform below steps on each SDDC Manager VM deployed in your Cloud Foundation environment
1) Log in to the SDDC Manager VM via SSH and sudo to the root account
2) Get PSC/VC ID from VCF inventory:
To get vCenter/PSC details from the VCF inventory, run the following commands:
For vCenter Server
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
For PSC
$ curl localhost/inventory/pscs | json_pp
Sample Output:
The field "id" in response, corresponds to vCenter/PSC id.
The "version" field for each of the vCenter/PSC provides the current version of the vCenter/PSC.
3) Update VCF inventory for vCenter Servers and PSCs
Note: Repeat the below commands for all the vCenter Servers that were upgraded, using their corresponding vcenter-id.
<SDDC_Manager_FQDN> = Fully qualified domain name of SDDC Manager.
<vCenter_Id> = Id of the vCenter for which the version is to be updated in the VCF inventory
<psc_Id> = Id of the PSC for which the version is to be updated in the VCF inventory
The build number of 6.7U3q is 19300125, so this is the version that needs to be inserted into the file, i.e. 6.7.0-19300125
For vCenter Server
For PSCs
4) Verify vCenter Server and PSC versions
For vCenter Server
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
For PSC
$ curl localhost/inventory/pscs | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
5) Go to the SDDC Manager UI to verify the VC/PSC version after a few minutes.
Note: Repeat all relevant BOM patches for all domains in your Cloud Foundation environment. Every time a new VI workload domain is created, these steps need to be performed.
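The "Verify ... Version" steps in the NSX-v, NSX-T and vCenter/PSC sections above can be scripted so that no instance is missed. The following is an added example, not part of the original article or of VMware tooling: it reads the JSON returned by one of the inventory commands shown above and reports every entry whose "version" is older than the patched build named in this article. It assumes Python 3 is available where it runs and relies only on the "id" and "version" fields; the script name check_inventory.py and the component labels are hypothetical.

```python
import json
import sys

# Patched builds named in this article, as recorded in the VCF inventory.
# The keys are labels chosen for this example, not VCF identifiers.
PATCHED = {
    "nsxv": "6.4.12-19066632",
    "nsxt": "2.5.3.4.0-19069884",
    "vcenter": "6.7.0-19300125",
    "psc": "6.7.0-19300125",
}


def parse_version(text):
    """Turn 'a.b.c-build' into ((a, b, c), build) so versions compare numerically."""
    dotted, _, build = text.strip().partition("-")
    return tuple(int(part) for part in dotted.split(".")), int(build)


def audit(kind, inventory):
    """Return (id, version, state) per entry; state is patched, outdated or unknown."""
    target = parse_version(PATCHED[kind])
    results = []
    for entry in inventory:
        version = entry.get("version") or ""
        try:
            state = "patched" if parse_version(version) >= target else "outdated"
        except ValueError:
            # Missing or malformed version: report it rather than assume it is fine.
            state = "unknown"
        results.append((entry.get("id"), version, state))
    return results


# Constructed sample shaped like the NSX-T inventory output above (ids and old build are made up).
SAMPLE_NSXT = json.loads("""[
  {"id": "example-id-1", "version": "2.5.3.4.0-19069884", "status": "ACTIVE"},
  {"id": "example-id-2", "version": "2.5.2.2.0-11111111", "status": "ACTIVE"},
  {"id": "example-id-3", "status": "ACTIVE"}
]""")

if __name__ == "__main__":
    # Usage: curl -s localhost/inventory/nsxt | python3 check_inventory.py nsxt
    kind = sys.argv[1] if len(sys.argv) > 1 else "nsxt"
    data = SAMPLE_NSXT if sys.stdin.isatty() else json.load(sys.stdin)
    rows = audit(kind, data)
    for item_id, version, state in rows:
        print(f"{kind}\t{item_id}\t{version or '-'}\t{state}")
    # Non-zero exit lets a wrapper script or scheduler flag an unpatched inventory.
    sys.exit(0 if all(state == "patched" for _, _, state in rows) else 1)
```

Run it once per inventory command and per SDDC Manager; an "outdated" or "unknown" row means the inventory does not yet reflect the patched build for that instance.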
If the procedure documented below in the "Workaround" section is followed, the supported forward upgrade is VCF 3.11 using the Skip level upgrade tool. Ensure you use the latest Skip level upgrade tool for VCF 3.x.
For information on the Skip level tool, please see:
VCF 3.11 SKIP level Upgrade tool
VCF on VxRail 3.11 SKIP level Upgrade tool