As documented in VMSA-2024-0012, all versions of the vCenter Server 7.0 appliance that are prior to 7.0 Update 3r are affected by the vulnerabilities listed in the advisory.

Also, all VMware Cloud Foundation(VCF) 4.x versions are impacted by the vulnerabilities listed in the advisory.

Note: Any VCF 4x customer that patches to vCenter Server version 7.0 U3r will be limiting their forward upgrade to VCF 5.2 only (8.0 U3)

This article is for VCF 4.x customers who are in mixed BOM within the WLD and would like to mitigate the VMSA-2024-0012 vulnerability.

1. Perform below steps on each VMware vCenter Server VM deployed in your VMware Cloud Foundation environment
   
   
   1. Take Snapshot of the vCenter server. Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
   2. Check and confirm no replication issues between the VCs/PSCs in the SSO domain - Refer Determining replication agreements and status with the Platform Services Controller (PSC) 
   3. Apply the VMware vCenter server 7.0 Update 3r patch to all  vCenter Servers (Management & VI Domain) in the environment using VAMI.
      
      
2. Perform below steps on each SDDC Manager VM deployed in your Cloud Foundation environment
   
   
   1. Take snapshot of SDDC Manager VM
   2. SSH to SDDC Manager with vcf user and su to root
   3. Get VC ID from VCF inventory
      

      curl localhost/inventory/vcenters | json_pp

      • The field "id" in response, corresponds to vCenter id. The "version" field for each of the vCenter provides the current version of the vCenter.
        
        
3. Update VCF inventory for vCenter Servers.
   
   Note: Repeat below commands for all the vCenter Severs with their corresponding vcenter-id that were upgraded. <SDDC_Manager_FQDN >  =  Fully qualified domain name of SDDC manager. <vCenter_Id>  = Id of VCENTER for which version is to be updated in VCF inventory The build number of VC 7.0 Update 3r is 24026615 so this is the version that needs to be inserted into the file i.e. 7.0.3.02000-24026615
   
   
   1. Generate access token:

      curl https://<sddc_manager_ip>/v1/tokens -i -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{ "username" : "<SSO_USER>", "password" : "<SSO_USER_PASSWORD>" }' –insecure

   2. Invoke API with Access token:

      curl -k 'http://<sddc-manager-fqdn>/inventory/entities/<vcenter_id_from_step 2(c)>' -i -X PATCH \
       -d '{"version":"7.0.3.02000-24026615", "type":"VCENTER"}' \
       -H 'Content-Type:application/json' \
       -H 'Authorization: Bearer <token received in step 3(a)>'

      
      
      
4. Update vCenter version alias in SDDC Manager.
   
            The vCenter version alias will be updated in SDDC Manager with the new version of vCenter to allow future upgrades
   
   
   1. Browse to https://<sddc-manager-fqdn> and log in with administrative credentials
   2. Navigate to Developer Center > API Explorer > APIs for managing Version Alias Configuration
   3. Expand the API PUT: /v1/system/settings/version-aliases
   4. Copy the below content into the value field and click Execute

      {
        "forceUpdate": true,
        "versionAliasesForBundleComponentTypes": [
          {
            "bundleComponentType": "VCENTER",
            "versionAliases": [
              {
                "version": "7.0.3.01500-21784236",
                "aliases": [
                  "7.0.3.02000-24026615"
                ]
              }
            ]
          }
        ]
      }

   5. Use the GET API to verify the new version alias is present in the response JSON