VMSA-2024-0019 Online AP Tool Remediation Steps for VCF 4.x

Article ID: 377444

Products

VMware SDDC Manager

Issue/Introduction

Consolidated Async Patch (AP) Tool steps to remediate the VMSA-2024-0019 vulnerability in VCF 4.x environments.

vCenter Server critical vulnerability (CVSS 9.8) outlined in VMSA-2024-0019.

Note: If SDDC Manager is on a 5.x release, follow the steps in KB 377430 instead.

Note: Applying the vCenter Async Patch can create a "back in time" scenario (the patched vCenter build is newer than the build contained in the next VCF upgrade bundle), which can block future upgrades.


Environment

VMware Cloud Foundation 4.x

Cause

Because there is no workaround and the issue is rated critical, customers must patch vCenter to secure their VCF environments.

Resolution

Please note the following:

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling the VC 7.0U3s patch will also update SDDC Manager services on VCF 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0.

  1. Download the latest Async Patch Tool to a computer with access to the SDDC Manager appliance.
     • Option 1: Direct Download Link - AP Tool download
     • Option 2:
       1. Log in to the Broadcom Support Portal.
       2. Navigate to the Async Patch download: Software > VMware Cloud Foundation > My Downloads > VMware Cloud Foundation > VMware Cloud Foundation 5.2 > Drivers & Tools > Async Patch Tool
  2. Copy the Async Patch Tool to the SDDC Manager appliance and configure it.
     1. SSH into the SDDC Manager appliance using the vcf user account.

        Note: If an existing or older version of the Async Patch Tool (and older bundles) exists in the following directories, you must remove these files before downloading the latest version, using the following command:
        rm -rf /home/vcf/asyncPatchTool && rm -rf /nfs/vmware/vcf/nfs-mount/apToolBundles

     2. Create the asyncPatchTool directory:
        mkdir /home/vcf/asyncPatchTool
     3. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
     4. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz:
        cd /home/vcf/asyncPatchTool
        tar -xvf vcf-async-patch-tool-1.2.0.0.tar.gz
     5. Set the permissions and ownership for the asyncPatchTool directory:
        chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
  3. Take a snapshot of the SDDC Manager VM.
  4. Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
     • 300 = five minutes, generally enough to ensure the connection doesn't time out during the download.
     • Example: PuTTY > Change Settings > Connection > Seconds between keepalives (0 to turn off) > set to 300 > Apply
  5. Enable the async patch with the relevant command below. If you connect to the internet through a proxy server, add the --proxyServer option (short form --ps) to specify the FQDN and port of the proxy server, for example --proxyServer FQDN:port.

     4.x VMware Cloud Foundation:
     /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.02100-24201990 --du customer_connect_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

     4.x VMware Cloud Foundation on Dell EMC VxRail:
     /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.02100-24201990 --du customer_connect_email --sddcSSOUser SSOuser --pdu dell_emc_depot_email --sddcSSHUser vcf --it ONLINE

  6. Ensure you have a valid backup of vCenter before applying the upgrade from the SDDC Manager UI.
  7. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
  8. After successfully applying the async patch, use the Async Patch Tool to deactivate the patch:
     1. SSH into the SDDC Manager appliance using the vcf user account.
     2. Run the following command and complete the prompts:
        /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
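The staging part of the procedure above (clear the old tool copy and bundle cache, create the directory, extract the archive, set permissions) is where most mistakes happen: running as root leaves files the vcf user cannot use, and unpacking the wrong archive leaves no usable binary. The script below is an added example, not part of the KB or of the Async Patch Tool itself; it wraps those steps in one function that refuses to run as any user other than the one in AP_TOOL_USER, accepts only an archive named vcf-async-patch-tool-<version>.tar.gz, and fails if bin/vcf-async-patch-tool is not present after extraction. The function name, the AP_TOOL_USER and AP_BUNDLE_DIR variables and the OWNER argument are assumptions made for this example; the default paths and the vcf:vcf ownership are the ones the KB uses.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the Async Patch Tool's own code):
# stages the VCF Async Patch Tool on SDDC Manager following the KB steps and
# enforces the "run as the vcf user" requirement before touching anything.
set -eu

# User the KB requires for the whole AP Tool operation. Overridable only so
# the function can be exercised in a scratch environment.
AP_TOOL_USER="${AP_TOOL_USER:-vcf}"
# Bundle cache the KB says to clear together with the old tool directory.
AP_BUNDLE_DIR="${AP_BUNDLE_DIR:-/nfs/vmware/vcf/nfs-mount/apToolBundles}"

# stage_ap_tool TARBALL DEST OWNER
#   TARBALL: vcf-async-patch-tool-<version>.tar.gz from the support portal
#   DEST:    target directory, /home/vcf/asyncPatchTool in the KB
#   OWNER:   chown specification for DEST, vcf:vcf in the KB
stage_ap_tool() {
    tarball=$1; dest=$2; owner=$3

    # Refuse up front rather than discover wrongly owned files later.
    if [ "$(id -un)" != "$AP_TOOL_USER" ]; then
        echo "refusing: must run as $AP_TOOL_USER, not $(id -un)" >&2
        return 1
    fi

    # Only the documented archive name pattern is unpacked into DEST.
    case "$(basename "$tarball")" in
        vcf-async-patch-tool-*.tar.gz) ;;
        *) echo "refusing: unexpected archive name $(basename "$tarball")" >&2
           return 1 ;;
    esac
    [ -f "$tarball" ] || { echo "refusing: $tarball not found" >&2; return 1; }

    # Remove an older tool copy and its bundle cache (KB note) before staging.
    [ -d "$dest" ] && rm -rf "$dest"
    [ -d "$AP_BUNDLE_DIR" ] && rm -rf "$AP_BUNDLE_DIR"

    mkdir -p "$dest"
    cp "$tarball" "$dest/"
    tar -xf "$dest/$(basename "$tarball")" -C "$dest"
    chmod -R 755 "$dest"
    chown -R "$owner" "$dest"

    # The enable/disable commands in the KB call this binary; fail now if the
    # archive did not contain it.
    [ -x "$dest/bin/vcf-async-patch-tool" ] || {
        echo "refusing: bin/vcf-async-patch-tool missing after extraction" >&2
        return 1; }
    echo "staged $(basename "$tarball") in $dest"
}

# Stand-alone use, as the vcf user on SDDC Manager:
#   sh stage_ap_tool.sh vcf-async-patch-tool-1.2.0.0.tar.gz /home/vcf/asyncPatchTool vcf:vcf
if [ "$#" -eq 3 ]; then
    stage_ap_tool "$@"
fi
```

After staging succeeds, continue with the snapshot, SSH keepalive and enable-patch steps exactly as written in the procedure; the script deliberately stops short of running vcf-async-patch-tool itself, since that step prompts for credentials and should be run interactively.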