VMSA-2025-0004 Online Async Patch Tool Remediation Steps
search cancel

VMSA-2025-0004 Online Async Patch Tool Remediation Steps

book

Article ID: 389714

calendar_today

Updated On:

Products

VMware SDDC Manager VMware Cloud Foundation

Issue/Introduction

Steps to remediate the VMSA-2025-0004 critical vulnerability for 4.x and 5.x VCF environments.

This KB is only applicable to SDDC Manager 4.5.x and 5.1.x.
Use the FLEX B.O.M to apply the ESXi patch in the SDDC UI for SDDC Manager 5.2+.

Environment

  • VCF 4.5.x, 5.1.x
  • ESXi 7.0 U3s build 24585291

Resolution

There is NO workaround. Due to the critical severity of this issue, customers must patch ESXi to secure their VCF environments.

Note:

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling ESXi 8.U2d patch will also update SDDC Manager services on VCF 5.1 and 5.1.1
  • Enabling ESXi 7.U3s patch will also update SDDC Manager services on VCF 4.5.x
  • Once AP tools is enabled, the SDDC Manager UI/API can be used to patch the management/workload domains separately.
  1. Download the latest Async Patch Tool to a computer with access to the SDDC Manager appliance.
  • Option 1: Direct Broadcom Download Link - AP Tool download
  • Option 2:
    1. Log in to Support Broadcom portal
    2. My Downloads > VMware Cloud Foundation >  VMware Cloud Foundation 5.2.1 > Drivers & Tools > Async Patch Tool
  1. Copy the Async Patch Tool to the SDDC Manager appliance and configure it.
  1. SSH into the SDDC Manager appliance using the vcf user account.
    • Note: If an existing or older version of the Async Patch Tool (and older bundles) exists in the following directories, you must remove these files before downloading the latest version using the following command: 
      rm -rf /home/vcf/asyncPatchTool && rm -rf /nfs/vmware/vcf/nfs-mount/apToolBundles 
  2. Create the asyncPatchTool directory:
    mkdir /home/vcf/asyncPatchTool
  3. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
  4. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz. 
    cd /home/vcf/asyncPatchTool
tar -xvf vcf-async-patch-tool-1.2.0.0.tar.gz
  5. Set the permissions for the asyncPatchTool directory. 
    chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
  1. Take a snapshot of the SDDC Manager VM.

  2. Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
    • 300 = five minutes, generally enough to ensure the connection doesn't time out during download.
    • Example: Putty > Change Settings > Connection > Seconds between keepalives (0 to turn off) > set to 300 > Apply

  3. Enable the async patch with the relevant command below:
​​​​​​​If you connect to the internet through a proxy server, add the --proxyServer--ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.

4.5.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:7.0.3-24585291 --du customer_connect_email  --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE

5.1 & 5.1.1 VMware Cloud Foundation

/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch ESX_HOST:8.0.2-24585300 --du customer_connect_email  --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
  1. Ensure a valid backup of the vCenter before applying the upgrade from SDDC UI.
  2. Log in to the SDDC Manager UI and apply the async patch to all workload domains.

  3. After successfully applying the async patch, use the Async Patch Tool to deactivate the patch.
  1. SSH into the SDDC Manager appliance using the vcf user account.
  2. Run the following command and complete the prompts: 
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf



Powered by Wolken Software