VMSA-2023-0023 Offline AP Tool Remediation Steps
search cancel

VMSA-2023-0023 Offline AP Tool Remediation Steps

book

Article ID: 327210

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

vCenter Server critical vulnerability (9.8) outlined in VMSA-2023-0023

Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x

Cause

Consolidated Offline AP Patching steps to remediate the VMSA-2023-0023 vulnerability for 4.x and 5.x VCF environments.

Resolution

  • The entire AP Tool operation must be run as the vcf user.
  • Enabling VC 8.0U1d patch will also update SDDC Manager services on VCF 5.0.0.0
  • Enabling VC 7.0U3o patch will also update SDDC Manager services on VCF 4.3.1.1, 4.4.0.0, 4.4.1.1, 4.5.0.0 and 4.5.1.0
  • Additional bundles may be downloaded during the bundle download process. 
  1. Download the latest Async Patch Tool to a computer that has access to the internet and the SDDC Manager appliance
    • Log in to VMware Customer Connect
    • Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW

  2. Extract vcf-async-patch-tool-<version>.tar.gz
  3. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.

    Run the download from the AP Tool.

    If connecting to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port

    For VxRail environments, add the following flags to the download command:

    --sku VCF_ON_VXRAIL --pdu dell_emc_depot_email

    4.x Linux:
    ./vcf-async-patch-tool -d --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email

    4.x Windows:
    vcf-async-patch-tool.bat -d --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email

    5.x Linux:
    ./vcf-async-patch-tool -d --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email

    5.x Windows:
    vcf-async-patch-tool.bat -d --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email

    Example Output

  4.  SSH into the SDDC Manager using the vcf user account and create the following directory:

    mkdir /nfs/vmware/vcf/nfs-mount/apToolBundles

  5. Copy the patch and set permissions.
    • Copy the entire output directory from the local computer (for example, apToolBundles) to the SDDC Manager appliance.
    • SSH in to the SDDC Manager appliance using the vcf user account.
    • Update the permissions on the apToolBundle directory.

      chmod -R 755 /nfs/vmware/vcf/nfs-mount/apToolBundles && chown -R vcf:vcf /nfs/vmware/vcf/nfs-mount/apToolBundles

  6. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.
    • SSH in to the SDDC Manager appliance using the vcf user account.
      • Note: If an existing or older version of the Async Patch Tool exists in the directory, remove these files before downloading the latest version of the Async Patch Tool

        rm -r /home/vcf/asyncPatchTool

    •  Create the asyncPatchTool directory

      mkdir /home/vcf/asyncPatchTool

    • Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) downloaded in step 1 to the home/vcf/asyncPatchTool directory.
    • Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz

      cd /home/vcf/asyncPatchTool
      tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz

    • Set the permissions for the asyncPatchTool directory.

      chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool

  7. Take a snapshot of the SDDC Manager VM
  8. Enable the async patch with the relevant command below

    4.x VMware Cloud Foundation:
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

    5.x VMware Cloud Foundation:
    /home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE

  9. Ensure there is a valid backup of the vCenter before applying upgrade from SDDC UI.

    Please see KB: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

  10. Log in to the SDDC Manager UI and apply the async patch to all workload domains
  11. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.

a. SSH in to the SDDC Manager appliance using the vcf user account.
b. Run the following command and complete prompts:

/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf


Workaround

Due to no workaround and the critical severity of this issue, customers must patch vCenter to secure their VCF environments.

Additional Information

Async Patch Tool 1.1.0.2 - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html


Powered by Wolken Software