Consolidated Offline AP Patching steps to remediate the VMSA-2023-0023 vulnerability for 4.x and 5.x VCF environments.
1. Download the latest Async Patch Tool to a computer that has access to the internet and the SDDC Manager appliance
a. Log in to VMware Customer Connect
b. Navigate to the Async Patch Download: Products and Accounts > All Products > VMware Cloud Foundation > VMware Cloud Foundation Tools > Drivers & Tools > Async Patch Tool > GO TO DOWNLOADS > DOWNLOAD NOW
2. Extract vcf-async-patch-tool-<version>.tar.gz.
3. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.
4. Run the download with the AP Tool.
If you connect to the internet through a proxy server, use the --proxyServer (--ps) option to specify the FQDN and port of the proxy server. For example: --proxyServer FQDN:port
For VxRail environments, add the following flags to the download command:
--sku VCF_ON_VXRAIL --pdu dell_emc_depot_email
4.x Linux:
./vcf-async-patch-tool -d --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email
4.x Windows:
vcf-async-patch-tool.bat -d --patch VCENTER:7.0.3.01700-22357613 --du customer_connect_email
5.x Linux:
./vcf-async-patch-tool -d --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email
5.x Windows:
vcf-async-patch-tool.bat -d --patch VCENTER:8.0.1.00400-22368047 --du customer_connect_email
5. SSH in to the SDDC Manager appliance using the vcf user account and create the following directory:
mkdir /nfs/vmware/vcf/nfs-mount/apToolBundles
6. Copy the patch and set permissions.
a. Copy the entire output directory from the local computer (for example, apToolBundles) to the SDDC Manager appliance.
b. SSH in to the SDDC Manager appliance using the vcf user account.
c. Update the permissions on the apToolBundles directory.
chmod -R 755 /nfs/vmware/vcf/nfs-mount/apToolBundles && chown -R vcf:vcf /nfs/vmware/vcf/nfs-mount/apToolBundles
7. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.
a. SSH in to the SDDC Manager appliance using the vcf user account.
Note: If an existing or older version of the Async Patch Tool exists in the directory, you will need to remove these files before downloading the latest version of the Async Patch Tool.
rm -r /home/vcf/asyncPatchTool
b. Create the asyncPatchTool directory.
mkdir /home/vcf/asyncPatchTool
c. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) that you downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
d. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz.
cd /home/vcf/asyncPatchTool
tar -xvf vcf-async-patch-tool-1.1.0.2.tar.gz
e. Set the permissions for the asyncPatchTool directory.
chmod -R 755 /home/vcf/asyncPatchTool && chown -R vcf:vcf /home/vcf/asyncPatchTool
8. Take a snapshot of the SDDC Manager VM.
9. Enable the async patch with the relevant command below:
4.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:7.0.3.01700-22357613 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE
5.x VMware Cloud Foundation:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool -e --patch VCENTER:8.0.1.00400-22368047 --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE
10. Ensure there is a valid backup of the vCenter before applying the upgrade from the SDDC Manager UI.
See KB: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
11. Log in to the SDDC Manager UI and apply the async patch to all workload domains
12. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.
a. SSH in to the SDDC Manager appliance using the vcf user account.
b. Run the following command and complete prompts:
/home/vcf/asyncPatchTool/bin/vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
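A small bash helper, added here as an example and not part of this KB or the Async Patch Tool, that composes the step 4 download command from the version, OS, proxy and VxRail choices above and checks the staging layout from steps 5 to 7 (directories present, mode 755, expected owner, executable tool binary) before the enable command in step 9. The patch identifiers, paths and flags are the ones given above; the e-mail address, proxy and expected owner are caller-supplied arguments, and GNU stat/find (as on the Photon-based SDDC Manager) are assumed.

```shell
#!/usr/bin/env bash
# Added helper (not from the KB or the AP Tool): composes the step 4 download
# command for a given VCF major version / OS, and checks the step 5-7 staging
# layout on SDDC Manager before step 9. Patch identifiers and flags are the
# KB's; the e-mail, proxy and directories are passed in by the caller.
set -euo pipefail

# vCenter patch identifier for VMSA-2023-0023 per VCF major version (from the KB).
patch_id() {
  case "$1" in
    4) echo "VCENTER:7.0.3.01700-22357613" ;;
    5) echo "VCENTER:8.0.1.00400-22368047" ;;
    *) echo "unsupported VCF major version: $1" >&2; return 1 ;;
  esac
}

# Build the download command. Args: vcf_major os(linux|windows) email [proxy FQDN:port] [vxrail yes|no]
download_cmd() {
  local major="$1" os="$2" email="$3" proxy="${4:-}" vxrail="${5:-no}" bin cmd
  case "$os" in
    linux)   bin="./vcf-async-patch-tool" ;;
    windows) bin="vcf-async-patch-tool.bat" ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  cmd="$bin -d --patch $(patch_id "$major") --du $email"
  if [ -n "$proxy" ]; then cmd="$cmd --proxyServer $proxy"; fi
  if [ "$vxrail" = yes ]; then cmd="$cmd --sku VCF_ON_VXRAIL --pdu dell_emc_depot_email"; fi
  echo "$cmd"
}

# Check the layout the KB's chmod/chown steps should have produced: both
# directories exist with mode 755 and the expected owner, the tool binary is
# executable, and nothing under the bundle tree is owned by someone else
# (GNU stat/find assumed). Args: bundle_dir tool_dir expected_owner
verify_staging() {
  local bundle="$1" tool="$2" owner="$3" d
  for d in "$bundle" "$tool"; do
    [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    [ "$(stat -c '%a %U' "$d")" = "755 $owner" ] || { echo "bad mode/owner on $d" >&2; return 1; }
  done
  [ -x "$tool/bin/vcf-async-patch-tool" ] || { echo "tool binary not executable" >&2; return 1; }
  if find "$bundle" ! -user "$owner" | grep -q .; then
    echo "files under $bundle not owned by $owner" >&2; return 1
  fi
  echo "staging OK"
}

# Dispatch: "$0 show <major> <os> <email> [proxy] [vxrail]" or "$0 verify <bundle_dir> <tool_dir> <owner>"
case "${1:-}" in show) download_cmd "${@:2}" ;; verify) verify_staging "${@:2}" ;; esac
```

On SDDC Manager the verify call would be `verify /nfs/vmware/vcf/nfs-mount/apToolBundles /home/vcf/asyncPatchTool vcf`; a non-zero exit means one of steps 5 to 7 was not completed as written.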
Because there is no workaround and the issue is of critical severity, customers must patch vCenter to secure their VCF environments.
Async Patch Tool 1.1.0.2 - https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html