LICOMPGUY


Best way or how to handle CVE-2021-21972 and CVE-2021-21973 (82374) vulnerabilities

Hi all

I have a small environment running vCenter Server on Windows 6.5.0.24750, and the two ESXi hosts are ESXi 6.5.0 5310538.

I am unclear on the latest vulnerabilities (mentioned above), what I have to do to resolve them, and/or whether it makes sense just to upgrade.

Everything is behind a SonicWall firewall; should I be concerned? Is there a lot of exposure?

I am fine moving it to VCSA.

How would you approach it?

Thanks!

Licompguy
Murali Sripada

Patch vCenter. One of the vulnerabilities reported, CVE-2021-21972 (https://kb.vmware.com/s/article/82374), is a zero day and is rated highest.

Please fix it ASAP or use the workaround: https://kb.vmware.com/s/article/82374

thanks,
MS
LICOMPGUY (ASKER)

Hi Murali
I guess that is what I am missing: the how-to. How do I do the workaround?
How do I fix it?

Thanks so much!
1. Are you affected? Do you use vRealize? Is it one of the affected versions?

Follow the instructions at https://kb.vmware.com/s/article/82374
as a workaround....

It's easy, just edit the XML file C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml

add

<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>

Restart the vCenter Server service or restart the server.
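A small verification helper, added here as an example and not part of the thread or of VMware's KB: it parses a compatibility-matrix.xml, reports whether the PluginPackage entry quoted above is present with status="incompatible" (a common slip is adding it with the wrong status), and can add or correct the entry. The only element it relies on is the one from the post; the surrounding Matrix/pluginsCompatibility layout in the sample file is constructed for the example, so confirm the real file's layout against the KB before writing to it.

```python
"""Check and apply the KB 82374 workaround entry in compatibility-matrix.xml.

Added example; not from the thread or from VMware. It assumes only the element
the thread quotes:
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
The <Matrix>/<pluginsCompatibility> layout in the sample below is constructed
for the example; verify the real file's layout against the KB article.
"""
import sys
import xml.etree.ElementTree as ET

PLUGIN_ID = "com.vmware.vrops.install"

# Constructed sample of a matrix file *before* the workaround has been added.
SAMPLE_BEFORE = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.example.plugin" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def workaround_status(xml_text: str) -> str:
    """Return 'applied', 'wrong-status' or 'missing' for the vROps install plugin entry.

    'wrong-status' catches the entry being present but not set to "incompatible",
    which leaves the plugin loadable and the workaround ineffective.
    """
    root = ET.fromstring(xml_text)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == PLUGIN_ID:
            return "applied" if pkg.get("status") == "incompatible" else "wrong-status"
    return "missing"


def apply_workaround(xml_text: str) -> str:
    """Return the XML with the entry present and set to incompatible (idempotent)."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == PLUGIN_ID:
            pkg.set("status", "incompatible")  # correct a wrong status, never duplicate
            return ET.tostring(root, encoding="unicode")
    section = root.find(".//pluginsCompatibility")
    if section is None:
        raise ValueError("no pluginsCompatibility section found; check the file layout")
    ET.SubElement(section, "PluginPackage", {"id": PLUGIN_ID, "status": "incompatible"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_matrix.py [path-to-compatibility-matrix.xml]
    # Without a path it runs against the constructed sample above.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    print("workaround:", workaround_status(text))
```

Run it against the live file after applying the workaround and again after the vSphere UI service restart; a result other than "applied" means the change did not take.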
Not using vRealize. But I actually have three different environments I am concerned about.
Maybe the masks for COVID have cut off my oxygen supply, but I just wasn't clear on what I needed to do.

Thanks

Hey Andrew

I hope you have been well.
Does it matter where I add the line? I guess any text editor will do, correct? Hell, even Word.
Would I be doing the exact same thing for the VCSA 6.7 and 7.0 installs?
Thank you so very much

Licompguy


Andrew

I guess I misunderstood, so this only affects vCenter Server, NOT VCSA - correct?
Thanks!!!
Licompguy
Andrew

As for ESXi - I guess I jumped the gun too.

I saw the following
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544), and it seemed like a lot at first.

Then I realized, and correct me if I am wrong, that if I were simply to go to the latest build for each version, I should be good across the board.
Andrew, I think you once shared with me/us a paper you wrote or info regarding a super easy upgrade path.
I have to go from vCenter Server 6.5 to VCSA,
6.7 -> 7.x,
and 7.0.1 to the current release.

If I recall, I first do the vCenter Server to VCSA, then the hosts.
Would you be kind enough to share that info again?

Thanks!!!!
Be well

LiCompGuy
It affects VCSA and vCenter Server for Windows, you have a choice...

1. either edit the XML file as a workaround, or apply an update to vCenter Server and VCSA 6.5, 6.7 and 7.0

2. Apply the latest ESXi 6.5, 6.7 and 7.0 and you are done.

VCSA/vCenter Server do first!
Hey Andrew
I see an ISO which I believe is for the VCSA; is there a separate one for the Windows-based vCenter Server?
Would you agree to just go to 7.x on everything? The 6.5, 6.7 single-host installs as well. Doing the security update or the upgrade has, in your experience, been pretty much problem free?

I would LOVE it if you could send me that link for upgrading again.  

Thanks my friend!

LiCompGuy
You will need

6.5

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3n-release-notes.html

6.7

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html

and apply these to VCSA or vCenter Server for Windows.

I would not migrate to 7.0, unless you have a requirement for such.

ESXi 6.5 update - ESXi-6.5.0-20210204001-standard (Build 17477841)

esxcli software profile update -p ESXi-6.5.0-20210204001-standard  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml



ESXi 6.7 update - ESXi-6.7.0-20210204001-standard (Build 17499825)

esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml


Hey there

Thank you.
Not a big fan of 7.x? If I am running vCenter Server on 6.5, would you simply keep it on Windows for now and just do the upgrade to "vCenter Server 6.5 Update 3n | FEB 23 2021 | ISO Build 17590285"?
If that is the case, I would imagine I can just nail the vCenter Server, and when I can get a change THEN go for the hosts - they should be fine if they are different builds of 6.5 vCenter Server and ESXi - agreed?

Has what you shared above for the upgrades been pretty seamless?
Just do the vCenter first, then the hosts following your syntax, and I should be good to go?

I am thinking vcenter  upgrade, then the hot standby host, and then prod.  But no issues really?

I have to regroup and hit the downloads and come up with a game plan, just haven't had a second...

Thanks so very much!!!

Yes, I'm a fan of 6.5, 6.7 and 7.0.

You need new licenses for 7.0 and need to ensure hardware is on the HCL - big steps just to patch a security issue!

I'm not a fan of vCenter Server for Windoze and would get rid of it and migrate to VCSA 6.7,

but again I'd concentrate on the security issue at hand.

Upgrades are another project.
Thank you Andrew

I have to check to see, you probably know off the top of your head, but if I want to get off Windows in the 6.5 environment, do I need a different installer for VCSA? I will the moment I can breathe. From 6.5 vCenter to VCSA 6.5, it doesn't ask for license info, does it? I am so sorry, I have to log in and look.

I think it just pulls the info from vCenter Server and even leaves it intact, if I remember correctly. Then decom vCenter Server and update ESXi.

The update for 6.5 has been pretty reliable in your experience, hasn't broken anything?

Of course - intelligent call.

Andrew - really, thanks!


Just use the VCSA 6.7 installer and Migrate! From Windoze 6.5 to 6.7 VCSA

All are very stable products

6.7 can manage 6.5 and 6.7 hosts
Andrew

Don't take this the wrong way, but you are awesome. I will just have to see if it breaks Veeam, but should be an easy fix.

Thanks.
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
This solution is only available to members.
Andrew

If you don't mind me asking, for the 6.5.0.24750 Windows vCenter Server to VCSA - do I need this first, VMware-VCSA-all-6.7.0-17028579.iso, and then this, VMware-vCenter-Server-Appliance-6.7.0.46000-17138064-patch-FP.iso? Correct?
No license changes, and then I can nail the hosts when I can get an outage.

Thank you again

Be well
Hey Andrew

Super dumb question, I generally would never do it during prod hours, but really, is there any reason why upgrading vCenter to VCSA or vca to VCSA could interrupt access to the guests on the hosts? I generally would never take the chance, just curious.

Thanks again!
It should not do, because it's just a management server, and does not affect hosts or running VMs.
Hey Andrew
I hope you are well
I updated the VCSA; 7.0.1 is now showing as 7.0.1.00300.
The ESXi host is 7.0.1 build 16850804.
Am I missing something? Was there a critical update for the ESXi host as well? I don't see it.
Jeez, can't remember how to determine this!
If there is, can I trouble you for the syntax, and how you determined which file you were downloading via esxcli? I am unclear on how it works. Thanks so much

Heading to office 6.7.0.4000
I will proceed the same way with VCSA.
You gave me the below. I have to ask, I can't see clearly where the "ESXi-6.7.0-20210204001-standard" came from, how it was determined; I guess you are instructing esxcli to pull this specific file from VMware?

esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Thanks so much,
ESXi-6.7.0-20210204001-standard - this is the profile (patch) you are downloading.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html

Build:      17499825
Okay, so this tells esxcli to pull this specific file down from vmware/software

esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

What I am not seeing, and I bet I missed it, is how you determined that that is the specific file needed for this vulnerability, so I know what I need for 6.5, 7 etc. That is what I seem to be missing (among other things ;-))

Thanks again!
I was trying to figure out specifically what I need for the 7.0.1 build 16850804 ESXi host.
So if I can determine what the heck I missed in determining the file(s) needed, it would be a huge help!

Thanks Andrew

When I log in and look for patches it shows as "ESXi670-202102001.zip"

So seeing this confuses me:
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

Thanks!
What I am not seeing, and I bet I missed it, is how you determined that that is the specific file needed for this vulnerability, so I know what I need for 6.5, 7 etc. That is what I seem to be missing (among other things ;-))

That's because I did that for you!

Fixed in Build 17499825.

but if you look at this profile, and then work with

ESXi-6.7.0-20210204001-standard

this link
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html

or from CVE-2021-21974

ESXi670-202102401-SG


https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html

Search this document and you'll find the Image Profile to download; as homework I'll let you do 7.x.

You'll find the CVE, or work the other way
When I log in and look for patches it shows as "ESXi670-202102001.zip"

That is a file you can use in the old-fashioned method... offline from datastore...

Part 12: HOW TO: Update VMware ESXi 6.7 to ESXi 7.0 GA in 5 easy steps.

If you want to do it direct from the internet, there's no need to download the zip file; you can do it direct...

Part 13: HOW TO: Update VMware ESXi 6.7 to ESXi 7.0 GA direct from VMware.
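The two things the asker keeps circling back to, which ESXi branch needs which image profile (the esxcli commands Andrew posted earlier) and what the profile name encodes, are easier to see in a small inventory check. This is an added example, not code from the thread or from VMware: the fixed image profiles and build numbers are the ones posted in this thread for ESXi 6.5 and 6.7 (7.0 is deliberately left out because the thread does not settle on a final 7.0 build), the host version lines are constructed in the format `vmware -v` prints on an ESXi host, and the split of the profile name into version/date/sequence/flavour is an assumption read off the names on the page rather than a documented VMware interface.

```python
"""Decide whether an ESXi host is at or above the fixed build for VMSA-2021-0002.

Added example; not from the thread or from VMware. The fixed image profiles and
builds are the ones posted in this thread for ESXi 6.5 and 6.7; 7.0 is not in the
table because the thread does not settle on a final 7.0 build. The way a profile
name is split into date/sequence fields is an assumption drawn from the names on
the page. Host version lines are constructed in 'vmware -v' output format.
"""
import re

DEPOT = "https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

# Image profile and build number quoted in the thread, per ESXi branch.
FIXED = {
    "6.5.0": ("ESXi-6.5.0-20210204001-standard", 17477841),
    "6.7.0": ("ESXi-6.7.0-20210204001-standard", 17499825),
}

VMWARE_V = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")
# Assumed decomposition of a profile name: ESXi-<version>-<YYYYMMDD><NNN>-<flavour>
PROFILE = re.compile(r"^ESXi-(\d+\.\d+\.\d+)-(\d{8})(\d{3})-(\w+)$")


def parse_version(line: str):
    """'VMware ESXi 6.5.0 build-5310538' -> ('6.5.0', 5310538)."""
    m = VMWARE_V.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), int(m.group(2))


def assess(line: str) -> dict:
    """Compare a host's build with the fixed build; include the esxcli command when behind."""
    version, build = parse_version(line)
    result = {"version": version, "build": build, "status": "unknown-branch", "command": None}
    if version not in FIXED:
        return result  # e.g. 7.0.x: look the branch up in its own release notes
    profile, fixed_build = FIXED[version]
    if build >= fixed_build:
        result["status"] = "patched"
    else:
        result["status"] = "needs-update"
        result["command"] = f"esxcli software profile update -p {profile} -d {DEPOT}"
    return result


def describe_profile(name: str) -> dict:
    """Split an image-profile name into the fields its naming convention carries."""
    m = PROFILE.match(name)
    if not m:
        raise ValueError(f"not an image profile name: {name!r}")
    version, date, seq, flavour = m.groups()
    return {
        "version": version,
        "release_date": f"{date[:4]}-{date[4:6]}-{date[6:]}",
        "sequence": int(seq),
        "flavour": flavour,
    }


# Constructed host inventory in 'vmware -v' output format; the builds are those
# mentioned in the thread (the asker's original 6.5 hosts, the two patched builds,
# and the 7.0.1 host the asker was unsure about).
HOSTS = [
    "VMware ESXi 6.5.0 build-5310538",
    "VMware ESXi 6.5.0 build-17477841",
    "VMware ESXi 6.7.0 build-17499825",
    "VMware ESXi 7.0.1 build-16850804",
]

if __name__ == "__main__":
    for line in HOSTS:
        r = assess(line)
        print(f"{r['version']:<6} build {r['build']:<9} {r['status']}")
        if r["command"]:
            print("    ", r["command"])
    print(describe_profile(FIXED["6.7.0"][0]))
```

The build comparison is the part worth keeping: the release notes Andrew links give the build for each patch, so once a host's `vmware -v` output shows a build at or above it, the VMSA fix is present, whichever route (depot, offline zip, Update Manager) delivered it. Extend FIXED from the 7.0 release notes once you have confirmed the right 7.0 profile.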
Hey!
Thanks for the homework!
So it looks like the update for 6.7 just came out on 2/23/2021.

Have you ever seen running this upgrade process break the host/VMs, or has it really been reliable?

I would think the file I need to address this vulnerability for 7.0 is
but it was updated 12/17/2020 - I thought this vulnerability was just discovered.
But based on what I am seeing, unless I am incorrect, the file I would need to address this critical vulnerability for 7.0 would be ESXi-7.0U1c-17325551-standard (to download direct from the internet).
Correct?

Would Advisory vmsa-20210-0003 be cumulative of -0002 etc.?

Do I have the option of SSH-ing to the console of the ESX server, or running this directly from the host?
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

Thank you, Thank you, Thank you!

Hey!
Thanks for the homework!
So it looks like the update for 6.7 just came out on 2/23/2021.

Have you ever seen running this upgrade process break the host/VMs, or has it really been reliable?

Yes, the update was published shortly after the Security Info Release.

I've never seen a host which has been upgraded fail; it will either complete or not complete, and in the event you need to roll back, Shift-R.

If you do not feel comfortable doing this, then update via ISO (CDROM), Update Manager or as per my EE Article.

That is the correct download, but there is a later one in Feb; you may be getting confused with the different security issues which exist in VCSA/vCenter Server and ESXi, which were discovered at different times.


Do I have the option of SSH-ing to the console of the ESX server, or running this directly from the host?
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

Thank you, Thank you, Thank you!

Whichever is easier for you.

If you just download all the latest patches that exist and patch ESXi and VCSA you are done; at this present time, all patches are cumulative.
Hey there! Odd, the current build of vCenter Server running on Windows does not display the build # anywhere within the client. All I see is under Help > About, and it gives the client version of 6.5.0.5300.

Do I need to check this so I know the vCenter migration from 6.5 to VCSA will be supported by the current VCSA 6.7 ISO?

(On Win Server) Under Add/Remove Programs it shows as version 6.5.0.24750. I was trying to confirm if I can go to the latest build of 6.7 VCSA from vCenter - sure, it shows the hosts are on 6.5.0.5310538.
Just trying to be safe. Does it matter? If so, where else might I look? Maybe it doesn't display it in the partially functional HTML5 client?

Thanks!
Hey there! Odd, the current build of vCenter Server running on Windows does not display the build # anywhere within the client. All I see is under Help > About, and it gives the client version of 6.5.0.5300.

Do I need to check this so I know the vCenter migration from 6.5 to VCSA will be supported by the current VCSA 6.7 ISO?

I would not trouble yourself trying to find it; there are enough issues with MIGRATION. If it cannot migrate it will tell you; if it does migrate without error YOU ARE VERY LUCKY!!!

Just stick in the latest VCSA ISO, and MIGRATE away...
Andrew

Thank you so very much. Did it! VCSA on 6.7.0.46000 from the 6.5 Windows vCenter Server. However, when going in via port 5480 and Update, it does not see the ISO. I had copied the ISO over to the VMFS share and mounted it/connected, but it doesn't see it. I selected Check Updates CD/URL, set to auto-check also, and it shows nothing. Anything you can think of that I should be checking?

Awesome - my friend, thank you much
Hey Andrew

I am thinking it is my mistake. The build I downloaded was already 17138064, the update was 17138064, so the full install apparently already had the security fix in it.

Back to the hosts
Thanks so very very much.  Enjoy your day!
Nothing to do....

The update panel in VAMI will let you know if there is an update to apply.
Andrew
I hope you are doing well. Thanks to you I have updated all VCSA servers, and a vCenter, to the latest build.
Targeting ESXi this weekend; not clear on something with the image names.
It does seem like all image files are cumulative, correct?
Secondly, I see which image file you selected, "ESXi-6.5.0-20210204001-standard"; I just don't understand the last 2 image files below - what am I missing?
Thanks and be well!


I think I was unclear; I meant the last two. I would think you would select the first two image files, so what are these then? It wasn't clear.
Thanks!

s - different patch; refer to the VMware Knowledge Base, which you should always do when patching.
Hey Andrew - well, for the life of me, SSH via PuTTY wouldn't work, but I was able to install it on one of the hosts for 6.5, thanks to you! Andrew, what surprised me was that after rebooting, I now get a warning which I did not get before regarding CVE-2018-3646. Current build 6.5 17477841, previous build 5310538 prior to the security update.

Do you have concern over this for your servers?  Thanks again!!!!!
You've not updated in a while!

You need to read up about Spectre, Meltdown and L1 Side Channel!

Yes, we have a concern, and if you do NOT, WHY PATCH ANYTHING!

I posted this on EE in 2019 !!!

https://www.experts-exchange.com/posts/5933/If-after-applying-VMware-vSphere-ESXi-security-update.html
Hey Andrew, I apparently need to make more time to catch up on this. So then I guess the patches are not cumulative; the latest security update will not address CVE-2018-3646.

What would you suggest would be best practice to make sure ALL critical security updates are addressed if they are not cumulative? I have a 6.5/6.7/7.0 office.
It is time to standardize again, in terms of best practices. Thanks in advance for sharing your expertise.


Patches are ALL cumulative, but there is a setting which needs changing, and YOU MUST read the patch info, because this patch can reduce performance!

Spectre, Meltdown, L1 Side Channel are ALL INTEL CPU BUGS!

and patches come in several parts.

Please post a new question.