LICOMPGUY
asked on
Best way or how to handle CVE-2021-21972 and CVE-2021-21973 (82374) vulnerabilities
Hi all
I have a small environment running virtual center server on windows 6.5.0.24750 and the two esxi hosts are esx 6.5.0 5310538.
I am unclear on the latest vulnerabilities (mentioned above), what I have to do to resolve it, and or if it makes sense just to upgrade.
Everything is behind a sonicwall firewall, should I be concerned? Is there a lot of exposure?
I am fine moving it to vcsa
How would you approach it?
Thanks!
Licompguy
I have a small environment running virtual center server on windows 6.5.0.24750 and the two esxi hosts are esx 6.5.0 5310538.
I am unclear on the latest vulnerabilities (mentioned above), what I have to do to resolve it, and or if it makes sense just to upgrade.
Everything is behind a sonicwall firewall, should I be concerned? Is there a lot of exposure?
I am fine moving it to vcsa
How would you approach it?
Thanks!
Licompguy
ASKER
Hi Murali
I guess that is what I am missing the how to. How to do the workaround?
How to fix it?
Thanks so much!
I guess that is what I am missing the how to. How to do the workaround?
How to fix it?
Thanks so much!
1. Are you affected .? Use Vrealize? Is it one of the affected versions?
Follow the instructions @ https://kb.vmware.com/s/article/82374
Follow the instructions @ https://kb.vmware.com/s/article/82374
as a workaround....
It's easy just edit the xml file, - C:\ProgramData\VMware\vCen terServer\ cfg\vspher e-ui\compa tibility-m atrix.xml
add
<PluginPackage id="com.vmware.vrops.insta ll" status="incompatible"/>
Restart vCenter Server service or restart server
It's easy just edit the xml file, - C:\ProgramData\VMware\vCen
add
<PluginPackage id="com.vmware.vrops.insta
Restart vCenter Server service or restart server
ASKER
Not using vrealize. But actually have three different environments I am concerned about
Maybe the masks for covid have cut off my oxygen supply - but just wasn't clear in what I needed to do.
Thanks
Maybe the masks for covid have cut off my oxygen supply - but just wasn't clear in what I needed to do.
Thanks
ASKER
Hey Andrew
I hope you have been well.
Does it matter where I add the line? I guess any text editor will do - correct, Hell even Word.
Would I be doing the exact same thing for the vsca 6.7 and 7.0 installs?
Thank you so very much
Licompguy
I hope you have been well.
Does it matter where I add the line? I guess any text editor will do - correct, Hell even Word.
Would I be doing the exact same thing for the vsca 6.7 and 7.0 installs?
Thank you so very much
Licompguy
ASKER
Andrew
I guess I misunderstood, so this only affects vcenter server NOT VCSA - correct?
Thanks!!!
Licompguy
I guess I misunderstood, so this only affects vcenter server NOT VCSA - correct?
Thanks!!!
Licompguy
ASKER
Andrew
As for esx - i guess I jumped the gun too.
I saw the following
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544), and it seemed like a lot at first
Then I realized, and correct me if I am wrong - if I were simply to go to the latest build - for each ver, should be good across the board
Andrew - I think you once shared with me/us - a paper you wrote or info regarding a super easy upgrade path.
I have to go from vcenter server 6.5 to vcsa
6.7 - > 7.x
and 7.0.1 - to current release.
If I recall I first do the vcenter server to vcsa - then the hosts.
Would you be kind enough to share that info again?
Thanks!!!!
Be well
LiCompGuy
As for esx - i guess I jumped the gun too.
I saw the following
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544), and it seemed like a lot at first
Then I realized, and correct me if I am wrong - if I were simply to go to the latest build - for each ver, should be good across the board
Andrew - I think you once shared with me/us - a paper you wrote or info regarding a super easy upgrade path.
I have to go from vcenter server 6.5 to vcsa
6.7 - > 7.x
and 7.0.1 - to current release.
If I recall I first do the vcenter server to vcsa - then the hosts.
Would you be kind enough to share that info again?
Thanks!!!!
Be well
LiCompGuy
It affects VCSA and vCenter Server for Windows, you have a choice...
1. either edit the xml file as a workaround, or apply an Update to vCenter Server and VCSA 6.5, 6.7 and 7.0
2. Apply the latest ESXi 6.5, 6.7 and 7.0 and you are done.
VCSA/vCenter Server do first!
1. either edit the xml file as a workaround, or apply an Update to vCenter Server and VCSA 6.5, 6.7 and 7.0
2. Apply the latest ESXi 6.5, 6.7 and 7.0 and you are done.
VCSA/vCenter Server do first!
ASKER
Hey Andrew
I see an ISO which I believe is for the vcsa, is there a separate one for the windows based virtual center server?
Would you agree just to go to 7.x on everything? The 6.5, 6.7 single host installs as well. Doing the sec update or the upgrade, in your experience have been pretty much problem free?
I would LOVE it if you could send me that link for upgrading again.
Thanks my friend!
LiCompGuy
I see an ISO which I believe is for the vcsa, is there a separate one for the windows based virtual center server?
Would you agree just to go to 7.x on everything? The 6.5, 6.7 single host installs as well. Doing the sec update or the upgrade, in your experience have been pretty much problem free?
I would LOVE it if you could send me that link for upgrading again.
Thanks my friend!
LiCompGuy
You will need
6.5
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3n-release-notes.html
6.7
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html
and apply these to VCSA or vCenter Server for Windows.
I would not migrate to 7.0, unless you have a requirement for such.
ESXi 6.5 update - ESXi-6.5.0-20210204001-sta ndard (Build 17477841)
ESXi 6.7 update - ESXi-6.7.0-20210204001-sta ndard (Build 17499825)
6.5
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3n-release-notes.html
6.7
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html
and apply these to VCSA or vCenter Server for Windows.
I would not migrate to 7.0, unless you have a requirement for such.
ESXi 6.5 update - ESXi-6.5.0-20210204001-sta
esxcli software profile update -p ESXi-6.5.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
ESXi 6.7 update - ESXi-6.7.0-20210204001-sta
esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
ASKER
Hey there
Thank you.
Not a big fan of 7.x? If I am running vcenter server on 6.5, would you simply keep it on windows for now and just do the upgrade to "vCenter Server 6.5 Update 3n | FEB 23 2021 | ISO Build 17590285 "
If that is the case, I would image I can just nail the vcenter server, and when I can get a change THEN go for the hosts - they should be fine if they are different builds of 6.5 vcenter server and esxi - agreed?
IS what you shared above with the upgrades - been pretty seamless?
Just do the vcenter first then the hosts following your syntax and should be good to go?
I am thinking vcenter upgrade, then the hot standby host, and then prod. But no issues really?
I have to regroup and hit the downloads and come up with a game plan, just haven't had a second...
Thanks so very much!!!
Thank you.
Not a big fan of 7.x? If I am running vcenter server on 6.5, would you simply keep it on windows for now and just do the upgrade to "vCenter Server 6.5 Update 3n | FEB 23 2021 | ISO Build 17590285 "
If that is the case, I would image I can just nail the vcenter server, and when I can get a change THEN go for the hosts - they should be fine if they are different builds of 6.5 vcenter server and esxi - agreed?
IS what you shared above with the upgrades - been pretty seamless?
Just do the vcenter first then the hosts following your syntax and should be good to go?
I am thinking vcenter upgrade, then the hot standby host, and then prod. But no issues really?
I have to regroup and hit the downloads and come up with a game plan, just haven't had a second...
Thanks so very much!!!
yes I'm a fan of 6.5 6.7 and 7.0
you need new licenses for 7.0 and need to ensure hardware is on the HCL big steps just to patch a security issue!
I'm not a fan of vCenter Server for Windoze and would get rid and migrate to VCSA 6.7
but again I'd concentrate on the security issue at hand
Upgrades is another project
you need new licenses for 7.0 and need to ensure hardware is on the HCL big steps just to patch a security issue!
I'm not a fan of vCenter Server for Windoze and would get rid and migrate to VCSA 6.7
but again I'd concentrate on the security issue at hand
Upgrades is another project
ASKER
Thank you Andrew
I have to check to see, you probably know off the top of your head, but if I want to get off WIndows in the 6.5 environment, do I need a different installer for vcsa? I will the moment I can breathe. From 6.5 vcenter to vcsa 6.5 - It doesn't ask for license info does it, I am so sorry - I have to login and look.
I think it just pulls the info fro vcenter serv and even leave it intact if I remember correctly. Then decom vcenter serv and update esxi
The update for 6.5 has been pretty reliable in your experience, hasn't broken anything?
Of course - intelligent call.
Andrew - really, thanks!
I have to check to see, you probably know off the top of your head, but if I want to get off WIndows in the 6.5 environment, do I need a different installer for vcsa? I will the moment I can breathe. From 6.5 vcenter to vcsa 6.5 - It doesn't ask for license info does it, I am so sorry - I have to login and look.
I think it just pulls the info fro vcenter serv and even leave it intact if I remember correctly. Then decom vcenter serv and update esxi
The update for 6.5 has been pretty reliable in your experience, hasn't broken anything?
Of course - intelligent call.
Andrew - really, thanks!
Just use VCSA 6.7 installer and Mugrate! From Windoze 6.5 to 6.7 VCSA
All are very stable products
6.7 can manage 6.5 and 6.7 hosts
All are very stable products
6.7 can manage 6.5 and 6.7 hosts
ASKER
Andrew
Don't take this the wrong way, but you are awesome. I will just have to see if it breaks veeam, but should be an easy fix.
Thanks.
Don't take this the wrong way, but you are awesome. I will just have to see if it breaks veeam, but should be an easy fix.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Andrew
If you don't mind me asking for the 6.5.0.24750 Windoz Vcenter server to vcsa - Do I need this first, VMware-VCSA-all-6.7.0-17028579.iso and then this VMware-vCenter-Server-Appliance-6.7.0.46000-17138064-patch-FP.iso? Correct?
No license changes, and then I can nail the hosts when I can get an outage.
Thank you again
Be well
If you don't mind me asking for the 6.5.0.24750 Windoz Vcenter server to vcsa - Do I need this first, VMware-VCSA-all-6.7.0-17028579.iso and then this VMware-vCenter-Server-Appliance-6.7.0.46000-17138064-patch-FP.iso? Correct?
No license changes, and then I can nail the hosts when I can get an outage.
Thank you again
Be well
Correct.
ASKER
Hey Andrew
Super dumb question, I genreally would never do it during prod hours, but really is there any reason why upgrading vcenter to vcsa or vca to vcsa - could interupt access to the guests on the hosts? I generally would never take the chance, just curious
Thanks again!
Super dumb question, I genreally would never do it during prod hours, but really is there any reason why upgrading vcenter to vcsa or vca to vcsa - could interupt access to the guests on the hosts? I generally would never take the chance, just curious
Thanks again!
It should not do, because it's just a management server, and does not affect hosts or running VMs.
ASKER
Hey Andrew
I hope you are well
I updated the VCSA 7.0.1 is now showing as 7.0.1.00300
The esxi host is 7.0.1 build 16850804 –
Am I missing something – was there a critical update for the esxi host as well – I don’t see it.
Jeez - can't remember how to determine this!
If there is can I trouble you for the syntax, and you determine which file you were downloading via esxcli? I am unclear on how it works – thanks so much
Heading to office 6.7.0.4000
I will proceed the same way with vcsa
You gave me the below - I have to ask, I can't see clearly where the "
I hope you are well
I updated the VCSA 7.0.1 is now showing as 7.0.1.00300
The esxi host is 7.0.1 build 16850804 –
Am I missing something – was there a critical update for the esxi host as well – I don’t see it.
Jeez - can't remember how to determine this!
If there is can I trouble you for the syntax, and you determine which file you were downloading via esxcli? I am unclear on how it works – thanks so much
Heading to office 6.7.0.4000
I will proceed the same way with vcsa
You gave me the below - I have to ask, I can't see clearly where the "
ESXi-6.7.0-20210204001-standard"
came from, how it was determined, I guess you are instructing esxcli to pull this specific file from vmware?esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Thanks so much,
ESXi-6.7.0-20210204001-sta ndard this is the profile (patch) you are downloading.
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html
Build: 17499825
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html
Build: 17499825
ASKER
Okay so this tells esxcli to pull this specific file down from vmware/software
esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
What I am not seeing, I bet I missed it, is how did you determine that - that is the specific file needed for this vulnerability? So I know what I need for 6.5, 7 etc. That is what I seem to be missing (among other things ;-))
Thanks again!
esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
What I am not seeing, I bet I missed it, is how did you determine that - that is the specific file needed for this vulnerability? So I know what I need for 6.5, 7 etc. That is what I seem to be missing (among other things ;-))
Thanks again!
ASKER
Was trying to figure out specifically what I need for the 7.0.1 build 16850804 esxi host
So if I can determine what the heck I missed in determining the file(s) need, it would be a huge help!
Thanks Andrew
So if I can determine what the heck I missed in determining the file(s) need, it would be a huge help!
Thanks Andrew
ASKER
When I login and look for patches it shows as "ESXi670-202102001.zip"
So seeing this confuses me "
esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"
Thanks!
What I am not seeing, I bet I missed it, is how did you determine that - that is the specific file needed for this vulnerability? So I know what I need for 6.5, 7 etc. That is what I seem to be missing (among other things ;-))
that's because I did that for you!
Fixed in Build Build: 17499825.
but if you look at this profile, and then work with
ESXi-6.7.0-20210204001-sta
this link
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html
or from CVE-2021-21974
ESXi670-202102401-SG
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html
search this document and you'll find the Image Profile to download, as homework I'll klet you do 7.x.
You'll find the CVE, or work the other way
When I login and look for patches it shows as "ESXi670-202102001.zip"
that is a file you can use in the old fashioned method... offline from datastore...
Part 12: HOW TO: Update VMware ESXi 6.7 to ESXi 7.0 GA in 5 easy steps.
if you want to do direct from internet, no need to download the zip file you can do direct...
Part 13: HOW TO: Update VMware ESXi 6.7 to ESXi 7.0 GA direct from VMware.
ASKER
Hey!
Thanks for the homework!
So it looks like the update for 6.7 just came out on 2/23/2021
Have you ever seen running this upgrade process break the host/VMs - or has it really been reliable?
I would think the file I need to address this vulnerability for 7.0 is
but it was updated 12/17/2020 - I thought this vulnerability was just discovered.
But based on what I am seeing - unless I am incorrect, the file I would need to address this critical vulnerability for 7.0 would be ESXi-7.0U1c-17325551-standard. (To download direct from the internet)
Correct?
Would Advisory - vmsa-20210-0003 be cumulative of -0002 etc?
Do I have the option of SSH-ing to the console of the ESX server - or running this directly from the host?
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"
Thank you, Thank you, Thank you!
Thanks for the homework!
So it looks like the update for 6.7 just came out on 2/23/2021
Have you ever seen running this upgrade process break the host/VMs - or has it really been reliable?
I would think the file I need to address this vulnerability for 7.0 is
but it was updated 12/17/2020 - I thought this vulnerability was just discovered.
But based on what I am seeing - unless I am incorrect, the file I would need to address this critical vulnerability for 7.0 would be ESXi-7.0U1c-17325551-standard. (To download direct from the internet)
Correct?
Would Advisory - vmsa-20210-0003 be cumulative of -0002 etc?
Do I have the option of SSH-ing to the console of the ESX server - or running this directly from the host?
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"
Thank you, Thank you, Thank you!
Hey!
Thanks for the homework!
So it looks like the update for 6.7 just came out on 2/23/2021
Have you ever seen running this upgrade process break the host/VMs - or has it really been reliable?
Yes, the update was published shortly after the Security Info Release.
I've never seen a host which has been upgraded fail, it will either complete or note complete, and in the event you need to rollback, Shift-R.
If you do not feel comfortable doing this, then update via ISO (CDROM), Update Manager or as per my EE Article.
That is the correct download, but there is a later one in Feb, you may be getting confused with the different Security issues which exist in VCSA/vCenter Server and ESXi, which were discovered at different times.
Do I have the option of SSH-ing to the console of the ESX server - or running this directly from the host?
"esxcli software profile update -p ESXi-6.7.0-20210204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"
Thank you, Thank you, Thank you!
which ever is easier for you.
If you just download all the latest patches that exist and patch ESXi and VCSA you are done, at this present time, all patches are cummulative.
ASKER
Hey there! - Odd the current build of vcenter server running on windows does not display the build # anywhere within the client. All I see is under help about and it gives the client ver of 6.5.0.5300
Do I need to check this so I know the vcenter mig from 6.5 to vcsa - will be supported by the current vcsa 6.7 iso?
(On Win Server) Under add/remove programs it shows it as ver 6.5.0.24750. Was trying to confirm if I can go to the latest build of 6.7 vcsa from vcenter - sure it shows the hosts are on 6.5.0.5310538.
Judy trying to be safe. Does it matter? If so, where else might I look? Maybe it doesn't display it in the partially functional html 5 client?
Thanks!
Do I need to check this so I know the vcenter mig from 6.5 to vcsa - will be supported by the current vcsa 6.7 iso?
(On Win Server) Under add/remove programs it shows it as ver 6.5.0.24750. Was trying to confirm if I can go to the latest build of 6.7 vcsa from vcenter - sure it shows the hosts are on 6.5.0.5310538.
Judy trying to be safe. Does it matter? If so, where else might I look? Maybe it doesn't display it in the partially functional html 5 client?
Thanks!
Hey there! - Odd the current build of vcenter server running on windows does not display the build # anywhere within the client. All I see is under help about and it gives the client ver of 6.5.0.5300
Do I need to check this so I know the vcenter mig from 6.5 to vcsa - will be supported by the current vcsa 6.7 iso?
I would not trouble yourself by trying to find it, there are enough issues with MIGRATION, if it cannot migrate it will tell you, if it does migrate without error YOU ARE VERY LUCKY!!!
Just stick in the latest VCSA ISO, and MIGRATE away...
ASKER
Andrew
Thank you so very much. Did it! VCSA on 6.7.0.46000 from the 6.5 Windows Vcenter server. However when going in via port 5480, and update it does not see the iso. I had copied the iso over to the vmfs share, and mounted it/connected but it doesnit see it. I selected checkupdates cd/url - set to autocheck also and it shows nothing. Something you can think of that I should be checking
Awesome - my friend, thank you much
Thank you so very much. Did it! VCSA on 6.7.0.46000 from the 6.5 Windows Vcenter server. However when going in via port 5480, and update it does not see the iso. I had copied the iso over to the vmfs share, and mounted it/connected but it doesnit see it. I selected checkupdates cd/url - set to autocheck also and it shows nothing. Something you can think of that I should be checking
Awesome - my friend, thank you much
try online update to update
ASKER
Hey Andrew
I am thinking it is my mistake. The build I downloaded was already 17138064, the update was 17138064, so the full install apparently already had the sec fix in it.
Back to the hosts
Thanks so very very much. Enjoy your day!
I am thinking it is my mistake. The build I downloaded was already 17138064, the update was 17138064, so the full install apparently already had the sec fix in it.
Back to the hosts
Thanks so very very much. Enjoy your day!
nothing to do....
the update panel in VAMI will let you know if there is an update to apply.
the update panel in VAMI will let you know if there is an update to apply.
ASKER
Andrew
I hope you are doing well. Thanks to you I had updated all VCSA servers, and a Vcenter to latest build
Target esxi this weekend - not clear on something with the image names.
It does seem like all image files are cumulative correct?
Secondly, I see which image file you selected "ESXi-6.5.0-20210204001-standard, I just understand the last 2 image files below - what am I missing?
Thanks and be well!
I hope you are doing well. Thanks to you I had updated all VCSA servers, and a Vcenter to latest build
Target esxi this weekend - not clear on something with the image names.
It does seem like all image files are cumulative correct?
Secondly, I see which image file you selected "ESXi-6.5.0-20210204001-standard, I just understand the last 2 image files below - what am I missing?
Thanks and be well!
no VMware Tools included
ASKER
I think I was unclear I meant the last two, I would think you would select the first two image files, what are these then? It wasn't clear
Thanks!
Thanks!
s - different patch, refer to VMware Knowledge base, which you should always do when patching.
ASKER
Hey Andrew - well for the life of me, ssh via putty wouldn't work but I was able to install it on one of the hosts for 6.5, thanks to you! Andrew - what surprised me was after rebooting, I now get a warning which I did not get before regarding cve-2018-3646. Current build 6.5 17477841, previous build 5310538 prior to the sec update.
Do you have concern over this for your servers? Thanks again!!!!!
Do you have concern over this for your servers? Thanks again!!!!!
You've not updated in a while!
You need to read up about Spectre, Meltdown and L1 Side Channel!
Yes, we have a concern, and if you NOT WHY PATCH ANYTHING!
I posted this on EE in 2019 !!!
https://www.experts-exchange.com/posts/5933/If-after-applying-VMware-vSphere-ESXi-security-update.html
You need to read up about Spectre, Meltdown and L1 Side Channel!
Yes, we have a concern, and if you NOT WHY PATCH ANYTHING!
I posted this on EE in 2019 !!!
https://www.experts-exchange.com/posts/5933/If-after-applying-VMware-vSphere-ESXi-security-update.html
ASKER
Hey Andrew I apparently need to make more time to catch up on this. So then I guess the patches are not cumulative, the latest security update will not address cve-2018-3646.
What would you suggest would be best practices, to make sure ALL critical sec updates are addressed if they are not cumulative? I have a 6.5/6.7/7.0 office.
It is time to standardize again, in terms of best practices. Thanks in advance for sharing your expertise
What would you suggest would be best practices, to make sure ALL critical sec updates are addressed if they are not cumulative? I have a 6.5/6.7/7.0 office.
It is time to standardize again, in terms of best practices. Thanks in advance for sharing your expertise
Patches are ALL cumulative, but there is a setting which needs changing, and YOU MUST read the patch info, because this patch can reduce performance!
Spectre, Meltdown, L1 Side channel, are ALL INTEL CPU BUGS!
and patches come in several parts.
Please post a new question.
Spectre, Meltdown, L1 Side channel, are ALL INTEL CPU BUGS!
and patches come in several parts.
Please post a new question.
CVE-2021-21972
reported is zero day and is rated highest.Please fix it ASAP or use workaround https://kb.vmware.com/s/article/82374
thanks,
MS