ESXi 6.5 Patch

VMware ESXi patches are cumulative: each patch bundle (.zip archive) includes all the updates from prior patches. Upload the patch bundle (zip) to a (central) datastore with the vSphere Client (prior to vSphere 6.5), the vSphere Web Client, or the ESXi Host Client.

Name: cpu-microcode; Version: 7.0.1-0.1; Vendor: VMware; Summary: CPU microcode updates; Category: bugfix; Severity: important; Bulletin: ESXi7.0.1-0.1.

Process to download ESXi/vCenter patches: to download an ESX, ESXi, VEM (patch bundles for Cisco Nexus Virtual Ethernet Module for ESX/ESXi), or vCenter Server patch, follow the steps below:

  • Go to the Customer Connect Patch Downloads page.
  • Log in with your Customer Connect credentials.

Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware ESXi is not vulnerable to Meltdown; however, VMware has released patches for Spectre. It has been speculated that patching the flaws will cause performance hits. To what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.

As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).

Update – VMware has updated patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-0004).

As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-0002) and Hypervisor-Assisted Guest Remediation (VMSA-2018-0004). For more detail on mitigation types, check out this VMware KB. In addition to hypervisor patches, VMware has also released patches for vCenter and other virtual appliances (VMSA-2018-0007). Installation instructions can be found here.

VMware Patch Numbers for Hypervisor-Specific Mitigations (VMSA-2018-0002):

  • ESXi 6.5 – ESXi650-201712101-SG
  • ESXi 6.0 – ESXi600-201711101-SG
  • ESXi 5.5 – ESXi550-201709101-SG
    • This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753

VMware Patch Numbers for Hypervisor-Assisted Mitigations (VMSA-2018-0004):

  • ESXi 6.5 – ESXi650-201803401-BG, ESXi650-201803402-BG
  • ESXi 6.0 – ESXi600-201803401-BG, ESXi600-201803402-BG
  • ESXi 5.5 – ESXi550-201803401-BG, ESXi550-201803402-BG

For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching, as other components (e.g., vCenter) may need to be patched first.

Remediate ESXi

Let’s begin! Log in to the vSphere web client and select the host or cluster for remediation. Locate the Update Manager tab and select Attach Baseline.

From the Patch Baselines, select Non-Critical and Critical Host Patches. Press OK.

Click Scan for Updates to verify compliance.

If patching is needed, the compliance status will come back as Non-Compliant.

In the non-compliant list, we can see our host is missing the ESXi650-201712101-SG patch.

Next, we will set the remediation options. Click Remediate to begin the process.

Select the patch baselines to remediate.

Select the host(s) for remediation.

Select the specific patch to apply.

In the Advanced Options section, we can schedule a specific remediation time and/or choose to ignore unsupported items.

Next, specify Host Remediation Options. Set power state options, disable removable media, and designate maintenance mode retries here.

Lastly, specify the Cluster Remediation Options. For hosts in a cluster, the remediation process runs in a sequential manner. If you prefer to run the remediation in parallel, indicate that here.

Review selections and click Finish to begin the remediation process.

Progress can be monitored in the Recent Tasks pane. Update Manager performs the following remediation items:

  • Places the host in maintenance mode, migrating virtual machines to other hosts if applicable.
  • Applies specified patch.
  • Restarts host.
  • Re-connects host to vCenter.
  • Exits host from maintenance mode.
  • Remediates additional host(s) if appropriate.

Once the remediation is complete, the baseline shows compliant.
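The same attach, scan, remediate and verify sequence can be scripted with the Update Manager cmdlets in VMware PowerCLI. This is an added example, not part of the original post; it assumes an existing Connect-VIServer session with the VMware.VumAutomation module loaded, a hypothetical cluster named Cluster01, and the default names of the two predefined host patch baselines.

```powershell
# Added example: scripted equivalent of the Update Manager wizard steps above.
# Assumes a connected PowerCLI session (Connect-VIServer) with VMware.VumAutomation.
$clusterName   = 'Cluster01'              # hypothetical cluster name
$targetPatchId = 'ESXi650-201712101-SG'   # bulletin used in this walkthrough
$baselineNames = 'Critical Host Patches (Predefined)',
                 'Non-Critical Host Patches (Predefined)'   # assumed default names

$cluster   = Get-Cluster  -Name $clusterName   -ErrorAction Stop
$baselines = Get-Baseline -Name $baselineNames -ErrorAction Stop

# Attach Baseline, then Scan for Updates.
Attach-Baseline -Entity $cluster -Baseline $baselines
Scan-Inventory  -Entity $cluster -UpdateType HostPatch

# Find the hosts whose non-compliant list contains the target bulletin.
$missing = foreach ($vmhost in ($cluster | Get-VMHost)) {
    $detail = Get-Compliance -Entity $vmhost -Baseline $baselines -Detailed
    if ($detail.NotCompliantPatches.IdByVendor -contains $targetPatchId) { $vmhost }
}
if (-not $missing) {
    Write-Host "No host in $clusterName is missing $targetPatchId"
    return
}
$missing | ForEach-Object { Write-Host "Missing ${targetPatchId}: $($_.Name)" }

# Host and Cluster Remediation Options from the wizard, as parameters.
# Note: this applies every patch the attached baselines report as missing.
$remediation = @{
    Entity                           = $cluster
    Baseline                         = $baselines
    HostPreRemediationPowerAction    = 'DoNotChangeVMsPowerState'  # power state option
    HostDisableMediaDevices          = $true                       # disable removable media
    HostFailureAction                = 'Retry'                     # maintenance mode retries
    HostNumberOfRetries              = 3
    HostRetryDelaySeconds            = 300
    ClusterEnableParallelRemediation = $false                      # sequential remediation
}
Remediate-Inventory @remediation -Confirm:$false

# Rescan and confirm the baselines now report Compliant.
Scan-Inventory -Entity $cluster -UpdateType HostPatch
Get-Compliance -Entity $cluster -Baseline $baselines |
    Select-Object Entity, Baseline, Status
```

Run it with -WhatIf in place of -Confirm:$false on Remediate-Inventory to see what would be remediated without placing any host in maintenance mode.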

From early reports, admins will want to patch Guest Operating Systems as well.
