At the time of writing, the latest update was update-from-esxi5.5-5.5update.zip. Before starting, you might want to back up your configuration (in case something goes wrong); see Backup and Restore ESXi Configuration with PowerCLI. Choose the ESXi embedded and installable, and the version you want to patch (5.0, 5.1 or 5.5). The typical way to apply patches to ESXi hosts is by using the VMware vSphere Update Manager. For details, see About Installing and Administering VMware vSphere Update Manager. ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Power off all virtual machines or vMotion them to a different ESX host. Place the ESX host into maintenance mode. Right-click on the ESX host, select Enter Maintenance Mode, and click Yes. Right-click on the ESX host and select Remediate Critical Host Patches and Non-Critical Host Patches baselines and click Next. ESXi 6.5 U3 May 2021 – Support Gen9 Servers and forward. For Synergy Servers, refer to. For customers already using VMware ESXi, it is recommended that you update to the latest version on their supported at your earliest convenience.
Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware ESXi is not vulnerable to Meltdown; however, VMware has released patches for Spectre. It has been speculated that patching the flaws will cause performance hits. To what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).
Update – VMware has updated patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-0004).
Process to Download ESXi/vCenter Patches: To download an ESX, ESXi, VEM (patch bundles for Cisco Nexus Virtual Ethernet Module for ESX/ESXi), or vCenter Server patch, follow the steps below: Go to the Customer Connect Patch Downloads page. Log in with your Customer Connect credentials.
As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-0002) and Hypervisor-Assisted Guest Remediation (VMSA-2018-0004). For more detail on mitigation types, check out this VMware KB. In addition to hypervisor patches, VMware has also released patches for vCenter and other virtual appliances (VMSA-2018-0007). Installation instructions can be found here.
VMware Patch Numbers for Hypervisor-Specific Mitigations (VMSA-2018-0002):
- ESXi 6.5 – ESXi650-201712101-SG
- ESXi 6.0 – ESXi600-201711101-SG
- ESXi 5.5 – ESXi550-201709101-SG
  - This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753
VMware Patch Numbers for Hypervisor-Assisted Mitigations (VMSA-2018-0004):
- ESXi 6.5 – ESXi650-201803401-BG, ESXi650-201803402-BG
- ESXi 6.0 – ESXi600-201803401-BG, ESXi600-201803402-BG
- ESXi 5.5 – ESXi550-201803401-BG, ESXi550-201803402-BG
For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching, as other components (e.g., vCenter) may need to be patched first.
Remediate ESXi
Let’s begin! Log in to the vSphere web client and select the host or cluster for remediation. Locate the Update Manager tab and select Attach Baseline.
From the Patch Baselines, select Non-Critical and Critical Host Patches. Press OK.
Click Scan for Updates to verify compliance.
If patching is needed, the compliance status will come back as Non-Compliant.
In the non-compliant list, we can see our host is missing the ESXi650-201712101-SG patch.
Next, we will set the remediation options. Click Remediate to begin the process.
Select the patch baselines to remediate.
Select the host(s) for remediation.
Select the specific patch to apply.
In the Advanced Options section, we can schedule a specific remediation time and/or choose to ignore unsupported items.
Next, specify Host Remediation Options. Set power state options, disable removable media, and designate maintenance mode retries here.
Lastly, specify the Cluster Remediation Options. For hosts in a cluster, the remediation process runs in a sequential manner. If you prefer to run the remediation in parallel, indicate that here.
Review selections and click Finish to begin the remediation process.
Progress can be monitored in the Recent Tasks pane. Update Manager performs the following remediation items:
- Places the host in maintenance mode, migrating virtual machines to other hosts if applicable.
- Applies specified patch.
- Restarts host.
- Re-connects host to vCenter.
- Exits host from maintenance mode.
- Remediates additional host(s) if appropriate.
Once the remediation is complete, the baseline shows compliant.
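The same attach, scan, remediate and verify sequence can be scripted with PowerCLI. This is an added example, not part of the original post: the vCenter and host names are placeholders, and the cmdlets are those of the VMware.VumAutomation module (older PowerCLI releases name them Attach-Baseline, Scan-Inventory and Remediate-Inventory).

```powershell
# Added example (not from the original post). Placeholder names are marked.
param([switch]$Remediate)                      # pass -Remediate to actually patch

Import-Module VMware.VumAutomation             # Update Manager cmdlets in PowerCLI
$vCenter  = 'vcenter.example.local'            # placeholder vCenter Server
$hostName = 'esxi01.example.local'             # placeholder ESXi 6.5 host
$patchId  = 'ESXi650-201712101-SG'             # patch used in this walkthrough

Connect-VIServer -Server $vCenter | Out-Null
$vmhost = Get-VMHost -Name $hostName

# Attach the predefined critical and non-critical host patch baselines.
$baselines = Get-PatchBaseline -Name 'Critical Host Patches (Predefined)',
                                     'Non-Critical Host Patches (Predefined)'
Add-EntityBaseline -Entity $vmhost -Baseline $baselines

function Get-MissingPatchId {
    # Scan the host, then return the vendor IDs of patches reported as missing.
    Test-Compliance -Entity $vmhost | Out-Null
    Get-Compliance -Entity $vmhost -Baseline $baselines -Detailed |
        ForEach-Object { $_.NotCompliantPatches } |
        Where-Object { $_ } |
        ForEach-Object { $_.IdByVendor } |
        Sort-Object -Unique
}

$missing = @(Get-MissingPatchId)
if ($missing -notcontains $patchId) {
    "$hostName does not report $patchId as missing."
    return
}
"$hostName is Non-Compliant; missing: $($missing -join ', ')"
if (-not $Remediate) { return }                # report-only run stops here

# Update Manager handles maintenance mode, the reboot and the reconnect.
# These options mirror the Host Remediation Options page of the wizard.
Update-Entity -Entity $vmhost -Baseline $baselines `
    -HostFailureAction Retry -HostNumberOfRetries 3 `
    -HostDisableMediaDevices:$true -Confirm:$false

# Rescan and fail loudly if the patch is still reported as missing.
if (@(Get-MissingPatchId) -contains $patchId) {
    throw "$patchId is still missing on $hostName after remediation."
}
"$hostName is compliant for $patchId."
```

Run it without `-Remediate` first to get the compliance report only, then again with the switch during a maintenance window.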
From early reports, admins will want to patch Guest Operating Systems as well.