VMware Security Patching Guidelines for ESX and ESXi

Article ID: 315354

Products

VMware vSphere ESXi

Issue/Introduction

VMware has made available patches and update releases to address critical security issues for several products including ESX, ESXi, Workstation, and Player. As a best practice, VMware recommends that customers install all security patches to maximize the protection that VMware provides.

This article lists the latest security patches available for VMware ESXi and VMware ESX as of July 12, 2013. Updating to these patches allows you to achieve maximum protection. This list does not include patches made obsolete by later patches.

This article does not provide information on VMware Workstation or VMware Player. For information on securing these products as well as information on suggested Update Release levels for ESXi and ESX, see Knowledge Base article: VMware Security Patches Upgrade Guide (2019941) 


Environment

VMware ESXi 4.0.x Installable
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5
VMware ESXi 3.5.x Embedded
VMware ESXi 4.1.x Embedded
VMware ESX 4.1.x
VMware ESXi 3.5.x Installable
VMware ESXi 4.0.x Embedded
VMware ESX 4.0.x
VMware vSphere ESXi 5.1
VMware vSphere ESXi 6.0
VMware ESX Server 3.5.x
VMware ESXi 4.1.x Installable

Resolution

Security Patch Table

 
Product: ESXi

Version: 6.0
Version: 5.5
Version: 5.1
Version: 5.0

Version: 4.1
Patches:
ESXi410-201404401-SG
ESXi410-201312401-SG
ESXi410-201307401-SG
ESXi410-201304401-SG
ESXi410-201301401-SG
ESXi410-201211401-SG
ESXi410-201208101-SG
ESXi410-201208102-SG
ESXi410-201206401-SG
ESXi410-201205401-SG

Version: 4.0
Patches:
ESXi400-201404401-SG
ESXi400-201404402-SG
ESXi400-201310401-SG
ESXi400-201305401-SG
ESXi400-201302401-SG
ESXi400-201302402-SG
ESXi400-201302403-SG
ESXi400-201209401-SG
ESXi400-201206401-SG
ESXi400-201205401-SG
ESXi400-201103402-SG

Version: 3.5
Prerequisite:

June 2011 3.5 U5 roll-up

Subsequent security patches:

ESXe350-201302401-O-SG
VI Client
VMware Tools
Firmware

ESXe350-201206401-O-SG
VI Client
VMware Tools
Firmware

ESXe350-201205401-O-SG
VI Client
VMware Tools
Firmware

ESXe350-201105401-O-SG
VMware Tools
Firmware
 
Product: ESX

Version: 4.1
Patches:
ESX410-201410401-SG
ESX410-201404401-SG
ESX410-201404402-SG
ESX410-201312401-SG
ESX410-201312403-SG
ESX410-201307401-SG
ESX410-201307402-SG
ESX410-201307403-SG
ESX410-201307404-SG
ESX410-201307405-SG
ESX410-201304401-SG
ESX410-201304402-SG
ESX410-201301401-SG
ESX410-201301402-SG
ESX410-201301403-SG
ESX410-201301405-SG
ESX410-201211401-SG
ESX410-201211402-SG
ESX410-201211405-SG
ESX410-201211407-SG
ESX410-201208101-SG
ESX410-201208102-SG
ESX410-201208103-SG
ESX410-201208104-SG
ESX410-201208105-SG
ESX410-201208106-SG
ESX410-201208107-SG
ESX410-201206401-SG
ESX410-201205401-SG
ESX410-201204402-SG
ESX410-201201407-SG
ESX410-201201406-SG
ESX410-201201405-SG
ESX410-201201404-SG
ESX410-201201402-SG
ESX410-201110225-SG
ESX410-201110224-SG
ESX410-201110207-SG
ESX410-201110206-SG
ESX410-201110204-SG
ESX410-201110201-SG
ESX410-201107406-SG
ESX410-201107405-SG
ESX410-201104407-SG
ESX410-201104404-SG
ESX410-201104403-SG
ESX410-201010413-SG
ESX410-201010412-SG
ESX410-201010409-SG
ESX410-201010404-SG
ESX410-201010402-SG

Version: 4.0
Patches:
ESX400-201410401-SG
ESX400-201404401-SG
ESX400-201404402-SG
ESX400-201310401-SG
ESX400-201310402-SG
ESX400-201305401-SG
ESX400-201305402-SG
ESX400-201305403-SG
ESX400-201305404-SG
ESX400-201302401-SG
ESX400-201209401-SG
ESX400-201209402-SG
ESX400-201209404-SG
ESX400-201206401-SG
ESX400-201205401-SG
ESX400-201203407-SG
ESX400-201203406-SG
ESX400-201203405-SG
ESX400-201203404-SG
ESX400-201203403-SG
ESX400-201203402-SG
ESX400-201203401-SG
ESX400-201110410-SG
ESX400-201110409-SG
ESX400-201110408-SG
ESX400-201110406-SG
ESX400-201103407-SG
ESX400-201103405-SG
ESX400-201103404-SG
ESX400-201101404-SG
ESX400-201101402-SG
ESX400-201009411-SG
ESX400-201009407-SG
ESX400-201009406-SG
ESX400-201009402-SG
ESX400-201005407-SG
ESX400-201005405-SG
ESX400-201005404-SG
ESX400-201003403-SG
ESX400-201002407-SG
ESX400-201002406-SG
ESX400-201002404-SG
ESX400-200912404-SG
ESX400-200911239-SG
ESX400-200911234-SG
ESX400-200906411-SG

Version: 3.5
Prerequisite:

June 2011 3.5 U5 roll-up

Subsequent security patches:

ESX350-201302401-SG
ESX350-201206401-SG
ESX350-201205401-SG
ESX350-201203405-SG
ESX350-201203403-SG
ESX350-201203401-SG
ESX350-201105406-SG
ESX350-201105404-SG
ESX350-201105401-SG
ESX350-201012409-SG
ESX350-201012408-SG
ESX350-201012401-SG
ESX350-201008412-SG
ESX350-201008411-SG
ESX350-201008407-SG
ESX350-201008406-SG
ESX350-201008405-SG
ESX350-201006407-SG
ESX350-201006406-SG
ESX350-201006405-SG
ESX350-201006401-SG

 

Note: Patches are delivered in RPM or VIB format depending on the ESX/ESXi version. VMware packaging policy dictates that the content of a patch RPM or VIB is cumulative throughout the product support life cycle. For example, if you apply a bulletin containing the highest version of an ESX-base VIB for ESXi 5.0, you do not need to apply the lower versions of ESX-base VIB. All VMware patching tools are able to parse the format of a package’s version and determine the latest packages for installation based on the query baseline.

Finding and Downloading Security Patches

You can find and download patches through the Download Patch Portal or vSphere Update Manager.

  • Download Patch Portal. Go to the Download Patch Portal. Use the Search by Product area to select your product and release. Filter your search classification by Security. Your search results should list only bulletin names with an extension of –SG. Search results are in chronological order, from most recent to earliest.

    Use the Download link to download the patches you want to install. If you want only security patches published after a particular ESXi or ESX Update release, download only the patches that have a Release Date later than the Update release running on your hosts. After you download a security patch, follow the installation instructions in the Knowledge Base article that appears in the Bulletin List column of your filtered search.

  • vSphere Update Manager. Go to the Update Manager area of the vSphere Client. Update Manager downloads all patch metadata and displays the patches in the Patch Repository area of the user interface. You can identify the security patches by the –SG extension at the end of the bulletin name. Depending on the Update Manager release, you can also find security patches as follows.

    • Update Manager 5.0. Look in the Category column of the Patch Repository table.

    • Update Manager 4.x and earlier. Look in the Severity column of the Patch Repository table.

Installing ESXi and ESX Patches with Update Manager

You can apply security patches through Update Manager host remediation. To remediate a host in Update Manager, create a fixed baseline that defines the patches you want for remediation or a dynamic baseline that defines the category of patches you want for remediation. Then, remediate your hosts against the baseline.

For usage information, read the "Patch Download and Installation" section of the Knowledge Base article for the patch bulletins.

Installing ESXi and ESX Patches with Command Lines

You can install ESXi and ESX security patches by using command-line interfaces. The method and commands you use depend on the product release and whether you are working with ESXi hosts or ESX hosts.

Installing Patches on ESXi 5.0 Hosts Using the Command Line

Use esxcli commands to install an entire image profile including your security patches or to install a single VIB that contains the specific patches you want.

  • To install an entire image profile, execute the following esxcli command.

    esxcli software profile update -d <depot bundle file offline or url zip> -p <profile_name>

    Example:
    esxcli software profile update -d /vmfs/volumes/datastore/ESXi500-201205001.zip -p ESXi-5.0.0-20120504001-standard

    Note:
    Each profile is unique to a patch bundle. Refer to the patch release KB for each bundle to obtain a list of the profiles available to apply.

  • To install a single VIB containing specific security patches, execute the following esxcli command.

    esxcli software vib update -v <viburl>

    Example:
    esxcli software vib update -v http://release/bundle/vib20/tools-light/VMware_locker_tools-light_5.0.0-1.12.653509.vib

For information on using esxcli commands, expand vSphere Command-Line Interface Documentation to view discussions, concepts, and reference material on the vSphere Command-Line Interface. For usage information, read the "Patch Download and Installation" section of the Knowledge Base article for the bulletin.

Installing Patches on ESX 4.x / ESXi 4.x Hosts Using the Command Line

Use esxupdate or vihostupdate to install the patches you want. Your choice depends on whether you are working with ESX hosts or ESXi hosts.

  • You can use esxupdate to install a patch on an ESX 4.x host by executing the following command.

    esxupdate -m <metadata.zip> -b <bulletin id> update

    Example, single patch:
    esxupdate -m http://10.112.69.40/metadata.zip -b ESX410-201205401-SG update

    Example, multiple patches:
    esxupdate -m http://10.112.69.40/metadata.zip -b ESX410-201205401-SG -b ESX410-201204402-SG update

    For information on using esxupdate, see the ESX 4.1 Patch Management Guide or the ESX 4 Patch Management Guide.

  • You can use vihostupdate to install a patch on either an ESXi 4.x host or an ESX 4.x host by executing the following command from a vSphere CLI prompt.

    vihostupdate --server <server ip> --install -b <bundle zip> -B <bulletin id>

    Examples:
    vihostupdate --server 10.112.69.40 --install -b https://hostupdate.vmware.com/software/VUM/OFFLINE/release-332-20120419-828226/ESX410-201204001.zip -B ESX410-201204402-SG

    vihostupdate --server 10.112.69.40 --install -b C:\Temp\ESX410-201204001.zip -B ESX410-201204402-SG

    For information on using vihostupdate on both ESX/ESXi 4.1 hosts and ESX/ESXi 4.0 hosts, see the vSphere Command-Line Interface Installation and Scripting Guide.

For usage information, read the "Patch Download and Installation" section of the Knowledge Base article for the bulletin.
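
The –SG filter, the release-date cutoff and the multi-bulletin esxupdate syntax described above can be combined into a gap check for one host. This is an added example, not VMware code: the installed list, the depot URL, the function names and the reading of the first six ID digits as YYYYMM are assumptions.

```sh
#!/bin/sh
# Added example (not VMware code): list the -SG bulletins a host still lacks
# and print the matching esxupdate command line without running it.
# Assumption inferred from the IDs on this page: the first six digits after
# the product prefix are the release year and month (YYYYMM).

# Constructed sample: a few bulletin IDs copied from the table above.
REQUIRED="ESX410-201410401-SG
ESX410-201404401-SG
ESX410-201404402-SG
ESX410-201205401-SG
ESX410-201204402-SG
ESX400-201410401-SG"

# Constructed sample: bulletins reported as installed on a hypothetical host.
INSTALLED="ESX410-201205401-SG
ESX410-201204402-SG"

# $1 required IDs, $2 product prefix, $3 installed IDs, $4 earliest YYYYMM.
# Strict matching also keeps malformed strings out of the command built below.
# The floor is inclusive so that a same-month bulletin is never skipped.
missing_bulletins() {
    printf '%s\n' "$1" |
        grep -Ex -e "$2-[0-9]{9}(-[A-Z])?-SG" |
        grep -Fxv -e "$3" |
        awk -F- -v min="$4" 'substr($2, 1, 6) >= min'
}

# $1 metadata.zip location, $2 newline-separated bulletin IDs.
build_esxupdate_cmd() {
    [ -n "$2" ] || return 1          # nothing to install
    printf 'esxupdate -m %s' "$1"
    printf '%s\n' "$2" | while IFS= read -r b; do printf ' -b %s' "$b"; done
    printf ' update\n'
}

# depot.example.invalid is a placeholder for your own patch depot.
MISSING=$(missing_bulletins "$REQUIRED" ESX410 "$INSTALLED" 201205)
build_esxupdate_cmd "https://depot.example.invalid/metadata.zip" "$MISSING"
```

Review the printed command before running it on the host; the script only builds the line and never calls esxupdate itself.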

Installing Patches on ESX 3.5 / ESXi 3.5 Hosts Using the Command Line

Use esxupdate or vihostupdate to install the patches you want. Your choice depends on whether you are working with ESX hosts or ESXi hosts.

  • Use esxupdate to install a patch on an ESX 3.5 host by executing the following command.

    esxupdate -r <url bundle location of the> update

    Example:
    esxupdate -r http://ESXi-3.5.0-expresspatch02/ update

    For information on using esxupdate, see the ESX Server 3 Patch Management Guide.

  • Use vihostupdate to install a patch on an ESXi 3.5 host by executing the following command from a vSphere CLI prompt.

    vihostupdate --server <server ip> --install -b <bundle zip>

    For information on using vihostupdate on ESXi 3.5 hosts, see the ESX Server 3i Configuration Guide.

For usage information, read the "Patch Download and Installation" section of the Knowledge Base article for the bulletin.

Additional Information


How to Download ESXi, vCenter Server Patches in Customer Connect (1021623)