The recommendation to customers on these prior VCF 3.x versions is to upgrade to the latest VCF 3.10.2.2 release.
If customers are unable to do so, this article provides guidance for upgrading just the vCenter Server appliance.
Affected Versions: 3.9.0, 3.9.1, 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1
The information contained in this article also applies to VCF on VxRail environments and to vSAN Ready Nodes.
As documented in VMSA-2021-0020, all versions of the vCenter Server 6.7 appliance prior to 6.7U3o are affected by the vulnerabilities listed in the advisory.
Since the VMware Cloud Foundation (VCF) 3.x versions prior to VCF 3.10.2.2 bundle impacted releases of vCenter Server, VCF versions 3.9.0, 3.9.1, 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2 and 3.10.2.1 are similarly impacted by the vulnerabilities listed in the advisory.
All of the documented security issues are resolved in VMware vCenter Server 6.7U3o.
VMware Cloud Foundation Version | Upgrade Options If Upgrading to 3.10.2.2 Is Not Possible |
3.9.0 or earlier | Upgrade to 3.9.0 or later and follow the respective recommended approach below |
3.9.x | Apply the steps in the Workaround section of this article |
3.10.0 | Apply the steps in the Workaround section of this article |
3.10.1.x | Apply the steps in the Workaround section of this article |
3.10.2 | Upgrade to 3.10.2.2 as documented in the Release Notes |
3.10.2.1 | Upgrade to 3.10.2.2 as documented in the Release Notes |
STEP 1: Perform the steps below on each VMware vCenter Server VM and each external PSC deployed in your VMware Cloud Foundation environment
1) Powered-off snapshots should be taken of all PSCs and VCs in the SSO domain prior to patching.
2) Apply the VMware vCenter Server 6.7 Update 3o patch available at the Product Patch page to all external PSCs and vCenter Servers (Management & VI Domain) in the environment.
STEP 2: Perform the steps below on each SDDC Manager VM deployed in your Cloud Foundation environment
1) Log in to the SDDC Manager VM via SSH and sudo to the root account
2) Get the PSC/VC ID from the VCF inventory:
To get vCenter/PSC details from the VCF inventory, run the following curl commands against the inventory API:
For vCenter Server
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 353 0 353 0 0 35300 0 --:--:-- --:--:-- --:--:-- 3530
[
{
"hostName" : "vcenter-1.vrack.vsphere.local",
"vmName" : "vcenter-1",
"id" : "<vCenter_Id>",
"version" : "<current version>",
"datastoreForVmDeploymentName" : "sfo01-m01-vsan",
"domainType" : "MANAGEMENT",
"status" : "ACTIVE",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1",
"managementIpAddress" : "10.0.0.6"
}
]
For PSC
$ curl localhost/inventory/pscs | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 756 0 756 0 0 84000 0 --:--:-- --:--:-- --:--:-- 84000
[
{
"domain" : "vsphere.local",
"bundleRepoDatastore" : "lcm-bundle-repo",
"status" : "ACTIVE",
"vmName" : "psc-2",
"hostName" : "psc-2.vrack.vsphere.local",
"id" : "<psc_Id>",
"replica" : true,
"version" : "<current version>",
"datastoreName" : "sfo01-m01-vsan",
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1",
"managementIpAddress" : "10.0.0.7",
"subDomain" : "vrack.vsphere.local"
},
{
"managementIpAddress" : "10.0.0.5",
"subDomain" : "vrack.vsphere.local",
"hostName" : "psc-1.vrack.vsphere.local",
"id" : "<psc_Id>",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domain" : "vsphere.local",
"status" : "ACTIVE",
"vmName" : "psc-1",
"datastoreName" : "sfo01-m01-vsan",
"version" : "<current version>",
"replica" : false,
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1"
}
]
The "id" field in the response corresponds to the vCenter/PSC ID.
The "version" field for each vCenter/PSC gives the version currently recorded for it.
3) Update VCF inventory for vCenter Servers and PSCs
Note: Repeat the commands below for every vCenter Server and PSC that was upgraded, using its corresponding ID.
<SDDC_Manager_FQDN> = Fully qualified domain name of the SDDC Manager.
<vCenter_Id> = ID of the vCenter Server for which the version is to be updated in the VCF inventory
<psc_Id> = ID of the PSC for which the version is to be updated in the VCF inventory
The build number of 6.7U3o is 18485166, so this is the version that needs to be inserted into the file, i.e. 6.7.0-18485166
For vCenter Server
$ curl -X PATCH '<SDDC_Manager_FQDN>/inventory/entities/<vCenter_Id>' -d '{"version":"6.7.0-18485166", "type":"VCENTER"}' -H 'Content-Type:application/json'
For PSCs
$ curl -X PATCH '<SDDC_Manager_FQDN>/inventory/entities/<psc_Id>' -d '{"version":"6.7.0-18485166", "type":"PSC"}' -H 'Content-Type:application/json'
4) Verify vCenter Server and PSC versions
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 353 0 353 0 0 35300 0 --:--:-- --:--:-- --:--:-- 35300
[
{
"hostName" : "vcenter-1.vrack.vsphere.local",
"vmName" : "vcenter-1",
"id" : "<vCenter_Id>",
"version" : "6.7.0-18485166",
"datastoreForVmDeploymentName" : "sfo01-m01-vsan",
"domainType" : "MANAGEMENT",
"status" : "ACTIVE",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1",
"managementIpAddress" : "10.0.0.6"
}
]
$ curl localhost/inventory/pscs | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 756 0 756 0 0 47250 0 --:--:-- --:--:-- --:--:-- 47250
[
{
"hostName" : "psc-2.vrack.vsphere.local",
"subDomain" : "vrack.vsphere.local",
"domain" : "vsphere.local",
"id" : "<psc_Id>",
"vmName" : "psc-2",
"version" : "6.7.0-18485166",
"datastoreName" : "sfo01-m01-vsan",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1",
"status" : "ACTIVE",
"managementIpAddress" : "10.0.0.7",
"replica" : true
},
{
"bundleRepoDatastore" : "lcm-bundle-repo",
"id" : "<psc_Id>",
"hostName" : "psc-1.vrack.vsphere.local",
"subDomain" : "vrack.vsphere.local",
"domain" : "vsphere.local",
"datastoreName" : "sfo01-m01-vsan",
"version" : "6.7.0-18485166",
"vmName" : "psc-1",
"managementIpAddress" : "10.0.0.5",
"replica" : false,
"domainId" : "68ae2add-db28-4671-9a92-f2a5b3dcaab1",
"status" : "ACTIVE"
}
]
5) Go to the SDDC Manager UI to verify the VC/PSC version after a few minutes
Note:
Repeat STEP 1 and STEP 2 for all workload domain vCenters in your Cloud Foundation environment.
Every time a new VI workload domain is created, these steps need to be performed.
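The inventory update in STEP 2, as an added Python example (not part of the original article or of VMware's tooling): it reads the JSON returned by the two inventory queries, selects the entries whose recorded build is below 18485166, and prints the matching PATCH command for each. The sample inventory, the IDs, the SDDC Manager host name and the build-number comparison are assumptions made for illustration.

```python
import json
import shlex

TARGET_VERSION = "6.7.0-18485166"  # vCenter Server 6.7U3o, as given in this article

# Constructed sample inventory shaped like the curl output above; the "id"
# values and the old version string are made-up placeholders.
SAMPLE_VCENTERS = json.loads("""[
  {"hostName": "vcenter-1.vrack.vsphere.local", "id": "example-vc-id-1",
   "version": "6.7.0-00000001", "status": "ACTIVE"}]""")
SAMPLE_PSCS = json.loads("""[
  {"hostName": "psc-1.vrack.vsphere.local", "id": "example-psc-id-1",
   "version": "6.7.0-18485166", "status": "ACTIVE"},
  {"hostName": "psc-2.vrack.vsphere.local", "id": "example-psc-id-2",
   "version": "6.7.0-00000001", "status": "ACTIVE"}]""")


def build_number(version):
    """Return the build number from a '<release>-<build>' version string."""
    _, sep, build = version.rpartition("-")
    if not sep or not build.isdigit():
        raise ValueError(f"unexpected version format: {version!r}")
    return int(build)


def stale_entities(entities, entity_type, target=TARGET_VERSION):
    """List inventory entries whose recorded build is below the target build."""
    floor = build_number(target)
    return [{"id": e["id"], "hostName": e["hostName"], "type": entity_type}
            for e in entities if build_number(e["version"]) < floor]


def patch_command(sddc_fqdn, entity, target=TARGET_VERSION):
    """Render the article's PATCH call for one entity as a shell-safe curl line."""
    body = json.dumps({"version": target, "type": entity["type"]})
    url = f"{sddc_fqdn}/inventory/entities/{entity['id']}"
    return " ".join(["curl", "-X", "PATCH", shlex.quote(url), "-d", shlex.quote(body),
                     "-H", shlex.quote("Content-Type:application/json")])


def plan(sddc_fqdn, vcenters, pscs):
    """Commands still to run; an empty list means the inventory is up to date."""
    todo = stale_entities(vcenters, "VCENTER") + stale_entities(pscs, "PSC")
    return [patch_command(sddc_fqdn, e) for e in todo]


if __name__ == "__main__":
    for line in plan("sddc-manager.example.local", SAMPLE_VCENTERS, SAMPLE_PSCS):
        print(line)
```

Run the generated commands only for appliances that were actually patched in STEP 1: the PATCH call changes the version SDDC Manager records, not the appliance itself.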