Applying NSX-V 6.4.13 patch on VMware Cloud Foundation 3.x

Article ID: 344855

Products

VMware Cloud Foundation

Issue/Introduction

This article provides guidance for applying the NSX-V 6.4.13 patch to NSX-V appliances.

Affected Versions: 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1, 3.10.2.2 and 3.11.

This applies to both VCF on VxRail, and VCF (vSAN Ready Nodes).

Symptoms:
As documented in VMSA-2022-0005, all versions of VMware NSX Data Center for vSphere (NSX-V) appliances prior to NSX-V 6.4.13 are affected by the vulnerabilities listed in the advisory.
VMware Cloud Foundation (VCF) 3.x versions 3.10.0, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1, 3.10.2.2 and 3.11 are similarly impacted by the vulnerabilities listed in the advisory.

Environment

VMware Cloud Foundation 3.10.1.1
VMware Cloud Foundation 3.11
VMware Cloud Foundation 3.10.2.1
VMware Cloud Foundation 3.10.1.2
VMware Cloud Foundation 3.10.2.0
VMware Cloud Foundation 3.10.0.0
VMware Cloud Foundation 3.10.2.2

Cause

As documented in VMSA-2022-0005, all the VMware Cloud Foundation 3.x versions are affected by the vulnerabilities listed in the advisory.

Resolution

VMware Cloud Foundation Versions | Upgrade Options
Prior to 3.10.0 | Upgrade to 3.10.0 or later and apply the steps in the Workaround section of this article.
3.10.x | Apply the steps in the Workaround section of this article.
3.11 | Apply the steps in the Workaround section of this article.


Workaround:

NSX-V 6.4.13:

Step 1: Perform the following steps on each VMware NSX-V instance deployed in your VMware Cloud Foundation environment

1. Apply the NSX-v 6.4.13 patch available at the Product Patch page to all NSX-V instances (Management & VI Domain) in the environment.

Step 2: Perform the following steps on each SDDC Manager VM deployed in your Cloud Foundation environment

1. Log in to the SDDC Manager VM via SSH and sudo to the root account

2. Verify the NSX-V version in the inventory

root@sddc-manager [ /home/vcf ]# curl localhost/inventory/nsxmanagers | json_pp

"id" : "<<NSX-v ID>>",
"version" : "<<Current NSX-v Version>>",
"status" : "ACTIVE",
"hostName" : "nsxManager.vrack.vsphere.local",
"domainId" : "7d019faf-94fd-474c-9969-e4c4433c0ca2",
"managementIpAddress" : "10.0.0.9",
"vmName" : "nsxManager",
"vcenterId" : "72c116d5-b821-4b4b-84c7-8d0ac652b637"


Please note the following details:

The "id" field in the response corresponds to <<NSX-v ID>>.
The "version" field for each NSX-v instance provides the <<Current NSX-v Version>>.

3. Use the following API call to update the NSX-v version to the hot patch version 6.4.13-19307994

root@sddc-manager [ /home/vcf ]# curl -X PATCH 'localhost/inventory/entities/<<NSX-v ID>>' -d '{"version":"6.4.13-19307994", "type":"NSXMANAGER"}' -H 'Content-Type:application/json'

4. Verify the NSX-V Version

root@sddc-manager [ /home/vcf ]# curl localhost/inventory/nsxmanagers | json_pp

[
{
"vmName" : "nsxManager",
"domainId" : "7d019faf-94fd-474c-9969-e4c4433c0ca2",
"status" : "ACTIVE",
"hostName" : "nsxManager.vrack.vsphere.local",
"id" : "<<NSX-v ID>>",
"version" : "6.4.13-19307994",
...
"managementIpAddress" : "10.0.0.9",
"vcenterId" : "72c116d5-b821-4b4b-84c7-8d0ac652b637"
}
]


5. Update the version alias using the API call below to support this async upgrade for future VCF compatible upgrades.

NOTE: This step needs to be done only once per SDDC Manager instance

curl 'http://localhost/v1/system/settings/version-aliases/NSX_MANAGER/6.4.12-19066632' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "6.4.13-19307994" ], "forceUpdate" : true}'

Note:
Every time a new VI workload domain is created, these steps need to be performed.
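
The check in steps 2 to 4, repeated across every NSX Manager record, can be scripted so that a VI workload domain added later is not missed. The following is an added example, not part of the original article or of VMware's tooling: it reads saved output of the inventory command and prints the step 3 command for each record not yet at 6.4.13-19307994. The ids and the second host name in SAMPLE are constructed, and the UUID-like id format is an assumption.

```python
import json
import re
import sys

TARGET = "6.4.13-19307994"  # hot patch version string given in step 3

# Constructed sample of `curl localhost/inventory/nsxmanagers` output.
# The ids and the second host name are made up for illustration.
SAMPLE = """[
 {"id": "11111111-1111-1111-1111-111111111111", "version": "6.4.13-19307994",
  "status": "ACTIVE", "hostName": "nsxManager.vrack.vsphere.local"},
 {"id": "22222222-2222-2222-2222-222222222222", "version": "6.4.12-19066632",
  "status": "ACTIVE", "hostName": "nsx-wld01.vrack.vsphere.local"}
]"""


def pending_updates(inventory_json, target=TARGET):
    """Return the NSX Manager records whose inventory version is not `target`."""
    records = json.loads(inventory_json)
    if isinstance(records, dict):  # tolerate a single object instead of a list
        records = [records]
    return [r for r in records if r.get("version") != target]


def patch_command(nsx_id, target=TARGET):
    """Build the step 3 command for one entity, refusing ids unsafe to quote."""
    # Assumption: ids are UUID-like; anything else is rejected, not escaped.
    if not (isinstance(nsx_id, str) and re.fullmatch(r"[A-Za-z0-9-]+", nsx_id)):
        raise ValueError("unexpected id value: %r" % (nsx_id,))
    body = json.dumps({"version": target, "type": "NSXMANAGER"})
    return ("curl -X PATCH 'localhost/inventory/entities/%s' -d '%s' "
            "-H 'Content-Type:application/json'" % (nsx_id, body))


def report(inventory_json):
    """Return printable lines: one per stale record plus its PATCH command."""
    lines = []
    for rec in pending_updates(inventory_json):
        lines.append("%s (%s) is recorded as %s" % (
            rec.get("hostName"), rec.get("id"), rec.get("version")))
        lines.append("  " + patch_command(rec.get("id")))
    return lines or ["all NSX Manager records are at " + TARGET]


if __name__ == "__main__":
    # Pipe saved inventory output in, or run with no input to use SAMPLE.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(piped if piped.strip() else SAMPLE)))
```

This compares only the version recorded in the SDDC Manager inventory; whether the patch from Step 1 was applied to the appliance itself is checked on the NSX-V instance.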


Additional Information

Impact/Risks:

If the procedure documented in the "Workaround" section is followed, the supported forward upgrade is the upcoming VCF release that would include NSX-V 6.4.13.
Ensure you use the latest skip-level upgrade tool for VCF 3.x once available.