Guidelines for async application of VMware ESXi 6.7, Patch Release ESXi670-202207001 on VCF 3.10.x and 3.11.x releases


Article ID: 313836


Products

VMware Cloud Foundation

Issue/Introduction

This document provides the steps to apply VMware ESXi 6.7, Patch Release ESXi670-202207001 asynchronously on VMware Cloud Foundation (VCF) 3.10.x and 3.11.x releases.

Note:

  1. This document applies to vSAN Ready Nodes only and should not be applied to VCF on VxRail.

  2. This document covers only the application of VMware ESXi 6.7, Patch Release ESXi670-202207001. All examples below explain the steps for consuming VMware ESXi 6.7, Patch Release ESXi670-202207001 (6.7.0-19997733) on top of VCF 3.10.x and 3.11.x, and should not be used to apply any other patch.



Environment

VMware Cloud Foundation 3.11.0.1

Resolution

  • Steps to apply ESXi hot patch

The patch can be applied on ESXi hosts using VMware Update Manager (VUM) from vCenter.
VMware ESXi 6.7, Patch Release ESXi670-202207001

The following documentation provides guidelines for updating ESXi hosts using VMware Update Manager: About the Update Manager Process

Proceed to the next section only after all hosts that need to be patched have been updated.

  • Steps to update VCF inventory
The VCF inventory must be updated for every host on which the hot patch is applied via VUM, because an asynchronous update of an ESXi host does not update the host version in the VCF inventory.
  1. To update the inventory, first capture the host id of each host on which the patch was applied and the version of the ESXi patch used for the update. To get host details from the VCF inventory, log in to SDDC Manager via SSH and run the following command:

curl localhost/inventory/hosts | json_pp
Note: This returns a list of all hosts. The field "id" in each host entry corresponds to the host id.

  2. From the output, also note the version for each of the hosts.
  3. Update the VCF inventory for each host on which the patch was applied using the following command:

curl -X PATCH 'localhost/inventory/entities/<HOST_ID>' -d '{"version":"<ESXI_PATCH_VERSION>", "type":"ESXI"}' -H 'Content-Type:application/json'

<HOST_ID>  Id of the host whose version is to be updated in the VCF inventory
<ESXI_PATCH_VERSION>  Version of the ESXi patch that was applied on the hosts

Example:
<HOST_ID> - 65f5f921-768b-4043-8d4e-31b654c7fde4
<ESXI_PATCH_VERSION> - 6.7.0-19997733
curl -X PATCH 'localhost/inventory/entities/65f5f921-768b-4043-8d4e-31b654c7fde4' -d '{"version":"6.7.0-19997733", "type":"ESXI"}' -H 'Content-Type:application/json'
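
The inventory update steps above, as an added example (not part of the original article and not VMware tooling): a Python helper that takes the saved output of the inventory query plus an operator-supplied list of host ids confirmed as patched in VUM, validates them, and returns only the PATCH commands that are still needed. It assumes the response is a JSON array of host objects with "id" and "version" fields; the sample inventory and the second host id are constructed.

```python
import json
import re
import uuid

VERSION_RE = re.compile(r"\d+\.\d+\.\d+-\d+")  # e.g. 6.7.0-19997733

# Constructed sample of `curl localhost/inventory/hosts` output.
# Assumption: a JSON array of host objects with "id" and "version" fields.
SAMPLE_INVENTORY = """[
  {"id": "65f5f921-768b-4043-8d4e-31b654c7fde4", "version": "6.7.0-19195723"},
  {"id": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "version": "6.7.0-19997733"}
]"""


def plan_inventory_updates(inventory_json, patched_ids, target_version):
    """Return (commands, skipped) for hosts the operator confirmed as patched.

    Only ids listed in patched_ids are considered, so a host that was not
    patched through VUM is never recorded at the new version by accident.
    """
    if not VERSION_RE.fullmatch(target_version):
        raise ValueError(f"unexpected version format: {target_version!r}")
    hosts = {h["id"]: h for h in json.loads(inventory_json)}
    commands, skipped = [], []
    for host_id in patched_ids:
        # Accept canonical UUIDs only, so nothing else reaches the shell quoting.
        if str(uuid.UUID(host_id)) != host_id:
            raise ValueError(f"host id is not a canonical UUID: {host_id!r}")
        host = hosts.get(host_id)
        if host is None:
            skipped.append((host_id, "not in inventory"))
        elif host.get("version") == target_version:
            skipped.append((host_id, "already recorded"))
        else:
            body = json.dumps({"version": target_version, "type": "ESXI"})
            commands.append(
                f"curl -X PATCH 'localhost/inventory/entities/{host_id}' "
                f"-d '{body}' -H 'Content-Type:application/json'"
            )
    return commands, skipped


if __name__ == "__main__":
    patched = ["65f5f921-768b-4043-8d4e-31b654c7fde4",
               "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"]
    cmds, skipped = plan_inventory_updates(SAMPLE_INVENTORY, patched, "6.7.0-19997733")
    print("\n".join(cmds))
    for host_id, reason in skipped:
        print(f"skip {host_id}: {reason}")
```

Re-running the inventory query after the generated commands have been executed and passing the new output back in should yield an empty command list.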

  • Update Version Alias configuration (one-time activity per SDDC Manager instance)

To update the version aliases, run the following command:
curl -k 'http://localhost/v1/system/settings/version-aliases/ESX_HOST/<Base version of ESXI host>' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "<Applied ESXI hot patch version>" ], "forceUpdate" : true}'

<Base version of ESXI host> ESXi host version of the latest release on which the hot patch was installed.
<Applied ESXI hot patch version> The ESXi host version after successfully applying the hot patch.

Example:
<Base version of ESXI host> - 6.7.0-19195723
<Applied ESXI hot patch version> - 6.7.0-19997733
curl -k 'http://localhost/v1/system/settings/version-aliases/ESX_HOST/6.7.0-19195723' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "6.7.0-19997733" ], "forceUpdate" : true}'

Additional Information

ESXi670-202207001 is a cumulative patch and also includes the fixes for the security vulnerabilities (CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166) disclosed in VMSA-2022-0016.

After applying patches, the "forceHyperthreadingMitigation" advanced setting must be enabled in ESXi to mitigate CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166. Please refer to KB 88632 for details.