How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1g (VCSA 6.5 U1g) with Spectre mitigation
As covered earlier at TinkerTry, patching for the branch target injection vulnerability known as Spectre-2 requires you to patch your:
- VCSA/vCenter (this article)
- ESXi server(s)
- Each VM operating system
- Each server's BIOS/firmware
This article is an update to my recent article that has the full VCSA upgrade procedure with screenshots, step-by-step:
You'll want to read the following Release Notes in full before getting started:
- VMware vCenter Server 6.5 Update 1g Release Notes
vCenter Server 6.5 Update 1g | 20 MAR 2018 | ISO Build 8024368
...
What's New
vCenter Server 6.5 Update 1g addresses issues that have been documented in the Resolved Issues section and Photon OS security vulnerabilities. For more information, see VMware vCenter Server Appliance Photon OS Security Patches.
Patches Contained in This Release
vCenter Server 6.5 Update 1g delivers the following patch. See the VMware Patch Download Center for more information on downloading patches.
- VMware-vCenter-Server-Appliance-6.5.0.15000-8024368-patch-FP.iso
...
- VMware-vCenter-Server-Appliance-6.5.0.15000-8024368-patch-FP.iso
Once you've finished the upgrade, your VAMI UI will show you're at 6.5.0.15000 Build Number 8024368.
Video
Mar 24 2018 Update
Title change, from:
How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1g (VCSA 6.5 U1g) for hypervisor-assisted guest mitigation of CVE-2017-5715
to
How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1g (VCSA 6.5 U1g) with Spectre mitigation
See also at TinkerTry
- vSphere 6.5 Core Storage white paper - one home virtualization lab enthusiast's perspective
Dec 07 2016
See also
- My vSphere 6.5 Upgrade Checklist – painful
Jan 29 2017 by Michael White at Notes from MWhite
Hypervisor-Assisted Guest Remediation
- VMSA-2018-0004.3
VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue
Jan 09 2018 at VMware Security Advisories, updated Mar 03 2018...
1. Summary
VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.
The mitigations in this advisory are categorized as Hypervisor-Assisted Guest Mitigations described by VMware Knowledge Base article 52245.
2. Relevant Products
VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
New speculative-execution control mechanism for Virtual Machines
Updates of vCenter Server, ESXi, Workstation and Fusion virtualize the new speculative-execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (Guest OS) can remediate the Branch Target Injection issue (CVE-2017-5715). This issue may allow for information disclosure between processes within the VM.
...
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Here are the 2 patches for VCSA and ESXi 6.5 that the table above points to, hyperlinked for you:
- VCSA 6.5 U1g available here, and Release Notes.
Name: VMware-VCSA-all-6.5.0-8024368.iso | Release Date: 2018-03-20 | Build Number: 8024368
- ESXi 6.5: ESXi650-201803401-BG KB52460 and ESXi650-201803402-BG KB52461 are both seen here, with ESXi Build Number 7967591 KB52456.
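Once VCSA, ESXi, firmware and the guest OS are all patched, the result can be checked from inside a Linux VM. The script below is an added example, not from this article or from VMware: it reports whether the virtualized speculative-execution controls are visible to the VM and whether the guest kernel considers Spectre-2 mitigated. The function names are hypothetical, and the `ibrs`/`ibpb`/`stibp` flag names and the sysfs `spectre_v2` file assume a guest kernel recent enough to report them.

```shell
#!/bin/sh
# Added example (not from the article): run inside a Linux guest after patching
# VCSA and ESXi. Assumes mainline flag names (ibrs/ibpb/stibp) and the sysfs
# spectre_v2 report; older distro kernels may name these differently.

# has_spec_ctrl CPUINFO -> exit 0 if the vCPU advertises the new controls
has_spec_ctrl() {
    grep -m1 '^flags' "$1" 2>/dev/null | tr ' \t' '\n\n' |
        grep -Eqx 'ibrs|ibpb|stibp'
}

# kernel_status SYSFS_FILE -> prints mitigated | vulnerable | unknown
kernel_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        Vulnerable*)                 echo vulnerable ;;
        Mitigation*|"Not affected"*) echo mitigated ;;
        *)                           echo unknown ;;
    esac
}

# assess CPUINFO SYSFS_FILE -> one-line verdict naming the layer to look at
assess() {
    k=$(kernel_status "$2")
    if ! has_spec_ctrl "$1"; then
        # Host side (ESXi patch, BIOS/firmware) has not exposed the mechanism.
        echo "check-host: controls not exposed to this VM (kernel: $k)"
        return 0
    fi
    case "$k" in
        mitigated)  echo "ok: controls exposed, guest kernel mitigated" ;;
        vulnerable) echo "patch-guest: controls exposed, kernel reports Vulnerable" ;;
        *)          echo "check-guest: controls exposed, no spectre_v2 report" ;;
    esac
}

# Demo on constructed sample data (not captured from a real system).
demo=$(mktemp -d)
printf 'flags\t\t: fpu sse2 hypervisor ibrs ibpb stibp\n' > "$demo/cpuinfo"
printf 'Mitigation: Full generic retpoline, IBPB\n' > "$demo/spectre_v2"
assess "$demo/cpuinfo" "$demo/spectre_v2"
rm -rf "$demo"
# On a real guest:
# assess /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/spectre_v2
```

A `check-host` verdict points back at the ESXi and BIOS/firmware layers in the list at the top of this article; `patch-guest` means the guest OS update is the missing piece.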