VMware has released vSphere 7 Update 3c (VCSA 7.0U3c & ESXi 7.0U3c), includes Log4j related updates

Posted by Paul Braren on Jan 28 2022 (updated on Jan 31 2022) in
  • ESXi
  • Virtualization
  • VMUGAdvantage
  • vSphere7
  • downloadvsphere7u3

    (screenshot above is of VMware's announcement)

    See also closely related article:

    VMware had to recall all vSphere 7.0 Update 3 releases back on November 19 2021, which I explained in all sorts of detail here. Today I bring much better, long-awaited news that's hot of the press from late yesterday, already lab tested by lunchtime today. I'm happy to leave those not-so-grand memories in my virtual rear view mirror, how about you? I should add that running the 7.0 Update 3b VCSA & ESXi these past few months was mostly uneventful, this wasn't a big deal for early-adopter home labs. It's worth waiting patiently for proper QA testing, and it's good that VMware was clear in quickly reassuring us there was no need to roll-back unless we had issues. Communications were pretty clear through-out actually, with assurance from VMware that early adopters were fully supported all the way, every day.

    Partial screenshot of VMware KB 2143832 on Jan 28 2022, click/tap to view the full article.

    VMware posted the great news late on Jan 27 2022:


    Let me provide this excerpt from the vCenter Server 7 Update 3c Release Notes:

    Security Issues

    • vCenter Server 7.0 Update 3c delivers the following security updates:

      • The Spring package in the vSphere Client is updated to version 5.2.4.
      • Apache Struts is updated to version
    • vCenter Server 7.0 Update 3c updates Apache httpd to address CVE-2021-40438. VMware would like to thank Saeed Kamranfar of Sotoon Security for alerting on this issue.

    • Apache log4j is updated to version 2.17 to resolve CVE-2021-44228 and CVE-2021-45046. For more information on these vulnerabilities and their impact on VMware products, please see VMSA-2021-0028.

    Seems Intel i40en driver (for Intel X710) issue should be behind folks that were affected under 7.0U3b, in my lab, that's not a NIC I have. Generally your best method for ESXi updates is still using vSphere Client upgrade including the baked-iin upgrade precheck. For my unique needs on my one host cluster, I wound up going with ESXCLI so I could get video of the process and update my ESXCLI article.

    When you're done, you'll be on:

    • VCSA 7.0.3 7.0U3c (7 Update 3c) Build 19234570 (VAMI calls it
    • ESXi 7.0.3 7.0U3c (7 Update 3c) Build 19193900


    1. The online repo for VAM updates of VCSA because available about a day after the downloads were available, as reported by @lamw at around 2:30pm eastern time, this meant a more painful and possibly problematic VCSA upgrade via ISO mounting was the only way to upgrade without waiting. My ISO mounting attempt didn't work out for me for mysterious reasons, so I just ended up rebuilding my VCSA 7.0U3c from scratch.
    2. Opening up the downloaded 9GB VMware-VCSA-all-7.0.3-19234570.iso file from VMware takes over a minute in Windows 11 as it does its safety check, even on a fast machine with NVMe storage. This leaves you wondering if something crashed, something you'll hopefully get to hear in my install video that I'll try to get published soon. You should probably get used to this new, presumably safer ISO opening behavior since it's happening with the latest Windows 11 21H2 build.
    3. Sadly, inability to mount SMB share for automatic daily VCSA backups is still not fixed in VCSA 7.0 Update 3c, see also related twitter thread and even though KB 86069 says "This issue is resolved in vCenter Server 7.0 Update 3c." I am having a new issue, "BackupManager encountered an exception. See logs for details."
      CPU Exhaustion on vcsa. "Skyline Health has detected issues in your vSphere environment"
    4. I'm getting occasional "CPU Exhaustion on vcsa" warnings in vSphere Client if I log in shortly after reboot.
    5. I'm sometimes getting low memory warnings. "Appliance is running low on memory.
      Add more memory to the machine." I did choose "Tiny" size when deploying VCSA from scratch on 1/28/2022, and I only have a couple of dozen VMs, so I'm not sure why this would be the case. This was occasionally an issue with prior 7.x releases too.
      "Could not executive Online health checks.
    6. I'm always getting "Skyline Health has detected issues in your vSphere environment" warnings, but that has been true of all vSphere 7 releases, related to side-channel mitigation that is typically not a big concern in home labs.
    7. I'm also seeing an error with Online health checks execution, "Could not executive Online health checks."
    8. The ability to change session.timeout = 0 in your
      file on your VCSA seems to no longer be effective. You will still be logged off after the default 120 minutes, but it can be changed to any value between 1 and 1440 minutes (24 hours/1 day) in the vSphere Client UI under Administration / Deployment / Client Configuration. The value of 0 worked as recently as 7.0 Update 2, described in Mark Ukotic's excellent article Session Timeout Now In The vSphere Client UI (vSphere 7 Update 2) at blog.ukotic.net, and the original method in my 2015 article. I also noticed VAMI was happy to stay open longer than 2 hours, but not vSphere Client. I have SSH'd in, changed the value to 9999, then rebooted VCSA and logged back in and waited 36 hours. It didn't work, I'm still logged off.

    You can follow me on Twitter, subscribe to my RSS feed for TinkerTry Articles about Virtualization, subscribe to my TinkerTry YouTube Channel then peruse the Virtualization Video library, and/or subscribe to my TinkerTry Weekly newsletter to be notified of updates automatically.



    See also at TinkerTry