New Security Patch – vCenter Server 6.5 U1f

VMware today released a new security patch, vCenter Server 6.5 U1f, build number 7801515. This release patches the vCSA operating system (Photon OS) mainly against two vulnerabilities: bounds-check bypass (Spectre-1, CVE-2017-5753) and rogue data cache load (Meltdown, CVE-2017-5754). As of now, there is still no patch for the branch target injection vulnerability (Spectre-2, CVE-2017-5715).

The new patch can already be downloaded from the My VMware portal (VMware-VCSA-all-6.5.0-7801515.iso, 3607.6 MB), but it’s not yet available on the online repository for updating through the management GUI or CLI. Update 16 February 2018: the patch is available on the online repository, see below for details.

Updated packages:

  • linux 4.4.110-2
  • libgcrypt 1.7.6-3
  • c-ares 1.12.0-2
  • ncurses 6.0-8
  • libtasn1 4.12-1
  • wget 1.18-3
  • procmail 3.22-4
  • rsync 3.1.2-4
  • apr 1.5.2-7
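
To confirm from the appliance shell that a vCSA actually carries these package versions, the list can be compared against what rpm reports. The script below is an added example, not code from VMware or from the original post; the names `check_packages` and `version_ge` are hypothetical, the sample input is constructed, and it assumes that the listed versions are minimums and that Photon OS appends a `.ph1` dist tag to the release field.

```shell
# Minimum versions, copied from the "Updated packages" list in the post.
REQUIRED='linux 4.4.110-2
libgcrypt 1.7.6-3
c-ares 1.12.0-2
ncurses 6.0-8
libtasn1 4.12-1
wget 1.18-3
procmail 3.22-4
rsync 3.1.2-4
apr 1.5.2-7'

# version_ge A B: true when A sorts at or after B in version order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_packages: reads "name version-release" lines on stdin and prints one
# finding per listed package that is missing or older than its minimum.
# Returns 0 only when every listed package meets its minimum.
check_packages() {
    local installed name want have rc=0
    installed="$(cat)"
    while read -r name want; do
        # Highest installed version of this package, dist tag (assumed .ph1) removed.
        have="$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { sub(/\.ph[0-9]+.*$/, "", $2); print $2 }' |
            sort -V | tail -n 1)"
        if [ -z "$have" ]; then
            echo "MISSING $name (want >= $want)"; rc=1
        elif ! version_ge "$have" "$want"; then
            echo "OUTDATED $name $have (want >= $want)"; rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return "$rc"
}

# Constructed sample of an appliance that has not been patched (not real output).
SAMPLE_OLD='linux 4.4.88-1.ph1
libgcrypt 1.7.6-3.ph1
wget 1.18-2.ph1
rsync 3.1.2-4.ph1'

# On the appliance the input would come from rpm:
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' | check_packages
```

Several kernel packages can be installed side by side, which is why the check takes the highest installed version of each name; the kernel actually running after the reboot is a separate question.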

VMware today also updated VMSA-2018-0007, the security advisory covering all of its virtual appliance updates for the Spectre and Meltdown vulnerabilities. So far, the only patches available are for vCenter Server Appliance (the present vCenter Server 6.5 U1f) and for vSphere Integrated Containers (version 1.3.1).

You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.

Update 16 February 2018 – Update To vCenter Server 6.5 U1f

Connect to the appliance management interface (port 5480) and check for available updates. In my case, you can see I’m running build number 7515524 (vCenter Server 6.5 U1e) and a new version is available.

vCenter Server 6.5 U1f - Update

Click “Install Updates”, then click “Install All Updates”. Accept the End User License Agreement. Decide if you want to join the Customer Experience Improvement Program and click “Install”. The installation begins:

vCenter Server 6.5 U1f - Installing Updates

After some time, the update will complete. Click OK to close the wizard and restart the appliance.

vCenter Server 6.5 U1f - Update Completed

After reboot, I can see the new version listed: build number 7801515.

vCenter Server 6.5 U1f

If you want to follow step-by-step instructions for updating vCenter Server using the GUI, you can read How to Update vCenter Server Appliance to 6.5 Update 1b. If you would rather use the CLI to update vCSA, read How to Update vCenter Server Appliance to 6.5 Update 1d.

Happy patching 🙂

Constantin Ghioc
