VMware today released a new security patch, vCenter Server 6.5 U1f (build number 7801515). This release patches the vCSA operating system (Photon OS) mainly against two vulnerabilities: bounds-check bypass (Spectre-1, CVE-2017-5753) and rogue data cache load (Meltdown, CVE-2017-5754). As of now, there is still no patch for the branch target injection vulnerability (Spectre-2, CVE-2017-5715).
The new patch can already be downloaded from the My VMware portal (VMware-VCSA-all-6.5.0-7801515.iso, 3607.6 MB), but it’s not yet available on the online repository for update using the management GUI or CLI. Update 16 February 2018: the patch is available on the online repository, see below for details.
- linux 4.4.110-2
- libgcrypt 1.7.6-3
- c-ares 1.12.0-2
- ncurses 6.0-8
- libtasn1 4.12-1
- wget 1.18-3
- procmail 3.22-4
- rsync 3.1.2-4
- apr 1.5.2-7
VMware today also updated VMSA-2018-0007, the security advisory covering the Spectre and Meltdown updates for all of its virtual appliances. So far, the only patches available are for vCenter Server Appliance (the present vCenter Server 6.5 U1f) and for vSphere Integrated Containers (version 1.3.1).
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.
Update 16 February 2018 – Update To vCenter Server 6.5 U1f
Connect to the appliance management interface (port 5480) and check for available updates. In my case, you can see I’m running 220.127.116.1100 build number 7515524 (vCenter Server 6.5 U1e) and a new version is available.
Click “Install Updates”, then click “Install All Updates”. Accept the End User License Agreement. Decide if you want to join the Customer Experience Improvement Program and click “Install”. The installation begins:
After some time, the update will complete. Click OK to close the wizard and restart the appliance.
After reboot, I can see the new version listed: 18.104.22.16800 build number 7801515.
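To confirm from the appliance shell that the update actually landed, the installed Photon OS packages can be compared against the package list earlier in this post. The script below is an added example, not VMware tooling or code from the original post; it assumes that list gives the package levels shipped with U1f, that Photon RPM releases carry a `.ph1` dist tag, and it uses a simplified form of RPM version comparison on a constructed sample.

```python
import re

# Versions from the package list in this post (assumed to be the U1f levels).
EXPECTED = {
    "linux": "4.4.110-2", "libgcrypt": "1.7.6-3", "c-ares": "1.12.0-2",
    "ncurses": "6.0-8", "libtasn1": "4.12-1", "wget": "1.18-3",
    "procmail": "3.22-4", "rsync": "3.1.2-4", "apr": "1.5.2-7",
}

def _segments(s):
    # Simplified rpmvercmp: numeric runs become ints, alphabetic runs stay strings.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numeric segment is newer
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_evr(installed, expected):
    """Compare 'version-release' strings; a trailing dist tag (.phN) is ignored."""
    iv, _, ir = installed.partition("-")
    ev, _, er = expected.partition("-")
    ir = re.sub(r"\.ph\d+$", "", ir)
    return _cmp_part(iv, ev) or _cmp_part(ir, er)

def outdated(rpm_lines):
    """Return {name: installed} for listed packages that are missing or too old."""
    installed = dict(line.split() for line in rpm_lines.strip().splitlines())
    return {name: installed.get(name) for name, want in EXPECTED.items()
            if name not in installed or compare_evr(installed[name], want) < 0}

# Constructed sample of: rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """
linux 4.4.92-3.ph1
libgcrypt 1.7.6-1.ph1
c-ares 1.12.0-2.ph1
ncurses 6.0-8.ph1
libtasn1 4.12-1.ph1
wget 1.18-3.ph1
procmail 3.22-4.ph1
rsync 3.1.2-4.ph1
apr 1.5.2-7.ph1
"""

if __name__ == "__main__":
    for name, have in outdated(SAMPLE).items():
        print(f"{name}: installed {have}, expected >= {EXPECTED[name]}")
```

Note that the kernel check only works with segment-wise numeric comparison: as plain strings, 4.4.92 would sort after 4.4.110.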
If you want to follow step-by-step instructions for updating vCenter Server using the GUI, you can read How to Update vCenter Server Appliance to 6.5 Update 1b. If you would rather use the CLI to update vCSA, read How to Update vCenter Server Appliance to 6.5 Update 1d.
Happy patching 🙂