VMware vCenter Server 6.7 Update 3f

VMware vCenter Server 6.7 Update 3f

VMware released a new vCenter Server version: 6.7 Update 3f, 6.7.0.43000, build 15976714. In this article I will cover the resolved issues and I will show how easy is to update from a previous version of vCenter Server 6.7 to VMware vCenter Server 6.7 Update 3f.

In case you are looking for a plain installation of vCenter Server 6.7, you can check my other article: How to Install VCSA 6.7 (VMware vCenter Server Appliance).

Resolved Issues

This release of vCenter Server 6.7 Update 3f delivers the following patch:

  • Security Patch for VMware vCenter Server 6.7 Update 3f (VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso)

VMware vCenter Server 6.7 Update 3f resolves a critical security issue documented in security advisory VMSA-2020-0006: vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), may not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by this vulnerability if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 instances are not affected. Also vCenter Server 6.5 and 7.0 are not affected.

The identifier CVE-2020-3952 was assigned to this vulnerability.

KB article 78543 documents steps to determine if a vCenter Server 6.7 instance is vulnerable. Affected deployments will create a log entry when the vmdir service starts stating that legacy ACL mode is enabled:

2020-04-06T17:50:41.860526+00:00 info vmdird  [email protected]: ACL MODE: Legacy

Vmdir logs can be found in one of these default locations:

  • Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
  • Windows Log File Location: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log

How to Update to vCenter Server 6.7 Update 3f

I will demonstrate an online update from vCenter Appliance Management console. I logged in to the appliance management console (https://<vCSA-FQDN>:5480/ – in my case that will be https://vcenter.cloudhat.local:5480/) using the root appliance password, then I navigated to Update menu. I can see my current version is 6.7.0.42300 and I have an available update to 6.7.0.43000 (which is vCenter Server 6.7 Update 3f). I will click on “Stage and install” link.

VMware vCenter Server 6.7 Update 3f - Check Update Availability

Next step is to accept the end user license agreement (EULA). Check the “I accept…” checkbox and click on “Next”.

VMware vCenter Server 6.7 Update 3f - End User License Agreement

Then you need to decide if you join VMware Customer Experience Improvement Program. Check or uncheck “Join the VMware’s Customer Experience Improvement Program (CEIP)” and click “Next”.

VMware vCenter Server 6.7 Update 3f - Join CEIP

You can see now a downtime estimation. Confirm you have a backup of vCenter Server and click on “Finish”.

VMware vCenter Server 6.7 Update 3f - Backup Server

The wizard will pass through a series of updates while the vCenter Server is upgraded.

VMware vCenter Server 6.7 Update 3f - Installation in Progress
VMware vCenter Server 6.7 Update 3f - Stopping Services
VMware vCenter Server 6.7 Update 3f- Installing Packages

After some time we will be logged out from the appliance. Wait few minutes and then you can log back in.

VMware vCenter Server 6.7 Update 3f - Appliance Management Login

Installation is now completed!

VMware vCenter Server 6.7 Update 3f - Installation Completed

Going on the Summary page of the Appliance Management console, you can see the new version: 6.7.0.43000, build 1597614 (vCenter Server 6.7 Update 3f).

VMware vCenter Server 6.7 Update 3f - Status

Hapy VM management 🙂

Constantin Ghioc

I usually play with vRealize Automation, vRealize Orchestrator and different AWS tools. In my other life, I’m a husband and a father, an amateur photographer and a Go enthusiast.

Leave a Reply