VMware released a new vCenter Server version: 6.7 Update 3f, 6.7.0.43000, build 15976714. In this article I will cover the resolved issues and I will show how easy is to update from a previous version of vCenter Server 6.7 to VMware vCenter Server 6.7 Update 3f.
In case you are looking for a plain installation of vCenter Server 6.7, you can check my other article: How to Install VCSA 6.7 (VMware vCenter Server Appliance).
Resolved Issues
This release of vCenter Server 6.7 Update 3f delivers the following patch:
- Security Patch for VMware vCenter Server 6.7 Update 3f (VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso)
VMware vCenter Server 6.7 Update 3f resolves a critical security issue documented in security advisory VMSA-2020-0006: vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), may not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.
vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by this vulnerability if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 instances are not affected. Also vCenter Server 6.5 and 7.0 are not affected.
The identifier CVE-2020-3952 was assigned to this vulnerability.
KB article 78543 documents steps to determine if a vCenter Server 6.7 instance is vulnerable. Affected deployments will create a log entry when the vmdir service starts stating that legacy ACL mode is enabled:
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
Vmdir logs can be found in one of these default locations:
- Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
- Windows Log File Location: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log
How to Update to vCenter Server 6.7 Update 3f
I will demonstrate an online update from vCenter Appliance Management console. I logged in to the appliance management console (https://<vCSA-FQDN>:5480/ – in my case that will be https://vcenter.cloudhat.local:5480/) using the root appliance password, then I navigated to Update menu. I can see my current version is 6.7.0.42300 and I have an available update to 6.7.0.43000 (which is vCenter Server 6.7 Update 3f). I will click on “Stage and install” link.
Next step is to accept the end user license agreement (EULA). Check the “I accept…” checkbox and click on “Next”.
Then you need to decide if you join VMware Customer Experience Improvement Program. Check or uncheck “Join the VMware’s Customer Experience Improvement Program (CEIP)” and click “Next”.
You can see now a downtime estimation. Confirm you have a backup of vCenter Server and click on “Finish”.
The wizard will pass through a series of updates while the vCenter Server is upgraded.
After some time we will be logged out from the appliance. Wait few minutes and then you can log back in.
Installation is now completed!
Going on the Summary page of the Appliance Management console, you can see the new version: 6.7.0.43000, build 1597614 (vCenter Server 6.7 Update 3f).
Hapy VM management 🙂