Updating the vCenter server appliance using VAMI (vCenter Appliance Management Page)

Updating the vCenter from the VAMI (vCenter Appliance Management Page) is a widely used option, since most vCenter servers are connected to the internet, and it has recently been the easiest way to update the vCenter server appliance.

How to Patch the vCSA using VAMI?

To patch the vCenter server appliance, log in to the vCenter Appliance management page: use your web browser to connect to “https://<vCSA IP Address or hostname>:5480” and log in as root. We’re accessing the appliance management and not the vCenter Server. Note the port number (5480), which is a specific port dedicated to management of the vCenter Server appliance.

Once you log in, you will see the VAMI homepage.

VAMI homepage

Perform the below four steps to update the vCenter:

  1. Click on Update
  2. Select Check CD-ROM+URL
  3. Select the latest patch in the list.
  4. Select Stage and Install.
Steps to update vCenter

Accept the Licence Agreement and click NEXT

Accept License Agreement

Check the box to join VMware’s Customer Experience Improvement Program (CEIP) and click NEXT

VMware’s Customer Experience Improvement Program

Now confirm that you have backed up the vCenter server and its databases (an offline or memory snapshot of the vCenter will suffice) and click FINISH.

Please ignore the Estimated Downtime; the entire update process takes at most 15-20 minutes to complete.

The staging and installation of the patch will now begin.

Installation of Patch

Verify from the homepage that the vCenter is updated.

With the above process, we have successfully updated the vCenter.

Updating the vCenter server appliance using iso

The offline method of updating the vCenter server appliance is useful for environments that have no direct internet access in order to avoid security risk. These environments still need to be updated or patched, which is very important.

How to download the patch iso?

We can download the patch from the VMware product patches page.

Once you reach the VMware product patches page, select VC from the drop-down menu, then select the version of your vCenter (6.5, 6.7 or 7.0). Download the latest patch in the list for the version of vCenter that you are using.

Note: when downloading the ISO to patch the vCenter server, make sure that the ISO carries the FP tag. (Refer to the image below.)

Important: You only need the latest patch, because the updates are cumulative and the latest one contains all the patches.
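A small helper for the selection rule in the note above, added here as an example and not taken from the original page or from VMware: it parses downloaded file names, keeps only FP patch ISOs for the running release, and returns the newest one. The file-name layout, the function names and the sample names (with made-up version and build numbers) are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Assumed naming convention for vCSA patch media (not stated on this page):
#   VMware-vCenter-Server-Appliance-<version>-<build>-patch-<TAG>.iso
PATCH_ISO = re.compile(
    r"^VMware-vCenter-Server-Appliance-"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)-(?P<build>\d+)-patch-(?P<tag>[A-Z]+)\.iso$"
)

class PatchIso(NamedTuple):
    name: str
    version: tuple
    build: int
    tag: str

def parse_patch_iso(name: str) -> Optional[PatchIso]:
    """Return the parsed fields, or None if the name is not a patch ISO."""
    m = PATCH_ISO.match(name)
    if not m:
        return None
    version = tuple(int(p) for p in m["version"].split("."))
    return PatchIso(name, version, int(m["build"]), m["tag"])

def pick_patch_iso(names, running_release: str) -> Optional[PatchIso]:
    """Pick the newest FP patch ISO for the running release, e.g. "6.7"."""
    release = tuple(int(p) for p in running_release.split("."))
    candidates = [
        iso for iso in map(parse_patch_iso, names)
        if iso and iso.tag == "FP" and iso.version[:2] == release
    ]
    # Patches are cumulative, so only the highest version/build is needed.
    return max(candidates, key=lambda i: (i.version, i.build), default=None)

# Constructed sample download folder; version and build numbers are made up.
DOWNLOADS = [
    "VMware-vCenter-Server-Appliance-6.7.0.10000-11111111-patch-FP.iso",
    "VMware-vCenter-Server-Appliance-6.7.0.20000-22222222-patch-FP.iso",
    "VMware-vCenter-Server-Appliance-6.7.0.20000-22222222-patch-TP.iso",  # non-FP tag
    "VMware-vCenter-Server-Appliance-7.0.1.00000-33333333-patch-FP.iso",  # other release
    "VMware-VCSA-all-6.7.0-22222222.iso",  # not a patch ISO at all
]

if __name__ == "__main__":
    chosen = pick_patch_iso(DOWNLOADS, "6.7")
    print(chosen.name if chosen else "no matching FP patch ISO found")
```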

After downloading the ISO from the Product Patches page, connect to your vSphere Client and upload the ISO to a datastore that is accessible to the vCenter server appliance. Then select the vCenter server appliance VM, connect the ISO to the VM and select the Connected option.

Log in to the vCenter Appliance management page: use your web browser to connect to https://<vCSA IP Address or hostname>:5480 and log in as root. We’re accessing the appliance itself and not the vCenter Server. Note the port number (5480), which is a specific port dedicated to management of the vCenter Server appliance.

Click on the Update menu and click Check Updates > Check CD‑ROM. The update from the attached FP ISO will show up; select Stage and Install.

Once you click the Stage and Install link, follow the assistant, which will guide you through the patch process.

You have to accept the end-user license agreement, then you might want to join the CEIP (Customer Experience Improvement Program). Click Next.

In the next screen you must check a box saying “I have backed up vCenter and its associated databases.” and then click on Finish.

Once it’s complete, the vCenter will be updated to the patch level of the attached ISO.

VMware VMSA-2021-0010 (PATCH YOUR vCENTER) – Critical

What is the VMSA-2021-0010 vulnerability?

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

IMPORTANT:

The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.

Implementation Time: Immediate

These updates fix a critical security vulnerability, and it needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.” All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.

Why are you affected by VMSA-2021-0010?

The VMSA outlines two issues that are resolved in this patch release. First, there is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.

Second, improvements were made to the vCenter Server plugin framework to better enforce plugin authentication. This affects some VMware plugins, and may also cause some third-party plugins to stop working. VMware partners have been notified and are working to test their plugins (most continue to work), but there may be a period after updating when a virtualization admin team may need to access backup, storage, or other systems through their respective management interfaces and not through the vSphere Client UI. If a third-party plugin in your environment is affected, please contact the vendor that supplied it for an update.

How to Protect your environment?

Don’t think twice: patch your vCenter immediately. This is the fastest way to resolve this problem, doesn’t involve editing files on the vCenter Server Appliance (VCSA), and removes the vulnerability completely. From there you can update any plugins as vendors release new versions.

Steps to Patch your vCenter server:

There are three ways to patch the vCenter,

To learn more about the vulnerability, please refer to the links below:

https://www.vmware.com/security/advisories/VMSA-2021-0010.html (Details about the issue and workaround).

https://via.vmw.com/vmsa-2021-0010-communities (Right place for your queries).

https://via.vmw.com/vmsa-2021-0010-blog (Official VMware Blog)