Install VMware VCSA vCenter Appliance Photon OS Security Patches

As we have detailed in previous posts, VMware is committed to using Photon OS in just about all the appliances it now ships with its various products, and the new vCenter Server appliance is a case in point. Since Photon OS is a custom-built OS from VMware, they can keep a much more aggressive patch and support schedule. VMware announced on September 22, 2017 that they are committed to monthly patches for the vSphere VCSA vCenter appliance. This is a great change from a security perspective, as historically VCSA patches were not released that often when the appliance ran on SuSE. VMware has documented in their security response policy that patch releases will be based on vulnerability severity. Let's take a look at how to install VMware VCSA vCenter appliance Photon OS security patches.

Current VCSA Security Patches

The first security update for VCSA 6.5 Update 1 from VMware contains the following patches:

Release Date: 21 September 2017
Build Number: 6671409
Patch Name: 6.5 U1a (security fixes for PhotonOS)

Affected Package    New Package Version    CVEs Addressed
Linux               4.4.77-1               CVE-2017-11473
Httpd               2.24.27-1              CVE-2017-3167
Pycrypto            2.7a1-3                CVE-2013-7459
Linux               4.4.79-1               CVE-2017-11176
Ncurses             6.0-5                  CVE-2017-10684, CVE-2017-10685

Install VMware VCSA Security Patches GUI

The method most administrators will be familiar with for patching a VCSA appliance is the GUI. We can get to the Update functionality by browsing to the VAMI interface at https://<your vcenter IP>:5480 and choosing the Update menu option.

Screenshot: VCSA patch login to VAMI

Select the Update option.

Screenshot: VCSA VAMI GUI patch install

Under the Check Updates menu, click the Check Repository option. This pulls the list of available updates from the online VCSA update repository.

Screenshot: Check online repository for patches and updates

As shown below, the 6.5.0.10100 update (Build Number 6671409) is available. We can choose Install All Updates.

Screenshot: Choose to Install All Updates

We will be presented with the EULA for the update.  Click the Accept button.

Screenshot: Accept the End User License Agreement

You can choose whether or not to join the CEIP program by checking or unchecking the box. Then click the Install button.

Screenshot: Configure the CEIP options

The patches are staged for installation.

Screenshot: VCSA patch GUI starts staging patches

The update process runs a few pre-install scripts. You can click the Show Details button to reveal the specifics of the process.

Screenshot: Update GUI pre-install scripts running

The packages will begin updating after the pre-install scripts run.

Screenshot: Package updates start on the VCSA appliance

After the update is finished, you will see the message that a reboot is required to complete installation.

Screenshot: Security patches applied successfully, reboot pending

If we go back to the Update menu, the new build number is now shown; however, the reboot prompt is still displayed.

Screenshot: Current build shown, reboot pending

We can easily reboot from the VAMI interface by going to the Summary tab and selecting the Reboot option.

Screenshot: VAMI Summary tab, select Reboot

Select Yes at the reboot-the-system prompt.

Screenshot: Confirm VCSA reboot

Install VMware VCSA Security Patches Command Line

A very easy and powerful way to install patches on the VMware VCSA appliance is from the command line, and we can pull the updates directly from the VMware online repository as well. To find the URL of the online patch repository, log into the VCSA VAMI interface at https://<your vcenter IP>:5480 and choose Update >> Settings. Under Repository Settings you will see the URL for the online repository. Copy it for use from the command line.

Screenshot: Get the default repository URL for updating

Log in via SSH to your VCSA appliance. Make sure your shell is set to the default appliance shell. We will use the software-packages install --url <repository URL> command to stage and install the patches, passing the URL we copied from the VAMI Update settings.

Screenshot: Pull patches from the online default patch repository

The EULA is presented at the command line. You can also use the command shown below to accept the EULAs automatically:

Screenshot: Accept the license agreement

After the EULA, we type yes at the "Do you accept the terms and conditions?" question.

Screenshot: Type yes at the license agreement

Screenshot: VCSA 6.5 patches are applied, reboot the system

Screenshot: Enter the shutdown reboot command with a reason

After the VCSA 6.5 appliance reboots, the latest security patches are installed.
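A quick way to confirm that the patch actually landed after the reboot is to compare the installed package versions against the fixed versions from the 6.5 U1a release table earlier in this post. The script below is an added example written for this post, not VMware's own tooling. It is run from the appliance's bash shell (not the appliance shell used for software-packages) and reads the output of rpm -qa, since Photon OS is RPM based. The package names are taken from the table as printed and are assumed to match the RPM package names on the appliance; the sample inventories embedded in the script are constructed for illustration, and the version comparison is a simplified version of the rpm rules, sufficient for the versions on this page.

```python
"""Check that the Photon OS packages patched in VCSA 6.5 U1a (build 6671409)
are at or above the fixed versions from the release table in this post.

Added example for this post, not VMware's own tooling. Reads `rpm -qa` style
output and compares each package against the fixed version using a simplified
RPM version comparison. Package names come from the post's table and are
assumed to match the RPM package names on the appliance.
"""
import re
import subprocess
import sys

# Fixed versions and CVEs from the 6.5 U1a release table on this page.
# The Linux kernel is listed twice because two kernel updates are included.
FIXES = [
    ("linux",    "4.4.77-1",  ["CVE-2017-11473"]),
    ("httpd",    "2.24.27-1", ["CVE-2017-3167"]),
    ("pycrypto", "2.7a1-3",   ["CVE-2013-7459"]),
    ("linux",    "4.4.79-1",  ["CVE-2017-11176"]),
    ("ncurses",  "6.0-5",     ["CVE-2017-10684", "CVE-2017-10685"]),
]

# Constructed samples of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output; not captured from a real appliance.
SAMPLE_BEFORE_PATCH = """\
linux 4.4.77-1
httpd 2.24.26-1
pycrypto 2.7a1-2
ncurses 6.0-5
"""
SAMPLE_AFTER_PATCH = """\
linux 4.4.79-1
httpd 2.24.27-1
pycrypto 2.7a1-3
ncurses 6.0-5
"""


def _segments(version):
    """Split '2.7a1-3' into ['2', '7', 'a', '1', '3'] for segment-wise comparison."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def vercmp(a, b):
    """Return -1, 0 or 1 comparing two version-release strings the way rpm does
    for simple cases: numeric segments compare as integers, alphabetic ones
    lexically, a numeric segment ranks above an alphabetic one, and when all
    shared segments are equal the version with more segments is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:
            return 1 if x_num else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm_qa(text):
    """Turn 'NAME VERSION-RELEASE' lines into {name: version-release}."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0].lower()] = parts[1]
    return installed


def unpatched(installed):
    """List (package, installed_version, required_version, cves) for every fix
    the appliance has not reached. A package missing from the inventory is
    reported with installed_version None rather than silently skipped."""
    gaps = []
    for name, required, cves in FIXES:
        have = installed.get(name)
        if have is None or vercmp(have, required) < 0:
            gaps.append((name, have, required, cves))
    return gaps


def live_inventory():
    """Query the real package database (run from the appliance's bash shell)."""
    proc = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
        stdout=subprocess.PIPE, universal_newlines=True, check=True,
    )
    return parse_rpm_qa(proc.stdout)


if __name__ == "__main__":
    # Pass --live on the appliance to check the real inventory; otherwise the
    # constructed pre-patch sample is used so the script runs anywhere.
    inventory = live_inventory() if "--live" in sys.argv else parse_rpm_qa(SAMPLE_BEFORE_PATCH)
    gaps = unpatched(inventory)
    for name, have, required, cves in gaps:
        print("{}: installed {}, need >= {} ({})".format(
            name, have or "not found", required, ", ".join(cves)))
    print("all listed fixes present" if not gaps else "{} fix(es) missing".format(len(gaps)))
```

Run with --live on the appliance after the reboot; an empty gap list means every package in the table is at or above its fixed version. Reporting a package that is absent from the inventory, rather than skipping it, keeps a renamed or removed package from being mistaken for a patched one.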

Takeaways

The new security posture from VMware regarding Photon OS is a welcome change for anyone wanting to stay current with security updates and patch known or zero-day vulnerabilities. Photon OS is a great platform that allows VMware to be more agile and aggressive with development and patching on all fronts. With the new monthly updates, administrators can install the VCSA vCenter appliance Photon OS security patches and stay current with the platform. As shown, the updates can easily be applied using either the VAMI GUI or the command line.