Install VMware VCSA vCenter Appliance Photon OS Security Patches

As detailed in previous posts, VMware is committed to using Photon OS in just about every appliance it ships with its various products, and the new vCenter Server appliance is a case in point. Since Photon OS is a custom-built OS from VMware, they can keep a much more aggressive patch and support schedule. On September 22, 2017, VMware announced that it is committed to monthly patches for the vSphere VCSA vCenter appliance. This is a great change from a security perspective; historically, VCSA patches were not released that often when the appliance ran on SUSE. VMware has documented in its security response policy that patch releases will be based on vulnerability severity. Let’s take a look at how to install VMware VCSA vCenter appliance Photon OS security patches.

Current VCSA Security Patches

The following table lists the package updates contained in the first security patch for VCSA 6.5 Update 1 from VMware:

Release Date: 21 September 2017
Build Number: 6671409
Patch Name: 6.5 U1a (security fixes for PhotonOS)

Affected Package    New Package Version    CVEs Addressed
Linux               4.4.77-1               CVE-2017-11473
Httpd               2.24.27-1              CVE-2017-3167
Pycrypto            2.7a1-3                CVE-2013-7459
Linux               4.4.79-1               CVE-2017-11176
Ncurses             6.0-5                  CVE-2017-10684, CVE-2017-10685

Install VMware VCSA Security Patches GUI

The method most administrators will be familiar with for patching a VCSA appliance is the GUI. We can get to the Update functionality by browsing to the VAMI interface at https://<your vcenter IP>:5480 and choosing the Update menu option.

VCSA patch login to VAMI

Select the Update option.

VCSA VAMI GUI patch install

Under the Check Updates menu, click the Check Repository option.  This will pull updates from the online VCSA update repository.

Check online repository for patches and updates

As shown below, the 6.5.0.10100 Build Number 6671409 update is available.  We can choose to Install All Updates.

Choose to Install All Updates

We will be presented with the EULA for the update.  Click the Accept button.

Accept the End User License Agreement

You can choose whether or not you want to join the CEIP program by checking or unchecking the box.  Then click the Install button.

Configure the CEIP options

The patches are staged for installation.

VCSA patch GUI starts staging patches

The update process runs a few pre-install scripts.  You can select the Show Details button to reveal the specifics of the process.

Update GUI pre-install scripts running

The packages will begin updating after the pre-install scripts run.

Package updates start on the VCSA appliance

After the update is finished, you will see the message that a reboot is required to complete installation.

Security patches applied successfully, reboot pending

If we go back to the Update menu, the new build number is now shown; however, the reboot prompt is still displayed.

Current build shown with reboot pending

We can easily reboot from the VAMI interface by going to the Summary tab and selecting the Reboot option.

VAMI Summary tab, select Reboot

Select Yes on the reboot confirmation prompt.

Confirm VCSA reboot

Install VMware VCSA Security Patches Command Line

A very easy and powerful way to install patches on the VMware VCSA appliance is from the command line. We can pull the updates directly from the VMware online repository here as well. We can find the URL of the online repository by logging into the VCSA VAMI interface at https://<your vcenter IP>:5480 and choosing Update >> Settings. Under Repository Settings you will see the URL for the online repository; copy it for use on the command line.

Get the default repository URL for updating

Log in via SSH to your VCSA appliance. Make sure your shell is set to the default appliance shell. We will use the software-packages install --url command to stage and install the patches, passing the URL we copied from the VAMI Update settings.

Pull patches from the online default patch repository

We will see the EULA presented on the command line. You can also add the following option to accept the EULAs automatically:

software-packages install --url  --acceptEulas

Accept the license agreement

After the EULA, we type yes at the “Do you accept the terms and conditions?” question.

Type yes at the license agreement

VCSA 6.5 patches are applied, reboot the system

Enter the shutdown reboot command with a reason

After the reboot of the VCSA 6.5 appliance, we will have the latest patches/security patches installed.
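To confirm after the reboot that the appliance actually carries the package versions from the 6.5 U1a table above, here is an added example script (not from the original post or from VMware). It compares installed package versions from rpm against the table's fixed versions using a simplified rpm-style version comparison; the rpm output below is a constructed sample so the script runs offline.

```python
"""Audit a VCSA 6.5 Photon OS appliance against the 6.5 U1a security table.
Real input comes from:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
"""
import re

# Minimum fixed versions from the post's 6.5 U1a table, keyed by rpm package name.
# Linux appears twice in the table; the higher version (4.4.79-1) covers both CVEs.
FIXED = {
    "linux":    ("4.4.79-1",  ["CVE-2017-11473", "CVE-2017-11176"]),
    "httpd":    ("2.24.27-1", ["CVE-2017-3167"]),
    "pycrypto": ("2.7a1-3",   ["CVE-2013-7459"]),
    "ncurses":  ("6.0-5",     ["CVE-2017-10684", "CVE-2017-10685"]),
}

def _segments(version):
    # "2.7a1-3" -> ["2", "7", "a", "1", "3"]; digits and letters are separate segments
    return re.findall(r"\d+|[A-Za-z]+", version)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. Numeric segments compare as
    integers, alphabetic ones lexically, and a numeric segment is newer than
    an alphabetic one (so 2.7a1 sorts before 2.7.1, as rpm treats pre-releases)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_rpm_qa(text):
    """Parse '<name> <version>-<release>' lines into {name: version-release}."""
    return {p[0]: p[1] for p in (line.split() for line in text.splitlines()) if len(p) == 2}

def unpatched_cves(installed):
    """Return {package: (installed_version_or_None, [CVEs still open])}
    for every package missing or older than the fixed version."""
    findings = {}
    for pkg, (fixed, cves) in FIXED.items():
        have = installed.get(pkg)
        if have is None or vercmp(have, fixed) < 0:
            findings[pkg] = (have, cves)
    return findings

# Constructed sample of rpm output: two packages still below the fixed version.
SAMPLE = "linux 4.4.77-1\nhttpd 2.24.27-1\npycrypto 2.7a1-2\nncurses 6.0-5\n"

if __name__ == "__main__":
    for pkg, (have, cves) in unpatched_cves(parse_rpm_qa(SAMPLE)).items():
        print("{}: installed {}, still exposed to {}".format(pkg, have, ", ".join(cves)))
```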

Takeaways

The new security posture from VMware regarding Photon OS is a welcome change for anyone wanting to stay current with security updates and to patch known or zero-day vulnerabilities. Photon OS is a great platform that allows VMware to be more agile and aggressive with development and patching on all fronts. With the new monthly updates, administrators can install the VCSA vCenter appliance Photon OS security patches and stay current with the platform. As shown, the updates can easily be applied using the VAMI GUI or the command line.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
