Installing ESXi Patches via ESXCLI for Spectre / Meltdown


I recently had to patch an ESXi 6.0 server against the Spectre and Meltdown Intel vulnerabilities, and I hadn’t patched an ESXi server for a while.

Normally I find it easier just to update to a newer version via ISO. However, in this case I needed to update the backup production ESXi server, so I didn’t have that luxury.

Firstly, download the correct patch zip file to match your ESXi version.

This is VMware’s page for the Spectre vulnerability:

https://kb.vmware.com/s/article/2151126

You will need to get the correct patches from the VMware patch website. You will need a valid my.vmware.com login, but it is free to join.

https://my.vmware.com/group/vmware/patch#search

In this case, ESXi600-201711101-SG.

VMWare Patch Website

Click on the ESXi600-201711001 link and download it.

Once downloaded, open the VI Client, select the host in the main panel, right click on the datastore you want to upload the zip file to, choose “Browse Datastore”, navigate to the right directory and upload.

VMWare browse

Click on the green up arrow and upload the file.

VMWare Upload

Shut down all the VMs. If you have installed VMware Tools (which you should have done), you can do this from the VI Client using “Shut Down Guest”.

ESXi VI Client Shutdown

Once all the VMs are turned off, put the host into Maintenance mode.

VMWare maintenance mode

Then SSH to the server. For details of how to enable SSH on ESXi see this article:

https://kb.vmware.com/s/article/2004746

Navigate to the location where you saved the zip file. In our case ESXi600-201711001.zip was saved here:

/vmfs/volumes/abcderskfjfggjgjgg5h33n444/

Full path of the file: /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip

The normal command would be:

esxcli software vib update -d ESXi600-201711001.zip

Here vib is the type of software component being updated, and -d means the update comes from a depot zip file, which contains the VIB along with many other VIBs (use -v instead to point at one specific .vib file).

However, for some reason, unless you give the full path it returns an error message.

It also fails if you copy the zip file to a local file system (/ for example) and point at it there.

Therefore run this:

esxcli software vib update -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip

However, this doesn’t work either. It gives this error:

 [DependencyError]

 VIB VMware_bootbank_esx-base_6.0.0-3.79.6921384 requires vsan >= 6.0.0-3.79, but the requirement cannot be satisfied within the ImageProfile.

 VIB VMware_bootbank_esx-base_6.0.0-3.79.6921384 requires vsan << 6.0.0-3.80, but the requirement cannot be satisfied within the ImageProfile.

 Please refer to the log file for more details.

To get around this, you first need to find out which image profile is installed on the host.

Run this:

esxcli software profile get

You will get something like this, with a long list of installed VIBs. I have cut the output off before the end as it is very long.

ESXi-6.0.0-20160104001-standard

   Name: ESXi-6.0.0-20160104001-standard

   Vendor: VMware, Inc.

   Creation Time: 2016-03-09T10:45:28

   Modification Time: 2016-03-09T10:45:47

   Stateless Ready: True

   Description:

 

      For more information, see http://kb.vmware.com/kb/2135120.

 

   VIBs: ata-pata-amd 0.3.10-3vmw.600.0.0.2494585, ata-pata-atiixp 0.4.6-4vmw.600.0.0.2494585, ata-pata-cmd64x 0.2.5-3vmw.600.0.0.2494585, ata-pata-hpt3x2n 0.3.4-3vmw.600.0.0.2494585, ata-pata-pdc2027x 1.0-3vmw.600.0.0.2494585, ata-pata-serverworks 0.4.3-3vmw.600.0.0.2494585, ata-pata-sil680 0.4.8-3vmw.600.0.0.2494585, ata-pata-via 0.3.3-2vmw.600.0.0.2494585, block-cciss 3.6.14-10vmw.600.0.0.2494585, cpu-microcode 6.0.0-0.0.2494585, ehci-ehci-hcd 1.0-3vmw.600.1.26.3380124, elxnet 10.2.309.6v-1vmw.600.0.0.2494585, emulex-esx-elxnetcli 10.2.309.6v-0.0.2494585, esx-base 6.0.0-1.26.3380124, esx-dvfilter-generic-fastpath 6.0.0-0.0.2494585,

 

ESXi-6.0.0-20160104001-standard is the image name.

Now find out which image profiles the patch zip contains with this command:

esxcli software sources profile list -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip

This is the output:

Name                              Vendor        Acceptance Level

--------------------------------  ------------  ----------------

ESXi-6.0.0-20171101001s-standard  VMware, Inc.  PartnerSupported

ESXi-6.0.0-20171101001s-no-tools  VMware, Inc.  PartnerSupported

ESXi-6.0.0-20171104001-no-tools   VMware, Inc.  PartnerSupported

ESXi-6.0.0-20171104001-standard   VMware, Inc.  PartnerSupported

Now you can run the proper update with the right image profile. Run this command:

esxcli software profile update -p ESXi-6.0.0-20171104001-standard -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip

Passing -p tells ESXi which image profile to apply.

You should see:

Update Result

   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.

   Reboot Required: true

With a bunch more text underneath. You can now reboot into your newly patched OS.
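As an added example (my own script, not part of the original post), here is a POSIX shell helper that automates the profile lookup described above: it reads the installed profile name from esxcli software profile get, picks the matching full profile from the depot listing, builds the update command, and checks the profile name again after reboot. It assumes the output formats shown above, that the zip is given by its full datastore path, and that esxcli software profile update accepts --dry-run; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pick the depot profile that matches
# the installed profile's flavour, build the update command and verify after
# reboot. Parses the output formats the post shows; esxcli runs only on a host.

# First line of `esxcli software profile get` is the installed profile name.
installed_profile() {
    printf '%s\n' "$1" | head -n 1
}

# Flavour is the trailing field of the profile name (standard or no-tools).
profile_flavour() {
    case "$1" in
        *-no-tools) echo no-tools ;;
        *-standard) echo standard ;;
        *)          return 1 ;;
    esac
}

# Newest full profile of the given flavour from `esxcli software sources
# profile list -d <zip>` output; builds with an 's' suffix are security-only.
pick_depot_profile() {   # $1 = flavour, $2 = listing text
    printf '%s\n' "$2" \
      | awk -v fl="$1" '$1 ~ ("^ESXi-[0-9.]+-[0-9]+-" fl "$") { print $1 }' \
      | sort | tail -n 1
}

# $1 = target profile, $2 = full datastore path of the zip (see the post).
update_command() {
    printf 'esxcli software profile update -p %s -d %s\n' "$1" "$2"
}

# After reboot: $1 = target profile, $2 = fresh `esxcli software profile get`.
verify_patched() {
    [ "$(installed_profile "$2")" = "$1" ]
}

if [ -n "$1" ] && command -v esxcli >/dev/null 2>&1; then
    depot=$1
    cur=$(installed_profile "$(esxcli software profile get)")
    fl=$(profile_flavour "$cur") || { echo "unknown flavour: $cur" >&2; exit 1; }
    target=$(pick_depot_profile "$fl" "$(esxcli software sources profile list -d "$depot")")
    [ -n "$target" ] || { echo "no $fl profile in $depot" >&2; exit 1; }
    echo "installed $cur -> applying $target"
    # --dry-run reports what would change without touching the host; drop it
    # once the plan looks right, then reboot and re-run verify_patched.
    esxcli software profile update -p "$target" -d "$depot" --dry-run
fi
```

Run it on the host as `sh patch.sh /vmfs/volumes/<datastore>/ESXi600-201711001.zip`; without esxcli present the functions load but nothing is executed.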

Related Articles:

http://www.virtubytes.com/2017/05/04/patch-esxi-using-esxcli-commands/

http://www.virtubytes.com/2018/01/05/spectre-vulnerability-patch-vmware-esxi/