INSTALLING ESXi PATCHES FOR SPECTRE / MELTDOWN
I recently had to patch against Spectre and Meltdown Intel vulnerabilities on an ESXi 6.0 server and hadn’t patched an ESXi server for a while.
Normally I find it easier just to update to a newer version via ISO. However in this case I needed to update the backup production ESXi server so I didn’t have this luxury.
Firstly, download the correct patch zip file to match your OS version.
This is the vulnerability website for Spectre:
You will need to get the correct patches from the VMWare patch website. You will need a valid login to my.vmware.com but it is free to join.
In this case, ESXi600-201711101-SG
Click on the ESXi600-201711001 link and download.
Once downloaded, open the VI Client and select the main panel, right click on the datastore you want to upload the zip file to and “browse Datastore” to the right directory and upload.
Click on the up green arrow and upload file
Shutdown all the VMs – if you have installed VMWare Tools (which you should have done), You can access via the VI Client and shutdown using the “shut down guest”.
Once all the VMs are turned off, go into Maintenance mode –
Then SSH to the server – for details of how to set this up on ESXi see this article:
Navigate to the location where you saved the zip file – in our case ESXi600-201711001.zip, which was saved here:
Full path of the file – /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip
The normal command would be:
esxcli software vib update -d ESXi600-201711001.zip
This is comprised of vib which is the type of file you are using to update the software, then -d as a zip file – the vib is contained within it with many other vibs (-v for one specific .vib file)
However, for some reason, unless you put in the full path it gives you an error message.
If you copy the zip file to a local file system (/ for example) it fails.
Therefore run this:
esxcli software vib update -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip
However, this doesn’t work either. It gives this error:
VIB VMware_bootbank_esx-base_6.0.0-3.79.6921384 requires vsan >= 6.0.0-3.79, but the requirement cannot be satisfied within the ImageProfile.
VIB VMware_bootbank_esx-base_6.0.0-3.79.6921384 requires vsan << 6.0.0-3.80, but the requirement cannot be satisfied within the ImageProfile.
Please refer to the log file for more details.
In order to get around this you need to run this command to find out what type of image you have installed on the image.
esxcli software profile get
You will get something like this with a lot of installed VIBs installed – I have cut off before the end of the output as it is very long.
Vendor: VMware, Inc.
Creation Time: 2016-03-09T10:45:28
Modification Time: 2016-03-09T10:45:47
Stateless Ready: True
For more information, see http://kb.vmware.com/kb/2135120.
VIBs: ata-pata-amd 0.3.10-3vmw.600.0.0.2494585, ata-pata-atiixp 0.4.6-4vmw.600.0.0.2494585, ata-pata-cmd64x 0.2.5-3vmw.600.0.0.2494585, ata-pata-hpt3x2n 0.3.4-3vmw.600.0.0.2494585, ata-pata-pdc2027x 1.0-3vmw.600.0.0.2494585, ata-pata-serverworks 0.4.3-3vmw.600.0.0.2494585, ata-pata-sil680 0.4.8-3vmw.600.0.0.2494585, ata-pata-via 0.3.3-2vmw.600.0.0.2494585, block-cciss 3.6.14-10vmw.600.0.0.2494585, cpu-microcode 6.0.0-0.0.2494585, ehci-ehci-hcd 1.0-3vmw.600.1.26.3380124, elxnet 10.2.309.6v-1vmw.600.0.0.2494585, emulex-esx-elxnetcli 10.2.309.6v-0.0.2494585, esx-base 6.0.0-1.26.3380124, esx-dvfilter-generic-fastpath 6.0.0-0.0.2494585,
ESXi-6.0.0-20160104001-standard is the image name.
Now find out what images the updates patches with this command:
esxcli software sources profile list -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip
This is the output:
Name Vendor Acceptance Level
——————————– ———— —————-
ESXi-6.0.0-20171101001s-standard VMware, Inc. PartnerSupported
ESXi-6.0.0-20171101001s-no-tools VMware, Inc. PartnerSupported
ESXi-6.0.0-20171104001-no-tools VMware, Inc. PartnerSupported
ESXi-6.0.0-20171104001-standard VMware, Inc. PartnerSupported
Now you can run the proper upgrade with the right image – run this command:
esxcli software profile update -p ESXi-6.0.0-20171104001-standard -d /vmfs/volumes/abcderskfjfggjgjgg5h33n444/ESXi600-201711001.zip
This way ESXi knows which image to apply.
You should see:
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
With a bunch more text underneath. You can now reboot with your new patched OS>