In the meantime the only workaround is to downgrade your hosts to ESXi 5.5 GA (without Update 1). But how do you do this without re-installing ESXi?
You cannot do this through Update Manager, but you can do it through esxcli, as follows.
Enable SSH access on your host, log in to it (e.g. using putty) and run the following commands:
# open firewall for outgoing http requests:
esxcli network firewall ruleset set -e true -r httpClient
# Install the ESXi 5.5 pre-U1 Heartbleed Fix Image Profile from the VMware Online depot
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140401020s-standard --allow-downgrades
# Reboot your host
reboot

This will downgrade the host to the ESXi 5.5 GA version plus all security fixes that were released since then, including the fix for the Heartbleed bug! If you are interested in a detailed overview of what package versions are included in each ESXi patch level then have a look at my ESXi VIB Matrix!
By the way: If you are not yet on ESXi 5.5 U1 and just want to apply the Heartbleed fix - but not U1 (because of the NFS bug) - then you can use the exact same commands (but may omit the --allow-downgrades option, because it is not needed then).
Another note: If you have 3rd-party VIBs installed then these will not be touched by this procedure. That means it is safe to use this method even if you have installed your hosts with the HP Customized installation ISO or have manually added other additional custom packages.
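As an added example (not code from the original post or from VMware), the following POSIX sh helpers turn the rules stated above and in the comments into a check you can run before touching a host: they read the esx-base VIB version string, tell whether the host is on the Update 1 line (in which case --allow-downgrades is required) or on the GA line (in which case it is not), and print the matching esxcli command for either the online depot or an offline bundle on a datastore. The version layout "5.5.0-<line>.<n>.<build>" with line 0 = GA and line 1 = Update 1 is taken from the two sample strings in the comments; the function names, the sample datastore path and the self-check inputs are my own assumptions. Nothing in the block contacts a host.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware. Decides which
# variant of the post's esxcli command applies, based only on the esx-base
# VIB version string explained in the comment thread.
# Assumption: layout "5.5.0-<line>.<n>.<build>", line 0 = GA, line 1 = Update 1.

DEPOT_URL='https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml'
PROFILE='ESXi-5.5.0-20140401020s-standard'

# esxbase_line VERSION -> prints 0 (GA line) or 1 (Update 1 line); fails otherwise
esxbase_line() {
    rel="${1#5.5.0-}"
    [ "$rel" != "$1" ] || return 1          # prefix missing: not a 5.5.0 string
    line="${rel%%.*}"
    case "$line" in
        0|1) printf '%s\n' "$line" ;;
        *)   return 1 ;;
    esac
}

# esxbase_build VERSION -> prints the trailing build number
esxbase_build() {
    printf '%s\n' "${1##*.}"
}

# needs_allow_downgrades VERSION -> exit 0 if the host is on U1 (a real downgrade)
needs_allow_downgrades() {
    [ "$(esxbase_line "$1")" = "1" ]
}

# update_command VERSION SOURCE -> prints the esxcli command line to run.
# SOURCE is the online depot URL or, behind a proxy, the full datastore path
# of the offline bundle (the comments name ESXi550-201404020).
update_command() {
    ver="$1"; src="$2"
    esxbase_line "$ver" >/dev/null || {
        echo "unrecognised esx-base version: $ver" >&2
        return 1
    }
    cmd="esxcli software profile update -d $src -p $PROFILE"
    if needs_allow_downgrades "$ver"; then
        cmd="$cmd --allow-downgrades"
    fi
    printf '%s\n' "$cmd"
}

# Self-check with the two version strings quoted in the comments (constructed input;
# on a live host the string would come from 'esxcli software vib get -n esx-base').
for v in 5.5.0-1.15.1623387 5.5.0-0.15.1746974; do
    printf '%s: line %s, build %s\n' "$v" "$(esxbase_line "$v")" "$(esxbase_build "$v")"
    update_command "$v" "$DEPOT_URL"
done
```

The point the helpers make explicit is the one from the comments: build 1746974 is numerically higher than U1's 1623387, so a comparison of build numbers alone would call the GA+Heartbleed-fix host the newer one; only the second field of the full esx-base version string says which line the host is on, and that field is what decides whether --allow-downgrades is needed.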
This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz.
Follow him on Twitter to keep up to date with what he posts.
Thanks very much for documenting and sharing this Andreas! Just used this to downgrade some systems in the work lab. Much appreciated :)
Hi Andreas,
I have the problem that I'm sitting behind a firewall which is not under my control.
Is there a way to "Downgrade" with an offline Bundle?
I found no way to pass the firewall / proxy with my esxi Hosts and I think the offline bundle is the last chance for me to downgrade without reinstalling the hosts.
Hi Anonymous,
Yes, download the patch bundle ESXi550-201404020 from http://www.vmware.com/go/downloadpatches and upload it to a datastore of your hosts.
Then use the same command, but replace the https://... URL with the full file path of the patch bundle.
Andreas
Is it possible to get a statement that this patch ESXi-5.5.0-20140401020s-standard does not contain any performance enhancements from Update 1, only security fixes?
Does 1746974 contain any performance enhancements from Update 1 or only the security patches?
Hi Anonymous,
No.
ESXi-5.5.0-20140401020s-standard (= Build 1746974) is the ESXi 5.5 GA code plus all security fixes, but it does not contain any non-security fixes/enhancements.
Andreas
What build number should I have after the downgrade? Is 1746974 U1 or GA?
You should have build number 1746974. This is neither GA nor U1.
1746974 is a higher build number than the build number of U1 (which is 1623387), but that is irrelevant, because the complete truth is only in the complete version string of the esx-base VIB. And this is 5.5.0-1.15.1623387 for U1 and 5.5.0-0.15.1746974 for GA+Heartbleedfix.
For an instant reference please look at my ESXi 5.x Patch Matrix!
Or in other words: 1746974 = GA + Heartbleedfix
Thanks a lot! I've got the correct one!
Looks like the issue has been addressed
ReplyDeletehttp://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2077360
Yes. See my post here: http://www.v-front.de/2014/06/new-esxi-55-patch-fixes-nfs-bug-and.html