New ESXi 5.5 patch fixes NFS bug and another serious OpenSSL bug!


Yesterday VMware finally released a fix for the nasty NFS bug that was introduced with ESXi 5.5 Update 1. Customers who were waiting to update to U1 because of this bug can now safely update their hosts and will also get protection from the OpenSSL Heartbleed bug.

But there is another reason why you should update your ESXi 5.5 hosts with this patch very soon - even if you are not affected by the NFS bug and have already applied the Heartbleed fix!

The latest ESXi 5.5 patch includes another fix for a new OpenSSL vulnerability that may reportedly be even more dangerous than the Heartbleed bug! It is known as CVE-2014-0224 and allows MitM ("Man in the Middle") attacks on SSL-encrypted connections. VMware has been investigating this and a few other new OpenSSL vulnerabilities since they became publicly known on June 5th, and they are documenting their assessment in KB2079783.

I have updated my ESXi 5.x Patch Matrix to include the new patch. And here is the quickest way to get your standalone ESXi hosts updated:

Enable SSH access on your host, log in to it (e.g. using PuTTY) and run the following commands:
# open firewall for outgoing http requests:
esxcli network firewall ruleset set -e true -r httpClient
# Install the ESXi-5.5.0-20140604001-standard image profile from the VMware Online Depot
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140604001-standard
# Reboot your host
reboot
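
A post-reboot check for the procedure above, added here as an example (not part of the original post): it confirms the host reports the patched image profile and closes the httpClient firewall ruleset that was opened only for the depot download. The function names and the parsed esxcli output layouts (a `Name:` field, a Name/Enabled table) are assumptions.

```sh
#!/bin/sh
# Added example: post-reboot check for the update procedure above.
# Function names are hypothetical; the esxcli output layouts parsed below
# (a "Name:" field, a Name/Enabled table) are assumptions.
EXPECTED_PROFILE="ESXi-5.5.0-20140604001-standard"  # profile name from the post

# Succeeds if the installed image profile is the expected one. Substring match
# tolerates a prefix such as "(Updated) " in front of the profile name.
profile_matches() {
    expected="$1"
    name=$(esxcli software profile get | awk -F': ' '/^ *Name:/ {print $2; exit}')
    case "$name" in
        *"$expected"*) return 0 ;;
        *) echo "image profile is '$name', expected '$expected'" >&2
           return 1 ;;
    esac
}

# Succeeds if the named firewall ruleset is currently enabled.
ruleset_enabled() {
    esxcli network firewall ruleset list -r "$1" |
        awk -v r="$1" '$1 == r && $2 == "true" {on = 1} END {exit !on}'
}

# Closes the outgoing HTTP ruleset that was opened only for the depot
# download, then re-reads the state instead of trusting the set command.
close_http_client() {
    if ruleset_enabled httpClient; then
        esxcli network firewall ruleset set -e false -r httpClient
    fi
    ! ruleset_enabled httpClient
}

# Full check: 0 = patched and closed, 1 = wrong profile, 2 = ruleset still open.
post_update_check() {
    profile_matches "$EXPECTED_PROFILE" || return 1
    close_http_client || return 2
    echo "OK: $EXPECTED_PROFILE installed, httpClient ruleset disabled"
}

# Run on the host as: sh post_update_check.sh --run
if [ "${1:-}" = "--run" ]; then
    post_update_check
fi
```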


This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.



4 comments:

  1. Thanks Andreas!

    Is there any way to do this with an offline file? The VMware Management VLAN in our environment is not configured to have Internet access. Thanks!

  2. Figured it out!

    1. Download patch from http://www.vmware.com/patchmgr/download.portal
    2. Copy ZIP to datastore
    3. Run this command via SSH: esxcli software profile update -d [datastore_name]folder_name/ESXi550-201406001.zip -p ESXi-5.5.0-20140604001-standard
    4. reboot

  3. If I am running an HP ESXi release, will this remove the special HP stuff?

    1. Hi JCA,

      *not* if you "esxcli software profile *update*" like mentioned in my post.

      Andreas
