Please note: The out-of-band patch for the Heartbleed issue is provided as two different Offline patch bundles. One includes only the security fixes of the recently released ESXi 5.5 Update 1 package plus the Heartbleed fix (see KB2076589). The other includes the complete ESXi 5.5 Update 1 package, the Heartbleed fix and some new functional fixes (updated VMware Tools and a fixed lsi-mr3 driver, see KB2076120). So you could also consider this an update to Update 1, or an Update 1a ... Let's see if VMware will also update the ESXi 5.5 Update 1 ISO download to include these fixes.
Anyway, head over to the VMware Patch Download page to download the latest fixes!
I will soon update my ESXi VIB Matrix to include these latest ESXi 5.5 builds.
Update 2014-04-19:
And before someone asks this in the comments of this post ... here is how to update your standalone host with the Heartbleed patch ;-)
Enable SSH access on your host, log in to it (e.g. using putty) and run the following commands:
    # open firewall for outgoing http requests:
    esxcli network firewall ruleset set -e true -r httpClient
    # Install the ESXi 5.5 U1 Heartbleed Imageprofile from the VMware Online depot
    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard
    # Reboot your host
    reboot
Update 2014-04-19a:
VMware has also published a KB article with detailed instructions on how to resolve the Heartbleed issue for ESXi 5.5. Please remember: This does not only include installing the patch, but also re-generating/replacing the SSL certificate and changing the root password!
This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. 
 Follow him on Twitter to keep up to date with what he posts.

Thanks, I was about to ask about standalone host updating. Much appreciated.
Thanks for your post.
I have followed your instruction above but nothing happened after issuing this command
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard
I have been waiting for a while but the command prompt did not appear. So I closed the SSH window and did not issue a 'reboot' command. Should I do it again, or is there anything wrong, or should it take a while before the update is done?
Hi Anonymous,
it will take a while, because it must download lots of data from the VMware Online depot. Does your host have a direct internet connection? Have you opened the firewall for outgoing http-requests with the first esxcli command?
You can monitor progress (from another ssh window) by looking at the log file /var/log/esxupdate.log.
Andreas
Thank you for a quick reply.
I have looked into the log file and found these errors:
~ # tail -f /var/log/esxupdate.log
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/usr/lib/vmware/esxcli-software", line 432, in main
2014-04-20T09:43:38Z esxupdate: root: ERROR: ret = CMDTABLE[command](options)
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/usr/lib/vmware/esxcli-software", line 198, in ProfileUpdateCmd
2014-04-20T09:43:38Z esxupdate: root: ERROR: allowDowngrades=opts.downgrade)
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 596, in InstallVibsFromProfile
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 347, in _installVibs
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 390, in _validateAndInstallProfile
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/HostImage.py", line 639, in Stage
2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/HostImage.py", line 878, in _getLock
And when trying to issue the update command again, it now locked up with this message in the log:
2014-04-20T09:43:38Z esxupdate: root: ERROR: LockingError: Another process is updating the ESX image. Please try again later.
Your kind suggestion will be highly appreciated. Thank you.
Regards,
Teerapan
I have opened the firewall as you suggested but maybe the process was interrupted. Can I do it over again and how to unlock the process? Thank you.
Teerapan
Hi Teerapan,
it looks like the first update process is still running ...
Wait for a line like
"esxupdate: root: DEBUG: Finished execution of command = profile.update"
to appear in esxupdate.log. Then try again.
As a last resort reboot the host and start over.
Andreas
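
The log check described in the replies above, as an added example that is not part of the original post or its comments: a POSIX shell function that reads esxupdate.log and reports whether the update has finished, hit the image lock, or not reported a result yet. The function names and the sample log are constructed for illustration (the two matched messages are the ones quoted in this thread), and it assumes `awk` is available in the shell.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the sample log is constructed from the message formats quoted in the comments.

# update_state LOGFILE [SINCE]  ->  prints finished | locked | pending
# SINCE is an optional UTC timestamp in the log's own format. Older lines are
# skipped so a "Finished" line from an earlier patch run is not mistaken for
# the current one. The last matching line in the log decides the result.
update_state() {
    awk -v since="${2:-}" '
        ($1 "") < (since "") { next }
        /LockingError: Another process is updating the ESX image/ { s = "locked" }
        /Finished execution of command = profile\.update/         { s = "finished" }
        END { print (s == "" ? "pending" : s) }
    ' "$1"
}

# Succeeds only when the update has reported completion, i.e. when it is
# reasonable to issue the reboot from the procedure in the post.
safe_to_reboot() {
    [ "$(update_state "$1" "${2:-}")" = "finished" ]
}

# Constructed sample: an old completed run, then a run that first hits the lock.
sample_log() {
    cat <<'EOF'
2014-03-01T08:00:00Z esxupdate: root: DEBUG: Finished execution of command = profile.update
2014-04-20T09:43:38Z esxupdate: root: ERROR: LockingError: Another process is updating the ESX image. Please try again later.
2014-04-20T10:32:16Z esxupdate: Transaction: DEBUG: Finished self._installVibs
2014-04-20T10:32:16Z esxupdate: root: DEBUG: Finished execution of command = profile.update
EOF
}

# Demo on the sample; on a host, pass /var/log/esxupdate.log instead.
demo_log=$(mktemp)
sample_log > "$demo_log"
echo "state since 2014-04-20: $(update_state "$demo_log" 2014-04-20T00:00:00Z)"
rm -f "$demo_log"
```

Passing the time the update was started as SINCE keeps an old completion message from being read as the result of the current run.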
I saw this in the log
2014-04-20T10:32:16Z esxupdate: HostImage: DEBUG: Host is remediated by installer: locker, boot
2014-04-20T10:32:16Z esxupdate: Transaction: DEBUG: Finished self._installVibs
2014-04-20T10:32:16Z esxupdate: Transaction: DEBUG: Finished SendVob
2014-04-20T10:32:16Z esxupdate: root: DEBUG: Finished execution of command = profile.update
2014-04-20T10:32:16Z esxupdate: root: DEBUG: Completed esxcli output, going to exit esxcli-software
and now sent a 'reboot' command to the server and have been waiting for about 30 minutes, but the system is not yet up for PING. I am so worried now and probably I need to drive to the IDC. Your further help to fix this will be highly appreciated.
Teerapan
Somebody at the IDC had to press F1 and everything continues smoothly.
Thank you for your post. It is very helpful. I already bookmarked your site and will surely come back again for any critical updates.
Teerapan
Hi Teerapan,
I'm glad that you got this sorted out, but please be aware that you normally cannot use the comments on my blog for support questions. Please head over to the VMware Communities (see https://communities.vmware.com) to ask for support.
Thanks
Andreas
hello
I have a dedicated OVH ESXi on a customized server image for them. Know if I can install the upgrade or should I ask to whom custom image
The "profile update" command will retain the customization, so you can safely use it to patch your system.
Say, quick question. I'm not really sure which update we should download and install, we are currently running ESXi 5.5.0 Build 1331820. Thanks, in advance for the help!
Okay, so you are running ESXi 5.5 GA, not Update 1.
There is an issue right now with Update 1 and accessing NFS storage. If you use NFS datastores then use the fix from KB2076589 resp. the Image Profile ESXi-5.5.0-20140401020s-standard.
If you do not use NFS storage (and do not plan to do so in the near future) then you can also upgrade to Update 1 plus the latest patches by using the fix from KB2076120 resp. the Image Profile ESXi-5.5.0-20140404001-standard.
Andreas
Hi Andreas,
Thanks for this post. I have followed the steps and updated one of our hosts that was on ESXi 5.5 build 1331820. I had to specify our proxy server to download it and used the following command.
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard --proxy=ip:port
Once this is completed I now see the following parameters. Can you confirm if this has patched the host for Heartbleed?
VMware ESXi 5.5.0 1746018
Image Profile - (Updated) ESXi-5.5.0-1331820-standard.
Hi Prashit,
yes, you did it right, and your host is now patched and no longer vulnerable.
Andreas
Hello,
First of all, thanks for this straightforward explanation. It works perfectly. Could you please just explain to us where you've found the https://hostupdate.vmware.com URL?
Best Regards
Thibault
Hi Thibault
this is the URL that vCenter Update Manager (VUM) uses to access the VMware Online depot and download ESXi patches. You can see that in the VUM configuration where you can also add additional depots.
Andreas
Hi Andreas,
The online method worked perfectly for me.
However I would also like to test the offline method as you have mentioned in previous posts :-).
I tried:
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard-1747267139 -ExportToBundle -FilePath .\ESXi-5.5.0-20140401020s-standard-1747267139.zip
But it error'd with = no bundle with that profile id.
Regards
vmcreator
Hi Andreas,
I did forget to mention that OFFLINE script that I tried as shown below was for the KB 2076586 patch also released at the same time as KB 2076120. I had applied the KB 2076120 successfully using the ONLINE method.
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard-1747267139 -ExportToBundle -FilePath .\ESXi-5.5.0-20140401020s-standard-1747267139.zip
The above script fails with incorrect profile ID.
Regards
vmcreator
Hi vmcreator,
The Name of the Image Profile is ESXi-5.5.0-20140401020s-standard
Andreas
What if you're using a Custom HP image, HP-ESXi-5.5.0-Update1-5.73.21 do I follow the same instructions and it will apply the patch but keep customisations or will it change it to a vanilla ESXi?
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard
P.S. For the odd Dell server I run into, is there a way to do an update without having to re-run the CD installation (bit of a pain when one such server had no CD drive, no iDRACs (iLO) and had to put a USB CD drive together using a USB HDD adaptor and pulling out an old CD Drive out of the nearest victim workstation)? So much easier on an HP.
Hi Andy,
the "esxcli software profile update" command will retain any customizations, so it is safe to use it on a server that was installed with the HP customized ISO.
The same applies to the Dell server.
Andreas