OpenSSL Heartbleed patches for ESXi 5.5 are available now!

VMware has just released updates for ESXi 5.5 that address the OpenSSL Heartbleed vulnerability (CVE-2014-0160) by updating OpenSSL to the latest version 1.0.1g. (Please note: Older ESXi releases are not vulnerable, because they ship an OpenSSL branch older than 1.0.1; only OpenSSL 1.0.1 through 1.0.1f is affected.)

Please note: The out-of-band patch for the Heartbleed issue is provided as two different offline patch bundles. The first contains only the security fixes of the recently released ESXi 5.5 Update 1 plus the Heartbleed fix (see KB2076589). The second contains the complete ESXi 5.5 Update 1 package, the Heartbleed fix and some new functional fixes (updated VMware Tools and a fixed lsi-mr3 driver, see KB2076120). So you could also consider this an update to Update 1, or an Update 1a ... Let's see if VMware will also update the ESXi 5.5 Update 1 ISO download to include these fixes.

Anyway, head over to the VMware Patch Download page to download the latest fixes!

I will soon update my ESXi VIB Matrix to include these latest ESXi 5.5 builds.

Update 2014-04-19:
And before someone asks this in the comments of this post ... here is how to update your standalone host with the Heartbleed patch ;-)

Enable SSH access on your host, log in to it (e.g. using PuTTY) and run the following commands. The host needs outbound HTTPS access to hostupdate.vmware.com; if it can only reach the internet through a proxy, append --proxy=host:port to the profile update command.
# open firewall for outgoing http requests:
esxcli network firewall ruleset set -e true -r httpClient
# Install the ESXi 5.5 U1 Heartbleed Imageprofile from the VMware Online depot
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard
# Reboot your host
reboot

Two caveats: The profile update downloads the complete image profile, so it can take quite a while and the prompt will not return until it has finished (watch /var/log/esxupdate.log from a second SSH session if you want to see progress). And the reboot is not optional: the updated VIBs are written to the alternate bootbank and only become active after the restart, so hostd and the other services keep using the old OpenSSL until then. Once the host is back up, disable the httpClient ruleset again (same esxcli command with -e false) and check the build number with vmware -v; with this image profile the host reports ESXi 5.5.0 build 1746018.

Update 2014-04-19a:
VMware has also published a KB article with detailed instructions on how to resolve the Heartbleed issue for ESXi 5.5. Please remember: Installing the patch is only half of the remediation. While the host was vulnerable, memory of the services listening on its SSL ports could be read remotely, so the private key of the host's SSL certificate and credentials sent to the host may have been exposed. After the patched host is running you therefore also need to regenerate or replace the SSL certificate and change the root password (and any other passwords used against the host).


This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.



22 comments:

  1. Thanks, I was about to ask about standalone host updating. Much appreciated.

  2. Thanks for your post.
    I have followed your instruction above but nothing happened after issuing this command

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard

    I have been waiting for a while but the command prompt did not appear. So I closed the SSH window and did not issue a 'reboot' command. Should I do it again or if there is anything wrong or it should take a while before the update has been done.

    Replies
    1. Hi Anonymous,

      it will take a while, because it must download lots of data from the VMware Online depot. Does your host have a direct internet connection? Have you opened the firewall for outgoing http-requests with the first esxcli command?

      You can monitor progress (from another SSH window) by looking at the log file /var/log/esxupdate.log.

      Andreas

  3. Thanks for the quick reply.
    I have looked into the log file and found these errors:

    ~ # tail -f /var/log/esxupdate.log
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/usr/lib/vmware/esxcli-software", line 432, in main
    2014-04-20T09:43:38Z esxupdate: root: ERROR: ret = CMDTABLE[command](options)
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/usr/lib/vmware/esxcli-software", line 198, in ProfileUpdateCmd
    2014-04-20T09:43:38Z esxupdate: root: ERROR: allowDowngrades=opts.downgrade)
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 596, in InstallVibsFromProfile
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 347, in _installVibs
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/Transaction.py", line 390, in _validateAndInstallProfile
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/HostImage.py", line 639, in Stage
    2014-04-20T09:43:38Z esxupdate: root: ERROR: File "/build/mts/release/bora-1623387/bora/build/esx/release/vmvisor/sys-boot/lib/python2.6/site-packages/vmware/esximage/HostImage.py", line 878, in _getLock

    And when trying to issue the update command again, it now locked up with this message in the log:

    2014-04-20T09:43:38Z esxupdate: root: ERROR: LockingError: Another process is updating the ESX image. Please try again later.

    Your kind suggestion will be highly appreciated. Thank you.

    Regards,
    Teerapan

  4. I have opened the firewall as you suggested but maybe the process was interrupted. Can I do it over again and how to unlock the process? Thank you.

    Teerapan

    Replies
    1. Hi Teerapan,

      it looks like the first update process is still running ...
      Wait for a line like
      "esxupdate: root: DEBUG: Finished execution of command = profile.update"
      to appear in esxupdate.log. Then try again.

      As a last resort reboot the host and start over.

      Andreas

  5. I saw this in the log

    2014-04-20T10:32:16Z esxupdate: HostImage: DEBUG: Host is remediated by installer: locker, boot
    2014-04-20T10:32:16Z esxupdate: Transaction: DEBUG: Finished self._installVibs
    2014-04-20T10:32:16Z esxupdate: Transaction: DEBUG: Finished SendVob
    2014-04-20T10:32:16Z esxupdate: root: DEBUG: Finished execution of command = profile.update
    2014-04-20T10:32:16Z esxupdate: root: DEBUG: Completed esxcli output, going to exit esxcli-software

    and have now sent a 'reboot' command to the server and have been waiting for about 30 minutes, but the system is not yet up for PING. I am so worried now and I probably need to drive to the IDC. Your further help to fix this will be highly appreciated.

    Teerapan

  6. Somebody at the IDC had to press F1 and everything continued smoothly.
    Thank you for your post. It is very helpful. I already bookmarked your site and will sure come back again for any critical updates.

    Teerapan

    Replies
    1. Hi Teerapan,

      I'm glad that you got this sorted out, but please be aware that you normally cannot use the comments on my blog for support questions. Please head over to the VMware Communities (see https://communities.vmware.com) to ask for support.

      Thanks
      Andreas

  7. hello

    I have a dedicated OVH ESXi server running a customized image from them. Do you know if I can install the upgrade, or should I ask the people who made the custom image?

    Replies
    1. The "profile update" command will retain the customization, so you can safely use it to patch your system.

  8. Say, quick question. I'm not really sure which update we should download and install, we are currently running ESXi 5.5.0 Build 1331820. Thanks, in advance for the help!

    Replies
    1. Okay, so you are running ESXi 5.5 GA, not Update 1.

      There is an issue right now with Update 1 and accessing NFS storage. If you use NFS datastores then use the fix from KB2076589, i.e. the Image Profile ESXi-5.5.0-20140401020s-standard.

      If you do not use NFS storage (and do not plan to do so in the near future) then you can also upgrade to Update 1 plus the latest patches by using the fix from KB2076120, i.e. the Image Profile ESXi-5.5.0-20140404001-standard.

      Andreas

  9. Hi Andreas,

    Thanks for this post. I have followed the steps and updated one of our hosts that was on ESXi 5.5 build 1331820. I had to specify our proxy server to download it and used the following command.

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard --proxy=ip:port

    Once this is completed I now see the following parameters. Can you confirm if this has patched the host for Heartbleed?

    VMware ESXi 5.5.0 1746018
    Image Profile - (Updated) ESXi-5.5.0-1331820-standard.

    Replies
    1. Hi Prashit,

      yes, you did it right, and your host is now patched and no longer vulnerable.

      Andreas

  10. Hello,

    First of all thanks for this straightforward explanation. It works perfectly. Could you please just explain to us where you've found the https://hostupdate.vmware.com URL?

    Best Regards

    Thibault

    Replies
    1. Hi Thibault

      this is the URL that vCenter Update Manager (VUM) uses to access the VMware Online depot and download ESXi patches. You can see that in the VUM configuration where you can also add additional depots.

      Andreas

  11. Hi Andreas,

    The online method worked perfectly for me.

    However I would also like to test the offline method as you have mentioned in previous posts :-).

    I tried:

    Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
    Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard-1747267139 -ExportToBundle -FilePath .\ESXi-5.5.0-20140401020s-standard-1747267139.zip

    But it errored with: no bundle with that profile id.

    Regards

    vmcreator

  12. Hi Andreas,

    I did forget to mention that OFFLINE script that I tried as shown below was for the KB 2076586 patch also released at the same time as KB 2076120. I had applied the KB 2076120 successfully using the ONLINE method.

    Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
    Export-EsxImageProfile -ImageProfile ESXi-5.5.0-20140401020s-standard-1747267139 -ExportToBundle -FilePath .\ESXi-5.5.0-20140401020s-standard-1747267139.zip

    The above script fails with incorrect profile ID.

    Regards

    vmcreator

    Replies
    1. Hi vmcreator,
      The Name of the Image Profile is ESXi-5.5.0-20140401020s-standard
      Andreas

  13. What if you're using a Custom HP image, HP-ESXi-5.5.0-Update1-5.73.21 do I follow the same instructions and it will apply the patch but keep customisations or will it change it to a vanilla ESXi?

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard

    P.S. For the odd Dell server I run into, is there a way to do an update without having to re-run the CD installation? (Bit of a pain when one such server had no CD drive and no iDRAC (iLO), and I had to put a USB CD drive together using a USB HDD adaptor and pulling an old CD drive out of the nearest victim workstation.) So much easier on an HP.

    Replies
    1. Hi Andy,

      the "esxcli software profile update" command will retain any customizations, so it is safe to use it on a server that was installed with the HP customized ISO.
      The same applies to the Dell server.

      Andreas

