2020. 3. 3. 05:24ㆍ카테고리 없음
VMware issued a security advisory containing severalsecurity updates for its vSphere ESXi and VMware vCenter Server products topatch command injection and information disclosure vulnerabilities.Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534,are rated as “important” with CVE-2017-16544 and CVE-2019-5531 considered “moderate”issues,reported.CVE-2019-5534 covers an issue where virtual machines deployedin an Open Virtualization Format (OVF) could expose login information via thevirtual machine’s vAppConfig properties. This can be resolved by updating tothe latest version.CVE-2019-5532 covers a situation where a malicious user withaccess to the log files containing vCenter OVF-properties of a virtual machinedeployed from an OVF may be able to view the credentials used to deploy theOVF. This is typically done through the root account of the virtual machine.
Apatched version is now available for upload.CVE-2019-5531 involves an information disclosurevulnerability in clients arising from insufficient session expiration thatwould allow an attacker with physical access or an ability to mimic a websocketconnection to a user’s browser to possibly obtain control of a VM Console afterthe user has logged out or their session has timed out. A patched version isnow available for upload.CVE-2017-16544 is a vulnerability in ESXi where it containsa command injection vulnerability due to the use of vulnerable version ofbusybox that does not sanitize filenames. An attacker may exploit this issue bytricking an ESXi Admin into executing shell commands by providing a maliciousfile, VMware wrote. A patched version is now available for upload.
There a several ways to patch a VMware ESXi server. VSphere Update Manager (VUM) can update for example a complete ESXi host cluster fully automatic. VSphere Update Manager requires a vCenter Server.
When you don’t have a vCenter Server patching can be done from the command line.Here is a quick overview how to patch an ESXi 6.x host to the latest patch.Step 1. Download the latest patch bundle from the VMware Web site,. VMware ESXi patches are cumulative!
Each patch bundle (.zip archive) includes all the updates from prior patches.Step 2. Upload the patch bundle (zip) to a (central) datastore with the vSphere Client (prior vSphere 6.5), vSphere Web Client, ESXi host client.Step 3.
Enable SSHIn the vSphere Web client start the SSH service and make a SSH session to the ESXi hostStep 4. Put the host in maintenance modevim-cmd hostsvc/maintenancemodeenterStep 5. Install the patch bundleUsing esxcli with the install method has the possibility of overwriting existing drivers.
Are Esxi Patches Cumulative
If you are using third-party ESXi images, VMware recommends using the update method to prevent an unbootable state. The following command will install the patch bunde:esxcli software vib update -d /vmfs/volumes/datastore/patchbundle.zipFor example install HPE ESXi 6 Update 3:esxcli software vib update -d /vmfs/volumes/VMFS01/VMware-ESXi-6.0.0-Update3-5050593-HPE-600.9.7.0.17-Feb2017-depot.zipAfter the patch bundle is installed check the message.
It must say “The update completed successfully, but the system needs to be rebooted for changes to be effective.”Step 6. Reboot the host by entering the following command:rebootStep 7. Make a SSH session to the ESXi host and exit maintenance modevim-cmd hostsvc/maintenancemodeexit.