CLI Upgrade VMware Servers to ESXi 6.7 U2

Scheduled non-working hours to upgrade and patch our VMware servers against the Intel CPU vulnerabilities known as Microarchitectural Data Sampling (MDS).

Veeam Backup & Replication also has to be brought up to 9.5 Update 4a.

The first attempt, a plain VIB update against the bundle, failed with this dependency error:
# esxcli software vib update --depot=/vmfs/volumes/datastore1/Patches/update-from-esxi6.7-6.7_update02.zip

[DependencyError]
VIB VMware_bootbank_esx-base_6.7.0-2.48.13006603 requires esx-update << 6.7.0-2.49, but the requirement cannot be satisfied within the ImageProfile.
VIB VMware_bootbank_esx-base_6.7.0-2.48.13006603 requires esx-update >= 6.7.0-2.48, but the requirement cannot be satisfied within the ImageProfile.

Please refer to the log file for more details.


Listed the image profiles in the bundle and identified that the required one is ESXi-6.7.0-20190402001-standard:
# esxcli software sources profile list --depot=/vmfs/volumes/datastore1/Patches/update-from-esxi6.7-6.7_update02.zip

   Name                              Vendor        Acceptance Level  Creation Time        Modification Time
   --------------------------------  ------------  ----------------  -------------------  -------------------
   ESXi-6.7.0-20190402001-standard   VMware, Inc.  PartnerSupported  2019-03-27T04:46:55  2019-03-27T04:46:55
   ESXi-6.7.0-20190401001s-standard  VMware, Inc.  PartnerSupported  2019-03-27T04:46:55  2019-03-27T04:46:55
   ESXi-6.7.0-20190401001s-no-tools  VMware, Inc.  PartnerSupported  2019-03-27T04:46:55  2019-03-27T04:46:55
   ESXi-6.7.0-20190402001-no-tools   VMware, Inc.  PartnerSupported  2019-03-27T04:46:55  2019-03-27T04:46:55


Enabled the httpClient firewall ruleset so the requirement could be downloaded, then installed the whole image profile so the dependent VIBs went in together:
# esxcli network firewall ruleset set -e true -r httpClient

# esxcli software profile update -p ESXi-6.7.0-20190402001-standard --depot=/vmfs/volumes/datastore1/Patches/update-from-esxi6.7-6.7_update02.zip

Update Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMW_bootbank_bnxtnet_20.6.101.7-21vmw.670.2.48.13006603, VMW_bootbank_bnxtroce_20.6.101.0-20vmw.670.1.28.10302608, VMW_bootbank_brcmfcoe_11.4.1078.19-12vmw.670.2.48.13006603, [...]


# esxcli network firewall ruleset set -e false -r httpClient


Checked the ESXi Side-Channel-Aware Scheduler setting. We decided on SCAv1, so both hyperthreadingMitigation and hyperthreadingMitigationIntraVM must be TRUE:
# esxcli system settings kernel list -o hyperthreadingMitigation

Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  --------------------
hyperthreadingMitigation  Bool  TRUE        TRUE     FALSE    Restrict the
                                                              simultaneous use of
                                                              logical processors
                                                              from the same
                                                              hyperthreaded core
                                                              as necessary to
                                                              mitigate a security
                                                              vulnerability.

# esxcli system settings kernel list -o hyperthreadingMitigationIntraVM

Name                             Type  Configured  Runtime  Default  Description
-------------------------------  ----  ----------  -------  -------  ------------------------------------------------------------------------------------------------------------------------------------------------------
hyperthreadingMitigationIntraVM  Bool  TRUE        TRUE     TRUE     Restrict the simultaneous use of logical
                                                                     processors from the same hyperthreaded
                                                                     core as necessary to mitigate a security
                                                                     vulnerability within a single VM.


If they are not yet TRUE:
# esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE

# esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v TRUE


Then put the host into maintenance mode and reboot:
# esxcli system maintenanceMode set --enable true
# esxcli system shutdown reboot --reason "Patch update-from-esxi6.7-6.7_update02.zip"


Last, applied the ESXi670-201905001 patch bundle the same way:
# esxcli software vib update --depot=/vmfs/volumes/{UUID}/Patches/ESXi670-201905001.zip
# esxcli system maintenanceMode set --enable true
# esxcli system shutdown reboot --reason "Patch ESXi670-201905001.zip"


Appendix: Security & Performance
Performance of vSphere 6.7 Scheduling Options
https://www.vmware.com/techpapers/2018/scheduler-options-vsphere67u2-perf.html

Host security boundary
Relying on the host security boundary is not recommended. Using the L1TF concurrent-context attack vector, a VM on the host can observe any information on that host.

VM security boundary
The VM security boundary prevents information leaking between two different VMs on a host or between a VM and the hypervisor. Concurrent-context speculative side-channel attacks can be used to reveal information across different security domains of a single ESXi VM.

This option provides a balance of performance and security for environments where the VM is considered the information security boundary.

Process security boundary
The process security boundary ensures that concurrent-context attacks using speculative side channels do not expose information across different processes or security contexts within the guest.

Default – Unmitigated, best performance – For environments not concerned about the L1TF security vulnerability.
 * HyperthreadingMitigation = FALSE
 * HyperthreadingMitigationIntraVM = N/A

SCAv1 - Hyperthreading effectively off – The mitigation made available at the L1TF announcement in August 2018.
 * HyperthreadingMitigation = TRUE
 * HyperthreadingMitigationIntraVM = TRUE

SCAv2 - New policy in vSphere 6.7 U2
 * HyperthreadingMitigation = TRUE
 * HyperthreadingMitigationIntraVM = FALSE
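
The three policies above map onto the two kernel settings checked earlier. The following is an added example, not part of the original post: a POSIX sh script that reads the output of `esxcli system settings kernel list -o <option>` for both options, names the policy in effect, and flags a pending reboot when the Configured and Runtime columns disagree. It runs offline on constructed sample output (labelled as such) and assumes awk is available.

```shell
#!/bin/sh
# Added example, not from the original post: classify the ESXi Side-Channel-Aware
# Scheduler policy (Default / SCAv1 / SCAv2, per the table above) from the output
# of `esxcli system settings kernel list -o <option>`, and flag a pending reboot
# when the Configured and Runtime columns disagree. Runs offline on constructed
# sample output; on a host, feed it the real esxcli output. Assumes awk.

# Constructed sample: IntraVM was just set to TRUE but the host has not been
# rebooted, so its Runtime column still shows FALSE.
SAMPLE_HT='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        TRUE     FALSE    Restrict the'
SAMPLE_INTRA='Name                             Type  Configured  Runtime  Default  Description
-------------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigationIntraVM  Bool  TRUE        FALSE    TRUE     Restrict the'

# field_of OPTION FIELD OUTPUT -> field FIELD (3=Configured, 4=Runtime) of OPTION's row
field_of() {
    printf '%s\n' "$3" | awk -v opt="$1" -v f="$2" '$1 == opt { print $f }'
}

# sca_policy HT INTRA -> policy name for the two boolean values
sca_policy() {
    case "$1/$2" in
        FALSE/*)    echo "Default" ;;  # unmitigated: sibling threads shared freely
        TRUE/TRUE)  echo "SCAv1" ;;    # sibling thread kept idle (HT effectively off)
        TRUE/FALSE) echo "SCAv2" ;;    # siblings only run vCPUs of the same VM
        *)          echo "unknown"; return 1 ;;
    esac
}

# policy_at FIELD HT_OUT INTRA_OUT -> policy read from that column of both outputs
policy_at() {
    sca_policy "$(field_of hyperthreadingMitigation "$1" "$2")" \
               "$(field_of hyperthreadingMitigationIntraVM "$1" "$3")"
}

runtime_policy()    { policy_at 4 "$1" "$2"; }   # in effect now
configured_policy() { policy_at 3 "$1" "$2"; }   # after the next reboot

# reboot_pending HT_OUT INTRA_OUT -> exit 0 when the two policies differ
reboot_pending() {
    [ "$(runtime_policy "$1" "$2")" != "$(configured_policy "$1" "$2")" ]
}

echo "runtime:    $(runtime_policy "$SAMPLE_HT" "$SAMPLE_INTRA")"     # SCAv2
echo "configured: $(configured_policy "$SAMPLE_HT" "$SAMPLE_INTRA")"  # SCAv1
reboot_pending "$SAMPLE_HT" "$SAMPLE_INTRA" && echo "reboot needed to apply SCAv1"
```

On a real host, replace the two samples with `$(esxcli system settings kernel list -o hyperthreadingMitigation)` and the IntraVM equivalent; a "reboot needed" result after running the set commands is the expected state until the host is rebooted.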


References
VMware ESXi 6.7 Update 2 Release Notes
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html


VMSA-2019-0008

  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - CVSSv3 = 6.5
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVSSv3 = 6.5
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) - CVSSv3 = 6.5
  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVSSv3 = 3.8


Release Notes for Veeam Backup & Replication 9.5 Update 4a
https://www.veeam.com/kb2926


SCAv1 vs SCAv2

(source: vmware)


Update