How can an administrator mount an image to install a hot-fix containing an updated security patch?

vCenter Server 6.7 Update 3p | NOV 23 2021 | ISO Build 18831133

vCenter Server Appliance 6.7 Update 3p | NOV 23 2021  | ISO Build 18831133

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

  • What's New
  • Earlier Releases of vCenter Server 6.7
  • Upgrade Notes for This Release
  • Patches Contained in this Release
  • Product Support Notices
  • Resolved Issues
  • Known Issues

What's New

  • vCenter Server 6.7 Update 3p resolves CVE-2021-21980 and CVE-2021-22049. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2021-0027. 

  • For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches. 

Earlier Releases of vCenter Server 6.7

New features, resolved, and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 6.7 are:

  • VMware vCenter Server 6.7 Update 3o Release Notes
  • VMware vCenter Server 6.7 Update 3n Release Notes
  • VMware vCenter Server 6.7 Update 3m Release Notes
  • VMware vCenter Server 6.7 Update 3l Release Notes
  • VMware vCenter Server 6.7 Update 3j Release Notes
  • VMware vCenter Server 6.7 Update 3g Release Notes
  • VMware vCenter Server 6.7 Update 3f Release Notes
  • VMware vCenter Server 6.7 Update 3b Release Notes
  • VMware vCenter Server 6.7 Update 3a Release Notes
  • VMware vCenter Server 6.7 Update 3 Release Notes
  • VMware vCenter Server 6.7 Update 2c Release Notes
  • VMware vCenter Server 6.7 Update 2a Release Notes
  • VMware vCenter Server 6.7 Update 2 Release Notes
  • VMware vCenter Server 6.7 Update 1b Release Notes
  • VMware vCenter Server 6.7 Update 1 Release Notes
  • VMware vCenter Server 6.7.0d Release Notes
  • VMware vCenter Server 6.7.0c Release Notes
  • VMware vCenter Server 6.7.0b Release Notes
  • VMware vCenter Server 6.7.0a Release Notes
  • VMware vSphere 6.7 Release Notes

For internationalization, compatibility, installation and upgrade, open source components, and product support notices, see the VMware vCenter Server 6.7 Update 1 Release Notes.

Upgrade Notes for This Release

For more information on vCenter Server versions that support upgrade to vCenter Server 6.7 Update 3p, refer to VMware knowledge base article 67077.

Patches Contained in This Release

This release of vCenter Server 6.7 Update 3p delivers the following patch:

  • Full Patch for VMware vCenter Server Appliance 6.7 Update 3p

NOTE: vCenter Server 6.7 Update 3p does not provide a security patch to update the JRE component of vCenter Server for Windows and Platform Services Controller for Windows. Instead, you must download the VMware-VIM-all-6.7.0-18831133.iso file from VMware Customer Connect. For more information, see Download the vCenter Server Installer for Windows.

Full Patch for VMware vCenter Server Appliance 6.7 Update 3p

Product Patch for vCenter Server Appliance containing VMware software fixes, security fixes, and third-party product fixes (for example, JRE and tcServer).

This patch is applicable to the vCenter Server Appliance and Platform Services Controller Appliance.

For vCenter Server and Platform Services Controller Appliances

Download Filename: VMware-vCenter-Server-Appliance-6.7.0.51000-18831133-patch-FP.iso
Build: 18831133
Download Size: 2051.6 MB
md5sum: 3527843005139d0887210fdd3981212d
sha256checksum: db2021a66fc70e0d2dadb85210b70b2fdea6ac04a2b8dd8ac8cf5f2fc2145cce

Download and Installation

To find the VMware vCenter Server 6.7 Update 3p patch at VMware Customer Connect, from the Select a Product drop-down menu, select VC and from the Select a Version drop-down menu, select 6.7.0, and click Search.

  1. Attach the VMware-vCenter-Server-Appliance-6.7.0.51000-18831133-patch-FP.iso file to the vCenter Server Appliance CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged
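
Before attaching the ISO in step 1, the downloaded file can be checked against the SHA-256 value from the download table. The script below is an added example, not part of the VMware release notes; the function name verify_sha256 is hypothetical, and it assumes the sha256sum tool is available on the machine that holds the download.

```shell
#!/bin/sh
# Added example: compare a downloaded patch ISO with the published SHA-256
# digest before it is attached to the appliance. Fails closed on bad input.

# Values copied from the download table on this page.
ISO_NAME='VMware-vCenter-Server-Appliance-6.7.0.51000-18831133-patch-FP.iso'
ISO_SHA256='db2021a66fc70e0d2dadb85210b70b2fdea6ac04a2b8dd8ac8cf5f2fc2145cce'

# verify_sha256 FILE EXPECTED_HEX   (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha256() {
    local file expected actual
    file=$1
    # Normalise case so a digest pasted in upper case still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject empty or non-hex input.
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    # Reject a digest of the wrong length, such as the MD5 value pasted by mistake.
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is not 64 hex digits" >&2; return 2
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read $file" >&2; return 2
    fi
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# When a path is given on the command line, check it against the value above.
if [ "$#" -ge 1 ]; then
    verify_sha256 "$1" "$ISO_SHA256"
fi
```

A non-zero exit status means the file should not be attached or staged.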

For more information on using the vCenter Server Appliance shells, see VMware knowledge base article 2100508.

For more information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For issues resolved in this patch see Resolved Issues.

For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches. 

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server Appliance by Using the Appliance Management Interface.
 

Product Support Notices

  • Deprecation of Shares and Limit – IOPS fields in the virtual machine Edit Settings dialog: Starting from vCenter Server 6.7 Update 3p, the use of Shares and Limit – IOPS fields in the virtual machine Edit Settings menu is deprecated, because all I/O settings are only defined by using a storage policy. In a future vSphere release, the two fields are planned to be removed from the virtual machine Edit Settings dialog. For more information, see VMware knowledge base article 85696 and About Virtual Machine Storage Policies.

Resolved Issues

The resolved issues are grouped as follows.

  • Miscellaneous Issues
  • Storage Issues
  • Security Issues
  • Installation, Upgrade and Migration Issues
  • Auto Deploy and Image Builder Issues
  • Server Configuration Issues
  • vSphere HA and Fault Tolerance Issues
  • Networking Issues
  • Virtual Machine Management Issues

Miscellaneous Issues

  • You do not receive email notifications for vCenter Server alarms

    If you select the Keep the target's current state condition when you create an event-based alarm in your vCenter Server system, you might not receive email notifications. The issue is specific to the Keep the target's current state condition.

    This issue is resolved in this release.

  • vCenter Single Sign-On log files report errors about tomcat-users.xml

    vCenter Single Sign-On log files at /storage/log might accumulate multiple errors similar to java.io.FileNotFoundException tomcat-users.xml (No such file or directory). As a result, you see /storage/log almost full.

    This issue is resolved in this release.

  • You see warning messages for expiring password even though the account password is set to never expire

    When you log in to your vCenter Server system with admin credentials by using either the vSphere Client or vSphere Web Client, you might see a warning banner such as Your password will expire in (X) days, even though the password of the admin account is set to never expire.

    This issue is resolved in this release.

  • You see an error in method invocation when updating vCenter Server Appliance by using the vCenter Server Appliance Management Interface

    Due to an issue with the HTTPS proxy server configuration, when you click the Update tab in the vCenter Server Appliance Management Interface, you might see the message Error in method Invocation.

    This issue is resolved in this release.

  • The hostd service might fail during Network File Copy (NFC) operations

    Due to a rare race condition, the hostd service might fail during Network File Copy (NFC) operations, used for virtual machine migration, such as Storage vMotion, and workflows related to vSphere Replication.

    This issue is resolved in this release.

Storage Issues

  • Multiple concurrent updates of First Class Disk (FCD) metadata might lead to metadata corruption

    In case of multiple concurrent updates of FCD metadata, for example from automated scripts whose multiple threads all update FCD metadata at the same time, some updates might not complete. However, you see no notification of failure. As a result, FCD metadata might not be up to date and might become inconsistent.

    This issue is resolved in this release. The fix adds in-memory locks for FCD metadata updates and a notification if a metadata update does not complete.

  • Operations with Cloud Native Storage (CNS) volumes on vCenter Server might fail due to a sync failure

    If several FCDs fail at the same time, a full sync of CNS volumes might stop. As a result, some operations, such as to provision a PersistentVolumeClaim (PVC) in a vCenter Server, cannot complete.

    This issue is resolved in this release.

  • Blocked FCD operations might delay response to PersistentVolumeClaims

    A rare race condition of the syncDatastore update objects in the internal datastoreQueue might block some FCD operations and delay response to PersistentVolumeClaims. As a result, you might see vSAN health service not up to date.

    This issue is resolved in this release. The fix makes sure that no update objects are blocked during full sync operations. 

Security Issues

  • vCenter Server 6.7 Update 3p delivers the following security updates:
    • The OpenSSL library is updated to version openssl-1.0.2za.
    • The Oracle (Sun) JRE and JDK package is updated to version 1.8.0.301.
    • The Jackson package is updated to version 2.11.4.
    • The Apache Tomcat server is updated to version 8.5.68.
    • The Spring package is updated to version 4.3.30.
    • Eclipse Jetty is updated to version 9.4.43.v20210629.
    • The Cryptacular library is updated to version 1.2.4.
    • The XStream library is updated to version 1.4.18.
    • The urllib3 client is updated to version 1.21.1.
    • The Common Compress library is updated to version 1.21.
    • PostgreSQL is updated to version 9.4.26.
    • The libxml2 library is updated to version 2.9.12.
    • The c-ares library is updated to version 1.17.1.
    • cURL is updated to version 7.76.1.

Installation, Upgrade and Migration Issues

  • You cannot install a vCenter Server Appliance because the list of networks in the vSphere Client is empty

    If a datacenter is nested in a data center folder, you do not see the list of available networks when you try to deploy a new vCenter Server Appliance by using the vSphere Client.

    This issue is resolved in this release.

  • Cold migration might fail for virtual machines with size larger than 1 TB

    Cold migration of virtual machines that exceed 1 TB in size might take a long time. As a result, the NFC client does not get updates from vCenter Server and might consider the operation as timed out.

    This issue is resolved in this release.

Auto Deploy and Image Builder Issues

  • Due to a caching issue, ESXi hosts might fail to boot from Auto Deploy after an upgrade to vCenter Server 6.7 Update 3p

    After you upgrade your system to vCenter Server 6.7 Update 3p, stale cache data might cause Auto Deploy to stop provisioning ESXi hosts. The hosts fail with an error such as Could not boot: HTTP 5xx Server Error.

    This issue is resolved in this release.

Server Configuration Issues

  • Adding ESXi hosts to an Active Directory domain by using the VMware vSphere Authentication Proxy service might fail

    Due to some additional permission checks from the vSphere Authentication Proxy service, adding an ESXi host to an Active Directory domain might fail. The issue is specific to vSphere Authentication Proxy configurations where some users do not have Domain Admins privileges on the Active Directory.

    This issue is resolved in this release. The fix reduces the user access checks by the vSphere Authentication Proxy service to only the required minimum.

  • If the NT LAN Manager (NTLM) is disabled on Active Directory, configuration of the vSphere Authentication Proxy service might fail

    You cannot configure the vSphere Authentication Proxy service on an Active Directory when NTLM is disabled, because by default the vSphere Authentication Proxy uses NTLMv1 for initial communication.

    This issue is resolved in this release. The fix changes the default protocol for the initial communication of the vSphere Authentication Proxy to NTLMv2.

vSphere HA and Fault Tolerance Issues

  • You do not see an alarm when the secondary VM in a vSphere Fault Tolerance (FT) pair cannot power on

    Even though you set a vCenter cannot start the Fault Tolerance secondary VM alarm in the vSphere Client or vSphere Web Client, you do not see the alarm when the secondary VM that duplicates a mission critical virtual machine protected by FT fails to start.

    This issue is resolved in this release.

Networking Issues

  • You cannot remove an ESXi host from a vSphere Distributed Switch (VDS)

    In certain cases, you might not be able to remove an ESXi host from a VDS, even if no virtual machines are active on that host. The issue occurs when an ESXi host enters maintenance mode and the vSphere Distributed Resource Scheduler (DRS) moves a virtual machine template to another host, but the VDS port does not change. As a result, you cannot remove the host from VDS and might also see out of sync issues.

    This issue is resolved in this release.

  • If device backing is not configured in a virtual NIC, the vpxd service might fail while creating a new virtual machine

    If device backing is not configured in a virtual NIC, the vpxd service might not handle the null pointer value and fail while creating a new virtual machine. As a result, you must restart vCenter Server.

    This issue is resolved in this release. The fix adds the exception vim.fault.InvalidDeviceBacking for such cases to prevent the vpxd service from failing. 

  • You see an error in the vCenter Server network configuration from VAMI after a change to the maximum transmission unit (MTU) to less than 1280 bytes

    After you change the MTU on a vSphere Distributed Switch to a size lower than 1280 bytes, you might see an error in the VAMI Networking screen such as print.Error('com.vmware.applmgmt.err_operation_failed', 'Operation Failed.', **{}). The issue occurs when an IPv4 MTU gets a value lower than 1280, which leads to disabling the IPv6 stack due to faulty check logic, and causes networking APIs to fail.

    This issue is resolved in this release.

Virtual Machine Management Issues

  • NEW: Deployment of virtual machines fails with an error Could not power on virtual machine: No space left on device

    In rare cases, vSphere Storage DRS might over-recommend some datastores, which leads to an overload of those datastores and an imbalance of datastore clusters. In extreme cases, power-on of virtual machines might fail due to swap file creation failure. In the vSphere Client or vSphere Web Client, you see an error such as Could not power on virtual machine: No space left on device. You can backtrace the error in the /var/log/vmware/vpxd/drmdump directory.

    This issue is resolved in this release.

  • Rare issue with the native snapshot enabled policy of virtual machines might cause the vpxd service to fail with a core dump

    In certain conditions, the native snapshot enabled policy of virtual machines might cause the vpxd service to fail with a core dump pointing to an issue with ReInitializeVmOpState in vmoperation.cpp. In the backtrace, you see logs similar to:
    #9 0x000055d3eb5e2b0f in Vpxd::VmOperation::SetNativeSnapshotDisks (this=this@entry=0x7fc388a8ff00)   at bora/vpx/vpxd/vmcheck/vmOperation.cpp:648
    #10 0x000055d3eb5e2b65 in Vpxd::VmOperation::ReInitializeVmOpState (this=this@entry=0x7fc388a8ff00,   checkState=checkState@entry=0x7fc388a90178) at bora/vpx/vpxd/vmcheck/vmOperation.cpp:554

    This issue is resolved in this release.

Known Issues

The known issues are grouped as follows.

  • Installation, Upgrade and Migration Issues
  • vCenter Server and vSphere Client Issues
  • Known Issues from Prior Releases

Installation, Upgrade and Migration Issues

  • If an external SQL database connected to your vCenter Server system does not support TLS 1.2, installation of or upgrade to vCenter Server 6.7 Update 3p fails

    The version of Oracle (Sun) JRE in vCenter Server 6.7 Update 3p requires TLS 1.2 support for external communication. As a result, if your system has external SQL databases that do not support TLS 1.2, fresh installation or upgrades, or updates to vCenter Server 6.7 Update 3p fail. In the vpxd service logs, you see errors similar to:
    vpxd-svcs log snip
    ----2021-08-22T10:13:47.855-07:00 [main ERROR com.vmware.cis.core.kv.impl.Provider.VCDBProviderFactory opId=] SQL Error: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]". ClientConnectionId:xxxxxxxxx)

    Workaround: Before installation or upgrades, or updates to vCenter Server 6.7 Update 3p, patch the external SQL servers to enable TLS 1.2 support.

  • Upgrade from vCenter Server 6.5.x to 6.7.x might not deploy anti-affinity rules, VM Overrides, and VM Restart Priority on new virtual machines

    After an upgrade from vCenter Server 6.5.x to 6.7.x, you might see that existing anti-affinity rules, VM Overrides, and VM Restart Priority do not apply to new VMs.

    Workaround: Manually update the anti-affinity rules, VM Overrides and VM Restart Priority to make sure new VMs have the same rules and settings as old VMs.
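
For the TLS 1.2 known issue above, a saved copy of the vpxd-svcs log can be scanned for the negotiation failure and the protocol the database server offered. This is an added example, not part of the VMware release notes; the function names are hypothetical, and the sample log contains the error line quoted on this page plus two constructed lines.

```shell
#!/bin/sh
# Added example: report JDBC TLS negotiation failures of the kind quoted in
# the known issue, with the protocol the server selected and what the client
# (the JRE) was willing to accept.

# scan_tls_rejections FILE   (hypothetical helper name)
# Prints "<timestamp> server=<protocol> client=<preferences>" per failure.
# Returns 0 if at least one failure was found, 1 if none, 2 on read error.
scan_tls_rejections() {
    _hits=$(sed -n -E \
        's/^-*([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.+-]+) .*The server selected protocol version ([A-Za-z0-9.]+) is not accepted by client preferences \[([^]]*)\].*/\1 server=\2 client=\3/p' \
        "$1") || return 2
    [ -n "$_hits" ] || return 1
    printf '%s\n' "$_hits"
}

# write_sample_log FILE   (hypothetical helper name)
# Writes a three-line sample: the middle line is the one quoted on this page,
# the first and last lines are constructed for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-08-22T10:13:40.101-07:00 [main INFO com.example.constructed opId=] Constructed line: service starting
----2021-08-22T10:13:47.855-07:00 [main ERROR com.vmware.cis.core.kv.impl.Provider.VCDBProviderFactory opId=] SQL Error: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]". ClientConnectionId:xxxxxxxxx)
2021-08-22T10:13:48.000-07:00 [main INFO com.example.constructed opId=] Constructed line: retrying
EOF
}

# When a log path is given on the command line, scan it.
if [ "$#" -ge 1 ]; then
    scan_tls_rejections "$1"
fi
```

A hit with server=TLS10 or server=TLS11 identifies a database server that still needs the TLS 1.2 patch named in the workaround.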

vCenter Server and vSphere Client Issues

  • You see Certificate Status alarm in the vSphere Client for expiring certificates in the vSphere Certificate Manager Utility backup store

    The VMware Certificate Manager uses the vSphere Certificate Manager Utility backup store (BACKUP_STORE) to support certificate revert, keeping only the most recent state. However, the vpxd service throws a Certificate Status error when monitoring the BACKUP_STORE, if it contains any expired certificates, even though this is expected.

    Workaround: Delete the certificate entries in BACKUP_STORE by using the following vecs-cli commands:

    1. Get expired certificate alias in BACKUP_STORE:
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store BACKUP_STORE --text
    2. Delete certificate in BACKUP_STORE:
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias <alias>

Known Issues from Prior Releases

To view a list of previous known issues, click here.

What PowerShell cmdlet can be used to add permissions to a share?

The Grant-SmbShareAccess cmdlet adds an allow access control entry (ACE) for a trustee to a security descriptor of the Server Message Block (SMB) share.

What is a bootstrap program in WDS?

Bootstrap is a free, open source front-end development framework for the creation of websites and web apps. Designed to enable responsive development of mobile-first websites, Bootstrap provides a collection of syntax for template designs.

Which firewall rule group must be enabled to allow for the remote use of the Task Scheduler snap in?

To enable Remote Administration in Windows Firewall, use the command netsh advfirewall firewall set rule group="Remote Administration" new enable=yes. This will enable remote management for any MMC snap-in.

What PowerShell cmdlet will allow you to review the status of a running deduplication job?

Administrators can query the progress of a deduplication job, view the achieved space savings on the volume, and view the status of the deduplication process by using the Get-DedupStatus and Get-DedupVolume Windows PowerShell cmdlets.