Important Update - On Mar 20 2018, VMware VMSA-2018-0004.3 announced that CVE-2017-5715 (Spectre-2) mitigation is now included in the latest patch, which you should be using instead of the older patch featured in the original article below. You'll find the newer article that features an even easier update method here:

Article below as it originally appeared.

Let's keep this recent story in perspective, some excerpts below, but you should read the whole article:

The Security Landscape: Pwn2Own 2017

...two teams succeeded in demonstrating arbitrary host code execution on VMware Workstation. Today, VMware is releasing updated versions of VMware vSphere ESXi, VMware Fusion, and VMware Workstation to address these vulnerabilities. VMSA-2017-0006 contains details on impacted versions and the releases which contain fixes.

No active exploitation

VMware is not aware of any active exploitation of the vulnerabilities revealed in this competition. Though the vulnerabilities seem to apply to all VMware virtual platforms (ESXi, Fusion, and Workstation), demonstration exploit code appears to exist only for VMware Workstation for Windows.

...

VMware also recommends examining the vSphere Hardening Guide and

vSphere Security Guide. Among the recommendations in the guides is to remove unnecessary virtual hardware.

...

Customers should consider the need to update for a full mitigation, the absence of active exploitation, the pace at which updates can safely be deployed, and any other risk mitigations (like IDS applications) which may protect their environments. At this point VMware’s recommendation is that customers expedite updating, though need not take emergency measures like taking environments offline.

ESXi 6.5.0a, Build 5224934 released 2017-03-28

VMware Security Advisory

VMSA-2017-0006 - VMware ESXi, Workstation and Fusion updates address critical and moderate security issues

ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host. VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.

kb.vmware.com/kb/2149572 Patch Release ESXi650-201703002

kb.vmware.com/kb/2149573 Patch ESXi650-201703410-SG: Updates esx-base, vsanhealth, vsan VIBs

ESXi 6.5.0a (most recent release of ESXi in ISO format as of Mar 31 2017)

VMware Release Notes for ESXi 6.5.0a | 02 FEB 2017 | ISO Build 4887370

Warning:

vCenter/VCSA 6.x should be upgraded to 6.5.0a before upgrading your host(s) to ESXi 6.5.0a Build 5224934, see:

How to easily update your VMware vCenter Server Appliance from VCSA 6.5 to 6.5.0a

Feb 07 2017 I have only tested this method when upgrading from 6.5.0a Build 4887370 to Build 5224934, your experience from earlier 6.x versions may vary. This is not official VMware documentation, it's merely a convenient upgrade technique that may help in lab tests, it's up to you to adhere to the backup-first advice detailed below.

If you're in production, beware, this just came out 3 days ago. This article is for the lab, where you may want to give this critical patch a try. All the background story on how this easy ESXCLI upgrade method came about was covered in my earlier articles about updating 6.0 U2 and 6.5.

No new license is needed to go from 6.0.x or 6.5.0a Build 4887370 to 6.5.0a Build 5224934. Users of the free hypervisor and folks who can't download the GA Offline bundle now have a path forward as well, without needing to read TinkerTry's article My VMware's "You either are not entitled or do not have permissions to download this product." error, and what to do about it.

Once you've completed ALL of the following preparation steps:

you can now continue with this simple approach to upgrading your lab environment. Unsupported, at your own risk, see the full disclaimer at below left.

What's nice about this ESXCLI upgrade method is that it's super simple and you don't have to worry about requesting a trial to be able to log into My VMware to download your ESXi 6.5.0a ISO:

Name: VMware-VMvisor-Installer-201701001-4887370.x86_64.iso

Release Date: 2017-02-02

Build Number: 4887370

Download and upgrade to 6.5.0a plus the VMSA-2017-0006 update using the patch directly from the VMware Online Depot

The entire process including reboot is usually well under 10 minutes. Triple-clicking on a line of code below highlights the whole thing, so you can right-click and copy it into your clipboard:

Open an SSH session (e.g. PuTTY) to your ESXi 6.0.x server (if you forgot to enable SSH, here's how), then work through these steps:

1. Turn on maintenance mode, or ensure you've set your ESXi host to automatically and gracefully shut down all VMs upon host reboot, or gracefully shut down all the VMs that you care about, including VCSA.

2. Firewall: allow outbound http requests. Paste the one line below into your SSH session, then press enter:

esxcli network firewall ruleset set -e true -r httpClient

More details about the firewall here.

3. Pull down the ESXi Image Profile using https and run the patch script. Paste the line below into your SSH session, then hit enter and wait while nothing seems to happen; it takes somewhere between roughly 3 and 10 minutes before the completion screen (sample below) appears:

esxcli software profile install -p ESXi-6.5.0-20170304101-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

The wait time depends mostly on the speed of the ESXi host's connection to the internet, and a little on the speed of the storage media that ESXi is installed on.

4. Firewall: disallow outbound http requests. Paste the line below into your SSH session:

esxcli network firewall ruleset set -e false -r httpClient

5. If you turned on maintenance mode earlier, remember to turn maintenance mode off. If you normally leave SSH access off, go ahead and disable it now.

6. Type reboot and hit return (to restart your ESXi server), or use your favorite ESXi UI to restart the host.

7. After the reboot is done, it would be a good idea to test login using the ESXi host client, pointing your browser to the IP or hostname of your just-upgraded server, to be sure everything seems to be working right.

You're done!

Special thanks to VMware ESXi Patch Tracker by Andreas Peetz at the VMware Front Experience Blog. This upgrade test was performed on a TinkerTry'd VMware HCL system. Yes, on both the very popular 8 core and the rather special 12 core version of the beloved Supermicro SuperServer SYS-5028D-TN4T system.

Here's how my upgrade from 6.5.0a Build 4887370 to 6.5.0a Build 4887370 looked, right after the 1 minute download/patch.

Yep, it worked! This is called the DCUI, using Supermicro's iKVM HTML5 UI to show you what my console looked like after the patch & reboot.

ESXi Host client view of Build 5224529.

That's it! When the reboot is complete, you'll see for yourself that you now have the latest ESXi, Build 5224529, as pictured above. Now you have more spare time to read more TinkerTry articles!

Depending upon your ESXi firewall configuration, if the above command results in a network-related error such as:

'NoneType' object has no attribute 'close'

then you skipped the firewall configuration step above; try again! Notice that the command recommended when you click on the ESXi-6.5.0-20170304101-standard link at VMware ESXi Patch Tracker:

esxcli software profile update -p ESXi-6.5.0-20170304101-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

doesn't work, and instead says:

Message: Host is not changed.

Simply changing from update to install worked for me, but your results may vary. See also the interesting comment below. Using the update parameter doesn't work, as seen above, but using install does.
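The three-command procedure above, together with the two failure messages discussed in this troubleshooting section, wrapped in a small POSIX shell script as an added example. This is not code from the original article or from VMware: it only packages the article's own esxcli commands, depot URL and profile name, closes the httpClient firewall rule again even when the install fails, and adds a pre-flight maintenance-mode check plus a post-reboot build check. The two error strings it recognises are the ones quoted above; the "Reboot Required: true" success line and the "Build: Releasebuild-NNNN" format of esxcli system version get are assumptions about esxcli's output, not something the article shows. Run it from the ESXi SSH session with --run; without that flag it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original article or from VMware): wraps the
# three esxcli commands the article gives, closes the firewall rule again even
# when the install fails, and names the two failure messages the article quotes.
# Paste into an SSH session on the ESXi host and run with:  sh upgrade.sh --run

DEPOT='https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml'
PROFILE='ESXi-6.5.0-20170304101-standard'

# Classify the text esxcli printed. Pure string handling, so it can be checked
# offline against captured output.
classify_result() {
    case "$1" in
        # Quoted in the article: the firewall step was skipped (outbound
        # httpClient still blocked), so the depot could never be reached.
        *"'NoneType' object has no attribute 'close'"*) echo firewall_blocked ;;
        # Quoted in the article: 'profile update' was used instead of 'profile install'.
        *"Host is not changed"*) echo unchanged ;;
        # Assumption: esxcli prints this line after a successful install.
        *"Reboot Required: true"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Pull the build number out of 'esxcli system version get' output.
# Assumption: the relevant line looks like "Build: Releasebuild-4887370".
extract_build() {
    printf '%s\n' "$1" | sed -n 's/.*Build: Releasebuild-\([0-9][0-9]*\).*/\1/p'
}

# Step 0: refuse to run unless the host is in maintenance mode (the article's
# alternative, shutting every VM down by hand, is not something a script can verify).
require_maintenance_mode() {
    [ "$(esxcli system maintenanceMode get)" = "Enabled" ] || {
        echo "Host is not in maintenance mode; enter it first." >&2
        return 1
    }
}

# Steps 1-3 from the article: open outbound HTTP(S), install the image profile
# (install, not update), then close the rule again whatever the result.
run_upgrade() {
    require_maintenance_mode || return 1
    esxcli network firewall ruleset set -e true -r httpClient
    output=$(esxcli software profile install -p "$PROFILE" -d "$DEPOT" 2>&1)
    esxcli network firewall ruleset set -e false -r httpClient
    printf '%s\n' "$output"
    result=$(classify_result "$output")
    echo "Result: $result"
    [ "$result" = ok ]   # the reboot is left to you, as the article describes
}

# After the reboot: compare the running build with the one you expected.
# Pass the build number you are upgrading to as the only argument.
check_build() {
    expected="$1"
    running=$(extract_build "$(esxcli system version get)")
    [ "$running" = "$expected" ] && echo "Running build $running as expected"
}

if [ "${1:-}" = "--run" ]; then
    run_upgrade
fi
```

Because classify_result and extract_build only inspect text, you can paste captured esxcli output into them on any machine to see how a failed run would have been interpreted, which is also how the script's behaviour can be checked before it is ever run against a host.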

If you find some of your SATA/AHCI datastores disappear from view after this upgrade, worry not, the VMFS datastores are still there, you just can't see them. This article should still save you:

For ESXi 6.0, those ESXi 5.1 VIBs for ASMedia SATA ports and Realtek NICs still seem to be working (but unsupported)

Mar 04 2015

Alternatively, you could have used VMware Update Manager on a Windows system or VM, but for one-off upgrades typical in a small home lab, pasting these 3 lines of code is pretty darn easy.

Looking ahead, since VUM is now built into VCSA 6.5, this will add another way to do future upgrades and patches, even in a small home lab environment.

How to easily update your VMware vCenter Server Appliance from VCSA 6.5 to 6.5.0a Build 5224934

For ESXi 6.0 users who don't wish to move to 6.5, there are also patches for this issue, but those are not the focus of this article. See:

kb.vmware.com/kb/2149569 Patch ESXi600-201703401-SG: Updates esx-base, vsan, vsanhealth

kb.vmware.com/kb/2149568 Patch Release ESXi600-201703001


Below, I've pasted the full text of my upgrade, which helps you see what drivers were touched; use the horizontal scroll bar or shift + mousewheel to look around, and Ctrl+F works as needed too: