

vSphere 5.5 U3b Patch Alert

On the 8th of December, 2015 VMware released a patch to ESXi 5.5 to address the POODLE vulnerability in SSLv3. The patch disables SSLv3 on the host altogether and only allows the more secure TLS protocol to be used instead. The patch is called ESXi550-201512101-SG, is titled “Updates esx-base” in Update Manager, and could cause you problems if you apply it to your hosts before upgrading vCenter.

If you are already at the vCenter version they released at the same time (vCenter 5.5 U3b) then it is safe to upgrade the hosts to this patch level as communication will continue to work fine over TLS.

However, if your vCenter is below this latest 5.5 Update 3b level and you install the ESXi patch, you will not be able to connect to the host in vCenter after the patch is installed and the host has restarted. This is because vCenter will still be trying to communicate with the host via SSLv3, which the host now has disabled.

If you do install the patch, you have two options to enable communication again: you can re-enable SSLv3 on the host (following the procedure here http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2139396#hostd) or you can upgrade vCenter to 5.5 U3b (the preferred method).

If you are reading this before you install this patch, then planning to upgrade to vCenter version 5.5 U3b would be the ideal solution. There are also newer versions of VMware’s other software that use SSLv3, and these need to be upgraded too, e.g. SRM, vRealize Operations, VMware Tools, etc. VMware has an article on the order in which to upgrade these applications here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2057795

Something else to be mindful of is that external applications that communicate with vCenter and ESXi may currently do so with SSLv3, so upgrading to 5.5 U3b may stop this communication from working, as TLS support may not be implemented in the application. This can be tested by going into the Advanced Settings of vCenter, disabling SSLv3 in the “SSL.Version” setting and restarting vCenter. Testing this at the ESXi host level can be done with this procedure: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2139396#hostd.
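A complementary check that does not require switching SSLv3 off first is to capture the first handshake message each external application sends and read the highest protocol version it offers. The following is an added example, not code from VMware or from the original post; the application names and ClientHello bytes are constructed for illustration.

```python
import struct

# Protocol version codes as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_max_version(record: bytes) -> int:
    """Return client_version from a ClientHello: the highest version the client offers."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if rec_len < 6 or len(body) != rec_len:
        raise ValueError("truncated handshake message")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", body[4:6])[0]

def breaks_when_sslv3_disabled(record: bytes) -> bool:
    """True if the client offers nothing newer than SSLv3."""
    return client_hello_max_version(record) < 0x0301

def sample_hello(version: int) -> bytes:
    """Constructed ClientHello: zero random, empty session id, one cipher suite, null compression."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, min(version, 0x0301), len(handshake)) + handshake

# Constructed captures; the application names are hypothetical.
CAPTURES = {
    "backup-agent": sample_hello(0x0300),
    "monitoring-tool": sample_hello(0x0303),
}

def audit(captures: dict) -> dict:
    """Map each application to (offered version name, will it fail once SSLv3 is off)."""
    report = {}
    for app, record in captures.items():
        version = client_hello_max_version(record)
        report[app] = (VERSIONS.get(version, hex(version)), breaks_when_sslv3_disabled(record))
    return report

if __name__ == "__main__":
    for app, (name, breaks) in audit(CAPTURES).items():
        print(f"{app}: offers up to {name}; {'WILL FAIL' if breaks else 'ok'} after SSLv3 is disabled")
```

Any application reported as offering only SSLv3 needs a TLS-capable update before the hosts or vCenter are moved to 5.5 U3b.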

Richard Hinder
Richard is a highly dedicated technician from Perfekt with broad experience in deployment, administration, scripting and solution architecture in SMB and Enterprise environments. With a high level of quality put into documentation and communication with clients, Richard is always striving to find the best solutions to today’s needs and enjoys keeping up with the latest technologies available. Richard is VMware certified and specialises across backup, ESXi, SRM and HDS Storage. He has a strong focus on technology around virtualisation, storage, backup, DR/BCP and the server-based computing space.
