VMware released a new security patch for the vCSA's operating system Photon - vCenter Server 6.5 U1f build number 7801515 - against two vulnerabilities related to Meltdown and Spectre issues.
The new patch vCenter Server 6.5 U1f fixes the bounds-check bypass (Spectre-1, CVE-2017-5753) and rogue data cache load issues (Meltdown, CVE-2017-5754). For branch target injection vulnerability (Spectre-2, CVE-2017-5715) there is still no patch instead.
The updated packages are the following:
- linux 4.4.110-2
- libgcrypt 1.7.6-3
- c-ares 1.12.0-2
- ncurses 6.0-8
- libtasn1 4.12-1
- wget 1.18-3
- procmail 3.22-4
- rsync 3.1.2-4
- apr 1.5.2-7
Also the VMware security advisory VMSA-2018-0007.1 has been updated with all virtual appliances updates for Spectre and Meltdown vulnerabilities and currently the only patches available are for vCenter Server Appliance (6.5 U1f) and for vSphere Integrated Containers (version 1.3.1).
Update to vCenter Server 6.5 U1f
To proceed with the update of the vCSA, you have to access the management console of the appliance by entering the correct credentials then click Login.
Navigate to Update area and click Check Updates > Check Repository to check for new updates availability.
When the new update has been detected, click Install > Install All Updates to proceed with the update.
Click Accept to accept the EULA.
Click Install to begin the installation.
The patch is being installed in the vCSA.
When the installation has completed successfully, click OK to reboot the appliance.
The appliance reboots to apply the changes.
After the vCSA reboot, the patching process is complete. Build number is now reported as 7801515.
The update is currently available from the repository only.