Install VMware VCSA Security Patches

As we have detailed on previous posts, VMware is committed to using Photon OS in just about all the appliances that are being deployed with various products now. The new vCenter Server appliance is a case in point to that.  Since Photon OS is a custom built OS from VMware, they can achieve a much more aggressive patch/support schedule. This is a great change from a security perspective as historically, VCSA patches when running on SuSE were not released that often.  VMware has documented in their security response policy that patch releases will be based on the vulnerability severity.  Let’s take a look at how to install VMware VCSA vCenter appliance Photon OS security patches.

Install VMware VCSA Security Patches GUI

The method that most will be familiar with in patching a VCSA appliance is from the GUI interface.  We can get to the Update functionality by browsing out to the VAMI interface https://<your vcenter IP>:5480.  Choose the Update menu option.

VCSA patch login to VAMI

Select the Update option.

VCSA VAMI GUI patch install

Under the Check Updates menu, click the Check Repository option.  This will pull updates from the online VCSA update repository.

Check online repository for patches updates

As shown below, the 6.5.0.10100 Build Number 6671409 update is available.  We can choose to Install All Updates.

Choose to Install All Updates

We will be presented with the EULA for the update.  Click the Accept button.

Accept the End User License Agreement

You can choose whether or not you want to join the CEIP program by checking or unchecking the box.  Then click the Install button.

Configure the CEIP options

The patches are staged for installation.

VCSA patch GUI start staging patches

The update process runs a few pre-install scripts.  You can select the Show Details button to reveal the specifics of the process.

Update GUI pre-install scripts running

The packages will begin updating after the pre-install scripts run.

Package updates start on VCSA appliance

After the update is finished, you will see the message that a reboot is required to complete installation.

Security patches applied successfully reboot pending

If we go back to the Update menu, we will see the current build number is showing now, however, we still see the reboot directive.

Current build shown reboot

We can easily reboot from the VAMI interface, by going to the Summary tab and selecting the Rebootoption.

VAMI Summary tab select reboot

Select Yes on the reboot the system directive.

Confirm VCSA reboot

Install VMware VCSA Security Patches Command Line

A very easy and powerful way to install patches to VMware VCSA appliance is by using the command line.  We can pull the updates directly from the VMware online repository as well.  We can find the URL for patching from the online repository by logging into the VCSA VAMI interface https://<your vcenter IP>:5480 and choosing Update >> Settings.  Under the Repository Settings you will see the URL for the online repository.  We can copy that and use it from the command line.

Get the Default Repository URL for updating

Login via SSH to your VCSA appliance.  Make sure your shell is set to the default appliance shell.  We will use the software-packages install –url command to stage and install the patches.  We use the URL we copied from the VAMI interface Update settings.

Pull patches from the online default patch repository

We will see the EULA presented from the command line.  You can also use the following command to accept the EULAs automatically:

1 2	software-packages install --url --acceptEulas

Accept the license agreement

After the EULA, we type out yes to the “Do you accept the terms and conditions?” question.

Type yes at the license agreement

VCSA 6.5 patches are applied reboot system

Enter the shutdown reboot command with reason

After the reboot of the VCSA 6.5 appliance, we will have the latest patches/security patches installed.