June 2022: VMware Releases ESXi 6.7/7.0 Critical Patch Updates

See VMware / Broadcom Notes/Links below for both ESXi 6.7 and 7.0 June 2022 Critical Security Update Releases:

Critical:  VMware ESXi 7.0 Update 3d Release Notes

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3d-release-notes.html

Critical:  VMware ESXi 6.7, Patch Release ESXi670-202206001

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202206001.html#esxi670-202206401-bg-resolved

What's in the Release Notes

This release includes mitigations for CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166. For more information on these vulnerabilities including impacted product suites and release lines, please see: VMSA-2022-0016.

Build Details

Bulletins

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi 6.7.

IMPORTANT: For clusters using VMware vSAN, you must first upgrade the vCenter Server system. Upgrading only the ESXi hosts is not supported.
Before an upgrade, always verify in the VMware Product Interoperability Matrix compatible upgrade paths from earlier versions of ESXi, vCenter Server and vSAN to the current version.

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

For more information about the individual bulletins, see the Product Patches page and the Resolved Issues section.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is by using the VMware vSphere Update Manager. For details, see the About Installing and Administering VMware vSphere Update Manager.
ESXi hosts can be updated by manually downloading the patch ZIP file from VMware Customer Connect. From the Select a Product drop-down menu, select ESXi (Embedded and Installable) and from the Select a Version drop-down menu, select 6.7.0. Install VIBs by using the esxcli software vib update command. Additionally, you can update the system by using the image profile and the esxcli software profile update command.

For more information, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.

Resolved Issues

The resolved issues are grouped as follows.

• ESXi670-202206401-BG
• ESXi670-202206402-BG
• ESXi670-202206101-SG
• ESXi670-202206102-SG
• ESXi670-202206103-SG
• ESXi-6.7.0-20220604001-standard
• ESXi-6.7.0-20220604001-no-tools
• ESXi-6.7.0-20220601001s-standard
• ESXi-6.7.0-20220601001s-no-tools

ESXi670-202206401-BG

Updates esx-base, esx-update, vsan, and vsanhealth VIBs to resolve the following issues:

• PR 2891724:  You might see spikes in the latency performance metrics after a virtual machine disk snapshot is created

After you create a virtual machine disk snapshot, you might see latency spikes in the vSphere performance charts. Such unusual spikes are due to the recreation of some internal system objects and the restart of the latency performance counters in the storage subsystem.

This issue is resolved in this release. The fix prevents false latency alarms after virtual machine disk snapshots.

• PR 2966100: Failed asynchronous tasks run by a VASA provider might cause the VMX or hostd services to fail as well

The response of certain asynchronous task run by a VASA provider, such as prepareToSnapshot and createVirtualVolume, might not return sufficient error details for the task in case of failure. As a result, the VMX or hostd services might fail intermittently with a core dump.

This issue is resolved in this release.

• PR 2888739: You cannot create a host profile from an ESXi host that uses a hardware iSCSI adapter with pseudo NICs

If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.

This issue is resolved in this release. For pseudo NICs, the fix removes the requirement for PCI address and PCI vendor name values.

• PR 2919514: LUN trespasses might occur on Dell EMC Unity arrays upon shutdown or booting of ESXi 6.7 hosts

After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to a Dell EMC Unity array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.

This issue is resolved in this release. The fix adds a check before activating the last path on the target during the shutdown phase to prevent LUN trespassing.

• PR 2931457: The vSphere Replication service fails to start on a vCenter Server system due to error in the installation of the vmware-hbr-agent VIB

You might not be able to start the vSphere Replication service on a vCenter Server system and see errors such as Error connecting to proxy: [<FQDN of vCenter Server>, '80'] in the /var/run/log/esxupdate.log on ESXi hosts. The issue occurs when the vSphere Replication Management Server fails to install the vmware-hbr-agent VIB on all ESXi hosts due to an incorrect proxy request header sent by ESXi.

This issue is resolved in this release.

• PR 2916330: Many simultaneous ESXCLI calls might cause a deadlock in the hostd service

In certain environments, more than 15 parallel ESXCLI calls might cause a deadlock in the hostd service. As a result, hostd becomes intermittently unresponsive on different ESXi hosts.

This issue is resolved in this release.

• PR 2819598: A routine operation to extend a disk on a powered on VM might fail with an invalid state error

A routine operation to extend a disk on a powered on VM might fail with a message such as Error: The attempted operation cannot be performed in the current state ("Powered on"). The issue occurs in rare cases, when the hostd service might wrongly interpret a simple disk extend request as a request to change the virtual disk backing. As a result, the request fails with an InvalidPowerState error.

This issue is resolved in this release.

• PR 2931040: Virtual machines on NFSv4.1 datastores become unresponsive for few seconds during storage failover

In rare cases, when an NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.

This issue is resolved in this release. The fix reduces wait time for recovery during storage failover.

• PR 2911524: Multiple ESXi hosts drop syslog messages

In rare cases, the vmsyslog service might rotate logs in an older version of the /etc/vmsyslog.conf file. As a result, you see multiple ESXi hosts drop syslog messages.

This issue is resolved in this release.

• PR 2911321: You see status Unknown for sensors of type System Event in the hardware health monitoring screen in the vSphere Client

The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.

This issue is resolved in this release.

• PR 2919813: If a virtual machine has Changed Block Tracking (CBT) enabled, snapshot operations might take longer than usual

If a virtual machine has CBT enabled, virtual machines might become unresponsive longer than usual during snapshot operations while VMFS allocates resources to create the change tracking file for the delta disk.

This issue is resolved in this release.

• PR 2905924: An ESXi host might fail with a purple diagnostic screen due to a race condition in container ports

Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.

This issue is resolved in this release.

• PR 2904032: ESXi hosts might fail with a purple diagnostic screen when I/O operations run on a software iSCSI adapter

I/O operations on a software iSCSI adapter might cause a rare race condition inside the iscsi_vmk driver. As a result, ESXi hosts might intermittently fail with a purple diagnostic screen.

This issue is resolved in this release.

ESXi670-202206102-SG

Updates the tools-light VIB to resolve the following issues:

• The following VMware Tools ISO images are bundled with ESXi 670-2022060001:
• windows.iso: VMware Tools 12.0.0 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
• linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.

The following VMware Tools ISO images are available for download:

• VMware Tools 11.0.6:
• windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  
• VMware Tools 10.0.12:
• winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
• linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  
• solaris.iso: VMware Tools image 10.3.10 for Solaris.
• darwin.iso: Supports Mac OS X versions 10.11 and later.

Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

• VMware Tools 12.0.0 Release Notes
• Earlier versions of VMware Tools
• What Every vSphere Admin Must Know About VMware Tools
• VMware Tools for hosts provisioned with Auto Deploy
• Updating VMware Tools

ESXi670-202206103-SG

Updates the cpu-microcode VIB to resolve the following issues:

The cpu-microcode VIB includes the following Intel microcode:

ESXi670-202206001 includes the following AMD microcode:

ESXi-6.7.0-20220604001-standard

Profile NameESXi-6.7.0-20220604001-standardBuildFor build information, see Patches Contained in this Release.VendorVMware, Inc.Release DateJune 14, 2022Acceptance LevelPartnerSupportedAffected HardwareN/AAffected SoftwareN/AAffected VIBs

• VMware_bootbank_esx-update_6.7.0-3.174.19898906
• VMware_bootbank_vsanhealth_6.7.0-3.174.19586332
• VMware_bootbank_vsan_6.7.0-3.174.19589650
• VMware_bootbank_esx-base_6.7.0-3.174.19898906
• VMware_bootbank_esx-xserver_6.7.0-3.174.19898906
• VMware_locker_tools-light_12.0.0.19345655-19898894
• VMware_bootbank_cpu-microcode_6.7.0-3.170.19898894

PRs Fixed2891724, 2966100, 2888739, 2919514, 2931457, 2916330, 2819598, 2931040, 2911524, 2911321, 2919813, 2905924, 2912214, 2904032Related CVE numbersN/A

• This patch updates the following issues:
• After you create a virtual machine disk snapshot, you might see latency spikes in the vSphere performance charts. Such unusual spikes are due to the recreation of some internal system objects and the restart of the latency performance counters in the storage subsystem.
• The response of certain asynchronous task run by a VASA provider, such as prepareToSnapshot and createVirtualVolume, might not return sufficient error details for the task in case of failure. As a result, the VMX or hostd services might fail intermittently with a core dump.
• If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.
• After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to a Dell EMC Unity array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.
• You might not be able to start the vSphere Replication service on a vCenter Server system and see errors such as Error connecting to proxy: [<FQDN of vCenter Server>, '80'] in the /var/run/log/esxupdate.log on ESXi hosts. The issue occurs when the vSphere Replication Management Server fails to install the vmware-hbr-agent VIB on all ESXi hosts due to an incorrect proxy request header sent by ESXi.
• In certain environments, more than 15 parallel ESXCLI calls might cause a deadlock in the hostd service. As a result, hostd becomes intermittently unresponsive on different ESXi hosts.
• A routine operation to extend a disk on a powered on VM might fail with a message such as Error: The attempted operation cannot be performed in the current state ("Powered on"). The issue occurs in rare cases, when the hostd service might wrongly interpret a simple disk extend request as a request to change the virtual disk backing. As a result, the request fails with an InvalidPowerState error.
• In rare cases, when an NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.
• In rare cases, the vmsyslog service might rotate logs in an older version of the /etc/vmsyslog.conf file. As a result, you see multiple ESXi hosts drop syslog messages.
• The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.
• If a virtual machine has CBT enabled, virtual machines might become unresponsive longer than usual during snapshot operations while VMFS allocates resources to create the change tracking file for the delta disk.
• Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.
• In rare cases, a serial device on a virtual machine might not have a serial<N>.fileName property and the serial<N>.autodetect property to be set to FALSE. As a result, the hostd service might repeatedly fail.
• I/O operations on a software iSCSI adapter might cause a rare race condition inside the iscsi_vmk driver. As a result, ESXi hosts might intermittently fail with a purple diagnostic screen.

ESXi-6.7.0-20220604001-no-tools

• This patch updates the following issues:
• After you create a virtual machine disk snapshot, you might see latency spikes in the vSphere performance charts. Such unusual spikes are due to the recreation of some internal system objects and the restart of the latency performance counters in the storage subsystem.
• The response of certain asynchronous task run by a VASA provider, such as prepareToSnapshot and createVirtualVolume, might not return sufficient error details for the task in case of failure. As a result, the VMX or hostd services might fail intermittently with a core dump.
• If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.
• After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to a Dell EMC Unity array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.
• You might not be able to start the vSphere Replication service on a vCenter Server system and see errors such as Error connecting to proxy: [<FQDN of vCenter Server>, '80'] in the /var/run/log/esxupdate.log on ESXi hosts. The issue occurs when the vSphere Replication Management Server fails to install the vmware-hbr-agent VIB on all ESXi hosts due to an incorrect proxy request header sent by ESXi.
• In certain environments, more than 15 parallel ESXCLI calls might cause a deadlock in the hostd service. As a result, hostd becomes intermittently unresponsive on different ESXi hosts.
• A routine operation to extend a disk on a powered on VM might fail with a message such as Error: The attempted operation cannot be performed in the current state ("Powered on"). The issue occurs in rare cases, when the hostd service might wrongly interpret a simple disk extend request as a request to change the virtual disk backing. As a result, the request fails with an InvalidPowerState error.
• In rare cases, when an NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.
• In rare cases, the vmsyslog service might rotate logs in an older version of the /etc/vmsyslog.conf file. As a result, you see multiple ESXi hosts drop syslog messages.
• The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.
• If a virtual machine has CBT enabled, virtual machines might become unresponsive longer than usual during snapshot operations while VMFS allocates resources to create the change tracking file for the delta disk.
• Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.
• In rare cases, a serial device on a virtual machine might not have a serial<N>.fileName property and the serial<N>.autodetect property to be set to FALSE. As a result, the hostd service might repeatedly fail.
• I/O operations on a software iSCSI adapter might cause a rare race condition inside the iscsi_vmk driver. As a result, ESXi hosts might intermittently fail with a purple diagnostic screen.

ESXi-6.7.0-20220601001s-standard

This patch updates the following issues:

• This release includes mitigations for CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166. For more information on these vulnerabilities including impacted product suites and release lines, please see: VMSA-2022-0016.
• The Expat XML parser is updated to version 2.4.7.
• The SQLite database is updated to version 3.37.2.
• cURL is updated to version 7.81.0.
• The OpenSSL package is updated to version openssl-1.0.2zd.
• The ESXi userworld libxml2 library is updated to version 2.9.13.
• I/O operations on a software iSCSI adapter might cause a rare race condition inside the iscsi_vmk driver. As a result, ESXi hosts might intermittently fail with a purple diagnostic screen.
• windows.iso: VMware Tools 12.0.0 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
• linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.

The following VMware Tools ISO images are available for download:

• VMware Tools 11.0.6:
• windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  
• VMware Tools 10.0.12:
• winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
• linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  
• solaris.iso: VMware Tools image 10.3.10 for Solaris.
• darwin.iso: Supports Mac OS X versions 10.11 and later.

Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

• VMware Tools 12.0.0 Release Notes
• Earlier versions of VMware Tools
• What Every vSphere Admin Must Know About VMware Tools
• VMware Tools for hosts provisioned with Auto Deploy
• Updating VMware Tools

ESXi-6.7.0-20220601001s-no-tools

This patch updates the following issues:

• This release includes mitigations for CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166. For more information on these vulnerabilities including impacted product suites and release lines, please see: VMSA-2022-0016.
• The Expat XML parser is updated to version 2.4.7.
• The SQLite database is updated to version 3.37.2.
• cURL is updated to version 7.81.0.
• The OpenSSL package is updated to version openssl-1.0.2zd.
• The ESXi userworld libxml2 library is updated to version 2.9.13.
• I/O operations on a software iSCSI adapter might cause a rare race condition inside the iscsi_vmk driver. As a result, ESXi hosts might intermittently fail with a purple diagnostic screen.
• windows.iso: VMware Tools 12.0.0 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
• linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.

The following VMware Tools ISO images are available for download:

• VMware Tools 11.0.6:
• windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  
• VMware Tools 10.0.12:
• winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
• linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  
• solaris.iso: VMware Tools image 10.3.10 for Solaris.
• darwin.iso: Supports Mac OS X versions 10.11 and later.

Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

• VMware Tools 12.0.0 Release Notes
• Earlier versions of VMware Tools
• What Every vSphere Admin Must Know About VMware Tools
• VMware Tools for hosts provisioned with Auto Deploy
• Updating VMware Tools

Known Issues

The known issues are grouped as follows.

• vSAN Issues
• Known Issues from Prior Releases

vSAN Issues

• PR 2855671: vSAN disk format upgrade fails, objects not upgrading to version 3

When you upgrade host software from 6.0 to 6.0 Update 2, and the vCenter Server software version is 6.7, vSAN disk format upgrade fails. Objects do not upgrade to version 3. When the error occurs, the vSAN upgrade task fails with an error message such as General vSAN error. Disk format conversion failed due to unexpected error. and the host disk group format version remains unchanged.

Workaround: Upgrade the host software to version 6.5 Express Patch 2 or higher and then upgrade the disk format version.

Known Issues from Prior Releases

To view a list of previous known issues, click here.