Upgrade path to fix CVE on an ESXi with a Cisco Custom Image

battagls
Level 1

Hello.

In our organization we have Cisco UCS C240 M5S servers with this software installed:

  • Firmware Version: 4.2(3i)
  • ESXi Version: 7.0 Update 3i

Currently the latest custom version of ESXi 7.0 available for download is 7.0 Update 3o (File name: "VMware-ESXi-7.0.3o-22348816-Custom-Cisco-4.3.2-a.1").

Meanwhile, vulnerabilities with high severity have been published: these vulnerabilities are fixed in the ESXi 7.0 Update 3q (no Custom) version. As written earlier the latest Cisco Custom version is Update 3o, which is earlier than the image that fixes the vulnerabilities.

I have read in other threads that it is possible to update an ESXi with Custom Image with a non-Custom image.

At this point my question is, what is the upgrade path I need to follow to fix my ESXi servers?

I was thinking of a path like this:

  1. Update fw: Update firmware from version 4.2(3i) to the latest released, 4.3(2.240053)
  2. Update ESXi: Update ESXi from Cisco Custom version 7.0 Update 3i to non-Custom version 7.0 Update 3q
  3. Update drivers: Update ESXi driver with Cisco Addon for ESXi 7.0 U3o

Based on your experience, do you think this path is correct?

Finally, once I have upgraded the ESXi with a non-Custom version can I upgrade the ESXi with a Custom version?

Thank you.

Regards.

Sergio


Hi there Sergio. You refer to a custom image. There are 2 custom distribution mechanisms for ESXi:

  1. Vendor custom ISO, which can be used for installation only
  2. Vendor custom offline bundle (.zip), which should be used for upgrades.

Are you still using the vLCM baselines and baseline groups (deprecated in vSphere 8.0), or have you switched to vLCM image-based updates (the Cisco vendor add-on)?

Hello.

Thank you for your response.
No, we don't use vLCM: we have few servers in our environment, and last time I did the server upgrade by uploading the ISO via CIMC.
To install this update I was thinking of using the offline bundle (.zip file) by installing the package via the CLI.

Your upgrade plan seems sound. The only change I would make is: if you cannot upgrade server firmware at the same time as drivers and ESXi (e.g. you have the firmware upgrade pending on the next reboot), I would strongly recommend that you upgrade drivers first (with or without ESXi) before upgrading server firmware.

In our experience over the past decade plus, newer drivers with older server firmware do not cause an issue.

What you want to avoid is your scenario, running newer server firmware (e.g. 4.3.x) with drivers that have been certified with 4.2.x server firmware.
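The offline-bundle CLI path discussed above, written out as an added example (not from this thread or from Cisco/VMware): the script dry-runs the profile update before applying it, then installs the Cisco add-on so drivers are current before any firmware change. Bundle paths and the image profile name are placeholders; take the real profile name from `esxcli software sources profile list`.

```shell
#!/bin/sh
# Added example for the ESXi shell (busybox ash, POSIX sh). Paths and the
# profile name below are placeholders, not values from the thread.
set -eu

BUNDLE="/vmfs/volumes/datastore1/VMware-ESXi-7.0U3q-depot.zip"   # placeholder
ADDON="/vmfs/volumes/datastore1/Cisco-UCS-Addon-ESXi-7.0U3o.zip" # placeholder
PROFILE="ESXi-7.0U3q-XXXXXXXX-standard"                            # placeholder

# Build the command as a string so it can be reviewed (and tested) before use.
# 'profile update' keeps VIBs that are not in the target profile (the Cisco
# drivers from the custom image) and only replaces older ones; 'profile install'
# would remove them, which is why update, not install, fits a custom->standard move.
build_profile_update_cmd() {
  # $1 = offline bundle (absolute path), $2 = image profile, $3 = "dry" for --dry-run
  cmd="esxcli software profile update -d $1 -p $2"
  [ "${3:-}" = "dry" ] && cmd="$cmd --dry-run"
  printf '%s' "$cmd"
}

build_addon_cmd() {
  # Cisco add-on offline bundle: updates driver VIBs only.
  printf '%s' "esxcli software vib update -d $1"
}

upgrade_host() {
  # 1. Record what is on the host and what the bundle contains.
  esxcli software profile get
  esxcli software sources profile list -d "$BUNDLE"
  # 2. Dry run: resolves dependencies and lists VIB changes without touching the host.
  eval "$(build_profile_update_cmd "$BUNDLE" "$PROFILE" dry)"
  # 3. Apply with the host in maintenance mode (evacuate or shut down VMs first).
  esxcli system maintenanceMode set --enable true
  eval "$(build_profile_update_cmd "$BUNDLE" "$PROFILE")"
  # 4. Cisco add-on drivers, so drivers are current before server firmware moves to 4.3.x.
  eval "$(build_addon_cmd "$ADDON")"
  # 5. Reboot to activate; afterwards confirm with 'esxcli software profile get'.
  reboot
}

# Only act when explicitly told to; otherwise the file just defines the functions.
[ "${1:-}" = "run" ] && upgrade_host
```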
