Updating VMware tools on ESXi 7.0 host using VMware Lifecycle Manager

There was recent VMware local privilege escalation vulnerability in VMware tools below 11.2.6 and below. See VMware advisors VMSA-2021-0013 (vmware.com).

The vunerablity has been fixed in VMware tools version 11.3

VMware Tools 11.3.0 Release Notes

We needed to update the version of VMware tools running manually as the tools are not currently included in any other of our standard baselines we apply to our hosts.

I decided to do a to a post on how to update the version of VMware tools using VMware Lifecycle manager baseline as it a little bit different than VMware Update Manager.

First we need to go to Lifecycle Manager, open the vSphere web console > Menu > Lifecycle Manager

In Lifecycle manager the tools should be synced as previously in VMware Update Manager the tools need to be manually uploaded.

To quickest way I find to check the latest tools have been synced is by click on image depot and select components.

We could also check under updates and turn off show only rollup updates. (If the tools required a reboot it would show under impact)

Next we will create a baseline to apply the latest tools.

Go to baselines and select new baseline.

Give the baseline a name and select patch

Untick Automatically update this baseline

Untick show only rollup updates and filter for VMware tools, there will probable be a different VMware tools for 6.x and 7.x so check before adding to the baseline.

Click next and complete the baseline creation.

We can check the current tools status by going to the esxi host > Updates > VMware tools and check status.

We can now apply the baseline and run the check again and it should show as out of date.

The baseline can be applied either directly to the ESXi host or to the cluster we will be applying to the cluster as it save time having to apply to each host indiduvally .

Go to the cluster > Updates > attach and select attached baseline.

Select the VMware tools baseline and attach.

Next run a compliance check on the ESXi host.

Check the baseline status.

Next we will remediate the baseline to apply the latest tools.

If there are no issue with the pre-check click remediate.

Once the remediation is done the tools should show as compliant.

Once applied the VM should now pickup that there is a new tools version available.

The tools can now be applied to the VM either using a script, update on reboot or manually.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s