Release Date: OCT 24, 2019

Build Details

Download Filename:	ESXi650-201910001.zip
Build:	14874964
Download Size:	320.9 MB
md5sum:	56c9f3ec818ecd92ace80216abf0bd67
sha1checksum:	268be99dbc160a0c36b8234d413223969515e875
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Bulletins

Bulletin ID	Category	Severity
ESXi650-201910401-SG	Security	Important

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi 6.5.

Bulletin ID	Category	Severity
ESXi650-201910001	Security	Important

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

Image Profile Name

ESXi-6.5.0-20191004001-standard

ESXi-6.5.0-20191004001-no-tools

For more information about the individual bulletins, see the Download Patches page and the Resolved Issues section.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is through the VMware vSphere Update Manager. For details, see the About Installing and Administering VMware vSphere Update Manager.

ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Additionally, the system can be updated using the image profile and the esxcli software profile command.

For more information, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.

Resolved Issues

The resolved issues are grouped as follows.

ESXi650-201910401-SG
ESXi-6.5.0-20191004001-standard
ESXi-6.5.0-20191004001-no-tools

ESXi650-201910401-SG

Patch Category	Security
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esx-tboot_6.5.0-3.105.14874964 VMware_bootbank_vsan_6.5.0-3.105.14404766 VMware_bootbank_vsanhealth_6.5.0-3.105.14404767 VMware_bootbank_esx-base_6.5.0-3.105.14874964
PRs Fixed	2374268, 2417371, 2395058
Related CVE numbers	N/A

ESXi contains a denial-of-service vulnerability in the shader functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5536 to this issue. See VMSA-2019-0019 for further information.
PR 2374268: Upgrading NSX-T fails with an error that VSIP filters are not cleared
Upgrading NSX-T might fail with a message similar to Error Exception: VSIP Filters not cleared. In addition, the output of the summarize-dvfilter command is truncated with an exception, such as:
Filters: world 0 <no world> ... port 83886085 vmk50 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid Traceback (most recent call last): File "/sbin/summarize-dvfilter", line 47, in <module> worldName = vmware.vsi.get(os.path.join('/world', worldID, 'name')) Exception: Invalid world
The issue is due to stale container filters that remain after migrating virtual machines by using vSphere vMotion.

This issue is resolved in this release.
PR 2417371: ESXi 6.5 Update 3 hosts take long to complete tasks such as exit maintenance mode
In some cases, ESXi hosts running ESXi 6.5 Update 3 might take long to complete tasks such as entering or exiting maintenance mode or connecting to a vCenter Server system. The delay in response might take up to 30 min. This happens when the CIM service tries to refresh periodically the storage and numeric sensors data under a common lock, causing the hostd threads to wait for response.

This issue is resolved in this release. The fix uses a different lock to refresh the sensors data for the CIM service to avoid other threads from waiting for the common lock to get released.

ESXi-6.5.0-20191004001-standard

Profile Name	ESXi-6.5.0-20191004001-standard
Build	For build information, see the top of the page.
Vendor	VMware, Inc.
Release Date	October 24, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-tboot_6.5.0-3.105.14874964 VMware_bootbank_vsan_6.5.0-3.105.14404766 VMware_bootbank_vsanhealth_6.5.0-3.105.14404767 VMware_bootbank_esx-base_6.5.0-3.105.14874964
PRs Fixed	2374268, 2417371, 2395058
Related CVE numbers	N/A

This patch updates the following issues:
- ESXi contains a denial-of-service vulnerability in the shader functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5536 to this issue. See VMSA-2019-0019 for further information.
- Upgrading NSX-T might fail with a message similar to Error Exception: VSIP Filters not cleared. In addition, the output of the summarize-dvfilter command is truncated with an exception, such as:
  Filters: world 0 <no world> ... port 83886085 vmk50 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid Traceback (most recent call last): File "/sbin/summarize-dvfilter", line 47, in <module> worldName = vmware.vsi.get(os.path.join('/world', worldID, 'name')) Exception: Invalid world
  The issue is due to stale container filters that remain after migrating virtual machines by using vSphere vMotion.
- In some cases, ESXi hosts running ESXi 6.5 Update 3 might take long to complete tasks such as entering or exiting maintenance mode or connecting to a vCenter Server system. The delay in response might take up to 30 min. This happens when the CIM service tries to refresh periodically the storage and numeric sensors data under a common lock, causing the hostd threads to wait for response.

ESXi-6.5.0-20191004001-no-tools

Profile Name	ESXi-6.5.0-20191004001-no-tools
Build	For build information, see the top of the page.
Vendor	VMware, Inc.
Release Date	October 24, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-tboot_6.5.0-3.105.14874964 VMware_bootbank_vsan_6.5.0-3.105.14404766 VMware_bootbank_vsanhealth_6.5.0-3.105.14404767 VMware_bootbank_esx-base_6.5.0-3.105.14874964
PRs Fixed	2374268, 2417371, 2395058
Related CVE numbers	N/A

This patch updates the following issues:
- ESXi contains a denial-of-service vulnerability in the shader functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5536 to this issue. See VMSA-2019-0019 for further information.
- Upgrading NSX-T might fail with a message similar to Error Exception: VSIP Filters not cleared. In addition, the output of the summarize-dvfilter command is truncated with an exception, such as:
  Filters: world 0 <no world> ... port 83886085 vmk50 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid Traceback (most recent call last): File "/sbin/summarize-dvfilter", line 47, in <module> worldName = vmware.vsi.get(os.path.join('/world', worldID, 'name')) Exception: Invalid world
  The issue is due to stale container filters that remain after migrating virtual machines by using vSphere vMotion.
- In some cases, ESXi hosts running ESXi 6.5 Update 3 might take long to complete tasks such as entering or exiting maintenance mode or connecting to a vCenter Server system. The delay in response might take up to 30 min. This happens when the CIM service tries to refresh periodically the storage and numeric sensors data under a common lock, causing the hostd threads to wait for response.

Known Issues from Previous Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

Miscellaneous Issues

Miscellaneous Issues

Мanually triggering a non-maskable interrupt (NMI) might not work оn a vCenter Server system with an AMD EPYC 7002 series processor
Requesting an NMI from the hardware management console (BMC) or by pressing a physical NMI button should cause ESXi hosts to fail with a purple diagnostic screen and dump core. Instead, nothing happens and ESXi continues running.

Workaround: Disable the use of the interrupt remapper by setting the kernel boot option iovDisableIR to TRUE:
1. Set iovDisableIR=TRUE by using this command: # esxcli system settings kernel set -s iovDisableIR -v TRUE
2. Reboot the ESXi host.
3. After the reboot, verify that iovDisableIR is set to TRUE: # esxcli system settings kernel list |grep iovDisableIR.
Do not apply this workaround unless you need it to solve this specific problem.
A virtual machine that has a PCI passthrough device assigned to it might fail to power on in a vCenter Server system with an AMD EPYC 7002 series processor
In specific vCenter Server system configurations and devices, such as AMD EPYC 7002 series processors, a virtual machine that has a PCI passthrough device assigned to it might fail to power on. In the vmkernel log, you can see a similar message:
4512 2019-08-06T06:09:55.058Z cpu24:1001397137)AMDIOMMU: 611: IOMMU 0000:20:00.2: Failed to allocate IRTE for IOAPIC ID 243 vector 0x3f 4513 2019-08-06T06:09:55.058Z cpu24:1001397137)WARNING: IOAPIC: 1238: IOAPIC Id 243: Failed to allocate IRTE for vector 0x3f

Workaround: Disable the use of the interrupt remapper by setting the kernel boot option iovDisableIR to TRUE:
1. Set iovDisableIR=TRUE by using this command: # esxcli system settings kernel set -s iovDisableIR -v TRUE
2. Reboot the ESXi host.
3. After the reboot, verify that iovDisableIR is set to TRUE: # esxcli system settings kernel list |grep iovDisableIR.
Do not apply this workaround unless you need it to solve this specific problem.

To collapse the list of previous known issues, click here.