VMware ESXi 6.5, Patch Release ESXi650-202403001

Release Date: 05 March, 2024

IMPORTANT:

This patch is only available for Extended Support Customers at https://customerconnect.vmware.com/downloads/#extended_support

What's in the Release Notes

The release notes cover the following topics:

Patch Build Details
Resolved Issues

Build Details

Download Filename:	ESXi650-202403001.zip
Build:	23084120
Download Size:	331.1 MB
md5sum:	d1f815a95cc2ae8d2592fcd5cf72a34f
sha256checksum:	991465ca3e209d2cf8efd15d1d3d25794f293e119496e962d547baf3bca3def1
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Bulletins

Bulletin ID	Category	Severity
ESXi650-202403401-SG	Security	Critical
ESXi650-202403402-SG	Security	Critical

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi 6.5.

Bulletin ID	Category	Severity
ESXi650-202403001	Security	Critical

IMPORTANT: For clusters using VMware vSAN, you must first upgrade the vCenter Server system. Upgrading only ESXi is not supported.
Before an upgrade, always verify in the VMware Product Interoperability Matrix compatible upgrade paths from earlier versions of ESXi, vCenter Server and vSAN to the current version.

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

ESXi-6.5.0-20240304001-standard

ESXi-6.5.0-20240304001-no-tools

For more information about the individual bulletins, see the Download Patches page and the Resolved Issues section.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is by using the VMware vSphere Update Manager. For details, see About Installing and Administering VMware vSphere Update Manager.

ESXi hosts can be updated by manually downloading the patch ZIP file from VMware Customer Connect. Navigate to Products and Accounts > Product Patches. From the Select a Product drop-down menu, select ESXi (Embedded and Installable) and from the Select a Version drop-down menu, select 6.5.0. Install VIBs by using the esxcli software vib update command. Additionally, the system can be updated by using the image profile and the esxcli software profile update command. For more information, see vSphere Command-Line Interface Concepts and Examples and vSphere Upgrade Guide.

Resolved Issues

The resolved issues are grouped as follows.

ESXi650-202403401-SG
ESXi650-202403402-SG

ESXi-6.5.0-20240304001-standard

ESXi-6.5.0-20240304001-no-tools

ESXi650-202403401-SG

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_vsan_6.5.0-3.199.22695722 VMware_bootbank_vsanhealth_6.5.0-3.199.22695723 VMware_bootbank_esx-tboot_6.5.0-3.199.23084120 VMware_bootbank_esx-base_6.5.0-3.199.23084120
PRs Fixed	N/A
Related CVE numbers	CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

This patch updates vsan, vsanhealth, esx-tboot, and esx-base VIBs to resolve the following issue:

This release resolves CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2024-0006.

ESXi650-202403402-SG

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_xhci-xhci_1.0-3vmw.650.3.199.23084120
PRs Fixed	N/A
Related CVE numbers	CVE-2024-22252

Updates the xhci VIB to resolve the following issue:

This release resolves CVE-2024-22252. For more information on this vulnerability and its impact on VMware products, see VMSA-2024-0006.

ESXi-6.5.0-20240304001-standard

Profile Name	ESXi-6.5.0-20240304001-standard
Build	For build information, see the top of the page.
Vendor	VMware by Broadcom, Inc.
Release Date	March 05, 2024
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.5.0-3.199.22695722 VMware_bootbank_vsanhealth_6.5.0-3.199.22695723 VMware_bootbank_esx-tboot_6.5.0-3.199.23084120 VMware_bootbank_esx-base_6.5.0-3.199.23084120 VMW_bootbank_xhci-xhci_1.0-3vmw.650.3.199.23084120
PRs Fixed	N/A
Related CVE numbersN/A	CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

This patch updates the following issue:

This release resolves CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2024-0006.

ESXi-6.5.0-20240304001-no-tools

Profile Name	ESXi-6.5.0-20240304001-no-tools
Build	For build information, see the top of the page.
Vendor	VMware by Broadcom, Inc.
Release Date	March 05, 2024
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.5.0-3.199.22695722 VMware_bootbank_vsanhealth_6.5.0-3.199.22695723 VMware_bootbank_esx-tboot_6.5.0-3.199.23084120 VMware_bootbank_esx-base_6.5.0-3.199.23084120 VMW_bootbank_xhci-xhci_1.0-3vmw.650.3.199.23084120
PRs Fixed	N/A
Related CVE numbers	CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

This patch updates the following issue:

This release resolves CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2024-0006.

Known Issues from Previous Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

Upgrade Issues
vSphere vMotion Issues
Storage Issues

Upgrade Issues

Upgrades to ESXi650-202007001 might fail due to the replacement of an expired digital signing certificate and key
Upgrades to ESXi650-202007001 from some earlier versions of ESXi might fail due to the replacement of an expired digital signing certificate and key. If you use ESXCLI, you see a message Could not find a trusted signer. If you use vSphere Update Manager, you see a message similar to cannot execute upgrade script on host.

Workaround: For more details on the issue and workaround, see VMware knowledge base article 76555.
Upgrades to ESXi 7.x from esxi650-202102001 by using ESXCLI might fail due to a space limitation
Upgrades to ESXi 7.x from esxi650-202102001 by using the esxcli software profile update or esxcli software profile install ESXCLI commands might fail, because the ESXi bootbank might be less than the size of the image profile. In the ESXi Shell or the PowerCLI shell, you see an error such as:
```
 [InstallationError]
 The pending transaction requires 244 MB free space, however the maximum supported size is 239 MB.
 Please refer to the log file for more details.
```
The issue also occurs when you attempt an ESXi host upgrade by using the ESXCLI commands esxcli software vib update or esxcli software vib install.

Workaround: You can perform the upgrade in two steps, by using the esxcli software profile update command to update ESXi hosts to ESXi 6.7 Update 1 or later, and then update to 7.x. Alternatively, you can run an upgrade by using an ISO image and the vSphere Lifecycle Manager.

vSphere vMotion Issues

PR 2467075: Due to unavailable P2M slots during migration by using vSphere vMotion, virtual machines might fail with purple diagnostic screen or power off
Memory resourcing for virtual machines that require more memory, such as 3D devices, might cause an overflow of the P2M buffer during migration by using vSphere vMotion. As a result, shared memory pages break. The virtual machine fails with a purple screen or power off. You might see an error message similar to P2M reservation failed after max retries.

Workaround: Follow the steps described in VMware knowledge base article 76387 to manually configure the P2M buffer.

Storage Issues

PR 2511839: Faulty hardware acceleration implementation on SSDs on a VMFS datastore might lead to VMFS metadata inconsistencies and data integrity issues
VMFS datastores rely on hardware acceleration that the vSphere API for Array Integration provides to achieve zeroing of blocks to isolate virtual machines and promote security. Some SSDs advertise support for hardware acceleration and specifically for the WRITE SAME (Zero) SCSI operation for zeroing blocks. VMFS metadata also relies on blocks being zeroed before use. However, some SSDs do not zero blocks as expected, but complete WRITE SAME requests with GOOD status. As a result, ESXi considers non-zeroed blocks as zeroed, which causes VMFS metadata inconsistencies and data integrity issues. To avoid such data inconsistency issues, that are critical to the normal operation of the vCenter Server system and data availability, WRITE SAME (Zero) operations are disabled by default for local SSDs as of ESX 7.0. As a consequence, certain operations on VMFS datastores might slow down.

Workaround: You can turn on WRITE SAME (Zero) SCSI operations by using the following ESXCLI command:
esxcli storage core device vaai status set -d -Z 1
For example: esxcli storage core device vaai status set -d naa.55cd2e414fb3c242 -Z 1
If you see performance issues with VMFS datastores, confirm with vendors if SSDs with hardware acceleration can actually support WRITE SAME (Zero) SCSI operations.

To collapse the list of previous known issues, click here.