vCenter Server 6.7 Update 3 | AUG 20 2019 | ISO Build 14367737

vCenter Server Appliance 6.7 Update 3 | AUG 20 2019 | ISO Build 14367737

Check for additions and updates to these release notes.

What's New

  • vCenter Server 6.7 Update 3 supports a secure dynamic relationship between the IP address settings of a vCenter Server Appliance and a DNS server. DNS resource records update as soon as any IP address of the vCenter Server Appliance changes. The Dynamic Domain Name Service (DDNS) client on the vCenter Server Appliance also sends automatic secure updates to DNS servers on scheduled intervals. However, such dynamic DNS updates are supported only when the vCenter Server Appliance is joined to an Active Directory domain and you have Administrator privileges.
  • With vCenter Server 6.7 Update 3, you can configure virtual machines and templates with up to four NVIDIA virtual GPU (vGPU) devices to cover use cases requiring multiple GPU accelerators attached to a virtual machine. To use the vMotion vGPU feature, you must set the vgpu.hotmigrate.enabled advanced setting to true and make sure that both your vCenter Server and ESXi hosts are running vSphere 6.7 Update 3.
    vMotion of multi GPU-accelerated virtual machines might fail gracefully under heavy GPU workload due to the maximum switchover time of 100 seconds. To avoid this failure, either increase the maximum allowable switchover time or wait until the virtual machine is performing a less intensive GPU workload.
  • With vCenter Server 6.7 Update 3, you can change the Primary Network Identifier (PNID) of your vCenter Server Appliance. You can change the vCenter Server Appliance FQDN or host name, and also modify the IP address configuration of the virtual machine Management Network (NIC 0). For more information, see this VMware blog post.
  • With vCenter Server 6.7 Update 3, if the overall health status of a vSAN cluster is Red, APIs to configure or extend HCI clusters throw an InvalidState exception to prevent further configuration or extension. This fix aims to resolve situations when mixed versions of ESXi hosts in an HCI cluster might cause a vSAN network partition.
  • vCenter Server 6.7 adds new SandyBridge microcode to the cpu-microcode VIB to bring SandyBridge security up to par with other CPUs and fix per-VM Enhanced vMotion Compatibility (EVC) support. For more information, see VMware knowledge base article 1003212.

Earlier Releases of vCenter Server 6.7

Features and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 6.7 are:

For internationalization, compatibility, installation and upgrade, open source components, and product support notices, see the VMware vCenter Server 6.7 Update 1 Release Notes.

Upgrade Notes for This Release

Upgrade from vCenter Server 6.7 Update 1a to 6.7 Update 3 is not supported. You must first upgrade to vCenter Server 6.7 Update 1b or 6.7 Update 2, and then patch your system to 6.7 Update 3.

Patches Contained in This Release

This release of vCenter Server 6.7 Update 3 delivers the following patches. See the VMware Patch Download Center for more information on downloading patches.

Security Patch for VMware vCenter Server 6.7 Update 3

Third-party product fixes (for example: JRE, tcServer). This patch is applicable for vCenter Server for Windows, Platform Services Controller for Windows, and vSphere Update Manager.

NOTE: This patch updates only the JRE version 8U212 b31.

For vCenter Server and Platform Services Controller for Windows

Download Filename: VMware-VIMPatch-T-6.7.0-14367737.iso
Build: 14367737
Download Size: 40.7 MB
md5sum: a50e2ef2b1da9eac74bf2cc12e3a7b6d
sha1checksum: 8d216b132b8bc1a4dc306bd4a41007b6857ed88e

These vCenter Server components depend on JRE and have to be patched:

  • vCenter Server
  • Platform Services Controller
  • vSphere Update Manager

Download and Installation

You can download this patch by going to the VMware Patch Download Center and choosing VC from the Select a Product drop-down menu. 

  1. Mount the VMware-VIMPatch-T-6.7.0-14367737.iso file to the system where the vCenter Server component is installed.
  2. Double-click ISO_mount_directory/autorun.exe.
  3. In the vCenter Server Java Components Update wizard, click Patch All.

Full Patch for VMware vCenter Server Appliance 6.7 Update 3

Product Patch for vCenter Server Appliance containing VMware software fixes, security fixes, and Third Party Product fixes (for example: JRE and tcServer).

This patch is applicable to the vCenter Server Appliance and Platform Services Controller Appliance.

For vCenter Server and Platform Services Controller Appliances

Download Filename: VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso
Build: 14367737
Download Size: 1980.5 MB
md5sum: 57c943bd8bfd6580a49ca1e58ecdd382
sha1checksum: 7ec1ba261f7bd236803155bad1ec727fa40a63ae
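
Before mounting or attaching either ISO, the download can be checked against the digests published in the two download tables above. The script below is an added example, not part of VMware's release notes or tooling; the function names are illustrative, and the file names and digests are copied from this page.

```python
import hashlib
import hmac
import os
import sys

# File names and digests copied from the download tables in these release notes.
PUBLISHED = {
    "VMware-VIMPatch-T-6.7.0-14367737.iso": {
        "md5": "a50e2ef2b1da9eac74bf2cc12e3a7b6d",
        "sha1": "8d216b132b8bc1a4dc306bd4a41007b6857ed88e",
    },
    "VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso": {
        "md5": "57c943bd8bfd6580a49ca1e58ecdd382",
        "sha1": "7ec1ba261f7bd236803155bad1ec727fa40a63ae",
    },
}


def file_digests(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash the file in one streaming pass so a ~2 GB ISO never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_download(path, expected):
    """Return (ok, mismatches). Every published digest must match."""
    if not expected:
        # Fail closed: nothing to compare against is not a pass.
        return False, ["no published digest to compare against"]
    actual = file_digests(path, tuple(expected))
    mismatches = [
        "%s: expected %s, got %s" % (name, want.strip().lower(), actual[name])
        for name, want in expected.items()
        if not hmac.compare_digest(actual[name], want.strip().lower())
    ]
    return not mismatches, mismatches


def verify_known_iso(path, published=PUBLISHED):
    """Look up the expected digests by file name; unknown names are refused."""
    name = os.path.basename(path)
    if name not in published:
        return False, ["%s: not a file listed in the release notes" % name]
    return verify_download(path, published[name])


if __name__ == "__main__":
    ok, problems = verify_known_iso(sys.argv[1])
    for line in problems:
        print("MISMATCH", line)
    print("OK" if ok else "DO NOT INSTALL")
    sys.exit(0 if ok else 1)
```
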

Download and Installation

You can download this patch by going to the VMware Patch Download Center and choosing VC from the Select a Product drop-down menu.

  1. Attach the VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso file to the vCenter Server Appliance CD or DVD drive.
  2. Log in to the appliance shell with your root credentials and run the commands given below:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

For more information on using the vCenter Server Appliance shells, see VMware knowledge base article 2100508.

For more information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For issues resolved in this patch see Resolved Issues.

For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches.

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server Appliance by Using the Appliance Management Interface.

Resolved Issues

The resolved issues are grouped as follows.

Security Issues
  • Update to the Spring Framework

    The Spring Framework is updated to version 4.3.22.

  • Update to the Apache Tomcat server

    The Apache Tomcat server is updated to version 8.5.38.

  • Upgrade of Eclipse Jetty

    Eclipse Jetty is upgraded to version 9.4.15.v20190215.

  • Update to PostgreSQL

    PostgreSQL is updated to version 9.6.12.

  • Update of the JSON processor package

    The JSON processor package is updated to version 2.9.8.

  • Security vulnerabilities with jQuery version 2.1.4

    The jQuery version 2.1.4 might have security vulnerabilities while performing AJAX calls to Domino agents.

    This issue is resolved in this release. This fix upgrades the versions of jQuery and the jQuery UI.

  • Update to the Apache HTTP Server (httpd)

    Httpd is updated to version 2.4.39 to resolve security issues with identifiers CVE-2019-0211, CVE-2019-2017, and CVE-2019-0215.

  • Update to Apache Struts

    Apache Struts is updated to version 2.5.20.

  • Connecting VMware OVF Tool to a target vCenter Server through a secure web proxy fails

    The OVF Tool supported connections to a vCenter Server target through a regular HTTP proxy but not through a Secure Proxy.

    This issue is resolved in this release. You can connect OVF Tool to a target vCenter Server through a secure web proxy.

  • After the Active Directory server is temporarily inaccessible, the user and group permissions for the Active Directory domain are removed

    vCenter Server regularly validates users and groups against the Windows Active Directory domain. If an identity is removed, the vCenter Server system removes the permissions associated with it. If the Active Directory server is unreachable during the validation process, the vCenter Server system might incorrectly interpret this as removal of all domain users and groups, and might remove the permissions associated with them.

    This issue is resolved in this release. The fix differentiates between a missing identity and no connection.

  • Update to the Network Time Protocol (NTP) daemon

    The NTP daemon is updated to version 4.2.8p13.

  • Update to OpenSSL

    The OpenSSL package is updated to version openssl-1.0.2r.

  • Update to zlib library

    The zlib library is updated to version 1.2.11.

  • Update to cURL

    cURL is updated to version 7.64.1.

  • Update to Photon OS kernel

    Photon OS kernel is updated to version 4.4.182 to resolve security issues with identifiers CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479.

  • Update to JRE

    Oracle (Sun) JRE is updated to version 8U212 b31.

Networking Issues
  • After an API call to an ESXi host, if a transaction element is not removed, the vpxd service might run out of memory

    In some cases, after an API call to an ESXi host, if a transaction element is not removed, the vpxd service might run out of memory. This issue occurs in large deployments with complex traffic filters configured on distributed virtual port groups.

    This issue is resolved in this release.

  • After you revert to a snapshot, the virtual machine NIC might be incorrectly connected to the vSphere Distributed Switch (VDS)

    If you take a snapshot of a virtual machine when the VM NIC is disconnected from a VDS, reverting to that same snapshot might result in the VM NIC getting connected to the VDS automatically.

    This issue is resolved in this release.

  • In complex Active Directory environments, you might fail to log in to the vCenter Server system with a NoPermission error

    In environments with complex or slow Active Directory deployments, the Active Directory users might fail to log in to the vCenter Server system with a NoPermission error.

    This issue is resolved in this release.

  • vSphere Distributed Resource Scheduler (DRS) might incorrectly determine that a cluster is imbalanced

    vSphere DRS might incorrectly determine that a cluster is severely imbalanced when the number of failover and non-failover hosts is nearly equal. As a result, DRS frequently triggers vMotion migrations.

    This issue is resolved in this release. For the fix to take effect, you must set the advanced option ExcludeFailoverHostFromSD to 1, so that any failover hosts are excluded from the calculations that DRS performs to detect whether a cluster is balanced.

vCenter Server, vSphere Web Client, and vSphere Client Issues
  • The Other hard disks section might disappear from the VM Hardware pane in the vSphere Web Client  

    In the vSphere Web Client, when you select a virtual machine from the vCenter Server inventory, you might not see the Other hard disks section in the VM Hardware pane.

    This issue is resolved in this release. 

  • Disk Bay sensors are categorized as Other devices

    In the vSphere Client, vSphere Web Client, and the VMware Host Client, Disk Bay sensors are categorized as Other devices.

    This issue is resolved in this release. The fix categorizes the Disk Bay sensors under the Storage category.

  • Numbering of firewall rules might unexpectedly change if you reorder the rules

    If you create more than 9 firewall rules in a vCenter Server Appliance and change the order, setting a rule with a double-digit numbering among rules with one-digit numbering, the numbering might change. For instance, if you move a rule with number 10, such as 10 RETURN all -- X.X.X.10 anywhere, to position 2, the numbering might change to 2 RETURN all -- X.X.X.10 anywhere.

    This issue is resolved in this release.

Upgrade Issues
  • Upgrades of vCenter Server to 6.7 Update 2 might fail if transaction recovery is enabled

    Upgrades of vCenter Server to 6.7 Update 2 might intermittently fail if transaction recovery is enabled.

    This issue is resolved in this release. 

  • Your SNMP configuration might not be retained after an upgrade of the vCenter Server system

    Your SNMP configuration might not be retained after an upgrade of the vCenter Server system.

    This issue is resolved in this release. The fix adds support for exports of the SNMP configuration during an upgrade in the upgradeRunner process. 

  • vCenter Server upgrades might fail due to an unresolved component dependency

    vCenter Server upgrades from version 6.0.x to 6.7.x might intermittently fail due to an unresolved component dependency. You might see an error similar to eam:Export failed due to missing vpxd_connector.ext file.

    This issue is resolved in this release. 

Virtual Machine Management Issues
  • When you turn on the pair-wise imbalance check, DRS might migrate virtual machines even if the cluster seems balanced

    In vCenter Server 6.0 Update 3 and later, if the advanced DRS option CheckPairwiseImbalance is turned on, when DRS detects pair-wise imbalance between two hosts, it continues to do load balancing by migrating virtual machines between the two hosts, even if the cluster seems balanced. A pair-wise imbalance occurs when any two hosts in the cluster have CPU or memory usage difference bigger than the set threshold, which by default is 20%.

    This issue is resolved in this release.

  • In the vSphere Web Client, you cannot set the CPU limit for virtual machines to Unlimited

    When you deploy virtual machines or edit the settings of virtual machines in the vSphere Web Client, the option Maximum: Unlimited that sets the CPU limit for virtual machines to unlimited is not available.

    This issue is resolved in this release. To use the option Maximum: Unlimited in the vSphere Web Client, right-click on a virtual machine and click Edit Settings. In the Virtual Hardware tab, navigate to CPU > Limit and select Maximum: Unlimited from the drop-down menu.

Storage Issues
  • Standalone First Class Disks are not queried and considered for the recomputation of compliance during datastore tag association changes

    In case of a change in the datastore tag associations, the periodic datastore tag change poller task queries for virtual machine and VMDK entities on a particular datastore. Standalone First Class Disks that are not attached to any virtual machine are not queried and considered. As a result, after tag association changes for a datastore, compliance re-computation is not triggered for standalone First Class Disks.

    This issue is resolved in this release. After a change in the tag associations, the First Class Disks on a datastore are identified and compliance is recomputed for them. 

  • You might fail to upload any type of file to a datastore

    When you try to upload a file to a datastore, the operation might fail. You might see a 0% progress for the task in the Recent Tasks pane.

    This issue is resolved in this release.

  • vSphere Storage Distributed Resource Scheduler (vSphere Storage DRS) might not work properly in environments with linked clone virtual machines

    In environments with linked clone virtual machines or virtual machines that have snapshots, vSphere Storage DRS might not work properly. vSphere Storage DRS might make incorrect recommendations, no recommendations to migrate the virtual machines, or migrate them between two datastores in an infinite loop. When vSphere Storage DRS migrates a linked clone virtual machine, an incorrect calculation of the disk size might also cause a full copy of the base disk to be created.

    This issue is resolved in this release.

  • vSphere Storage DRS fails to generate enough migrations with vMotion during ExpandDisk operations and the reconfiguration for the virtual machine might fail

    During ExpandDisk operations, vSphere Storage DRS recommends the migration of some of the existing virtual machines or disks to another datastore to free resources for the new requested capacity. However, vSphere Storage DRS does not include some of the Storage vMotion actions in the final recommendation. As a result, only a part of the required resources are freed up on the current datastore on which the disk is expanded and the ExpandDisk operation fails with a NoDiskSpace error.

    This issue is resolved in this release.

  • Reports for storage usage of virtual machines stop refreshing within a few hours after an ESXi host boots

    Reports for storage usage of virtual machines might stop refreshing within a few hours after an ESXi host boots. This issue is due to an underflow error in calculating the storage refresh duration, resulting in unusually long wait times instead of the intended 105-135 minute window.

    This issue is resolved in this release. Upgrading to vCenter Server 6.7 Update 3 fixes the timing and re-enables periodic refreshes of storage usage reports.

Miscellaneous Issues
  • In an environment with a heavy workload, the VMware Security Token Service (vmware-stsd) might stop responding and cause login failures

    The vmware-stsd service has a fixed amount of allocated memory in the setenv.sh file but the memory size might be insufficient in an environment with a heavy workload. As a result, the vmware-stsd service might stop responding and cause login failures.

    This issue is resolved in this release. The fix dynamically sets the memory allocation for the vmware-stsd service at the start time, based on the size of the deployment.

Guest OS Issues
  • The application to generate computer names and IP addresses in a guest OS customization process might not work properly

    When you implement an application to generate computer names and IP addresses in a guest OS customization process, the operation might fail with an error: Operation timed out.

    This issue is resolved in this release.

  • Static routes of Red Hat virtual machines might be lost after guest OS customization

    If you configure a Red Hat virtual machine with static routes and do guest OS customization, the routes might be deleted from the customized virtual machine.

    This issue is resolved in this release.

Server Configuration Issues
  • You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system

    The ESXi trust store contains a list of Certificate Authority (CA) certificates that are used to build the chain of trust when an ESXi host is the client in a TLS channel communication. The certificates in the trust store must have the CA bit set: X509v3 Basic Constraints: CA: TRUE. If a certificate without this bit set is passed to the trust store, for example, a self-signed certificate, the certificate is rejected. As a result, you might fail to add an ESXi host to the vCenter Server system.

    This issue is resolved in this release. The fix adds the advanced option Config.HostAgent.ssl.keyStore.allowSelfSigned. If you already face the issue, set this option to TRUE to add a self-signed server certificate to the ESXi trust store.

CLI Issues
  • If during the convergence to a vCenter Server with an embedded Platform Services Controller any certificates or keys in the VMware Endpoint Certificate Store (VECS) contain a forward slash (/), the converge operation fails with an error

    If during the convergence to a vCenter Server with an embedded Platform Services Controller any certificates or keys in the VECS contain a forward slash (/), the converge operation fails with an error in the converge log: Operation failed with error ERROR_FILE_NOT_FOUND.

    This issue is resolved in this release.

CIM and API Issues
  • If you remove an ESXi host that is part of a cluster from the vCenter Server system by using a dcli.com.vmware.vcenter.host.delete REST API, both the host and the parent cluster are removed

    The dcli.com.vmware.vcenter.host.delete REST API removes a standalone ESXi host from the vCenter Server system. However, if an ESXi host is part of a cluster, and you remove the ESXi host from the vCenter Server system by using the dcli.com.vmware.vcenter.host.delete REST API, the parent cluster is also removed from the vCenter Server system.

    This issue is resolved in this release. If you try to remove an ESXi host that is part of a cluster by using the dcli.com.vmware.vcenter.host.delete REST API, an error such as ResourceInUse displays.

Tools Issues
  • The OVF Tool fails with an error during the upload of OVF or ISO files to vCloud Director

    During the upload of OVF or ISO files to vCloud Director, the OVF Tool sends requests with Transfer-Encoding and Content-Length headers together. RFC 7230 defines the rules for the Transfer-Encoding and Content-Length headers. According to RFC 7230, sending both headers is an error condition and the server sends a 400 response: Bad Content-Length. As a result, the OVF Tool fails with an error: Transfer Failed - Error: Failed to send http data.

    This issue is resolved in this release. The fix adds a flag to the OVF Tool, so that the OVF Tool does not send a Content-Length header. When the OVF Tool communicates with vCloud Director, the flag --X:skipContentLength is set to True to make the OVF Tool consistent with RFC 7230.

  • When the flag --noImageFiles is used during an export of a virtual machine or a virtual machine template, the OVF Tool might fail with a segmentation fault

    When you try to export a virtual machine or a virtual machine template with an NVRAM file by using the OVF Tool, and if you use the flag --noImageFiles, the OVF Tool might fail with a segmentation fault. The OVF Tool finds that the ESXi host returns the NVRAM file for the virtual machine or the virtual machine template in the network file copy lease which has the list of files. As a result, the OVF Tool might stop responding due to a discrepancy between the ESXi host and the command line. In the OVF Tool logs, you might see an error message similar to: Could not find any sha digest for ../disk-1.nvram while reading.

    This issue is resolved in this release. The segmentation fault does not occur when you use the flag --noImageFiles. A new --noNvramFile flag is introduced to skip the download of NVRAM files during an import or an export. The existing --noImageFiles flag is used to skip the download of image files such as CD-ROM and floppy.
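
The Transfer-Encoding and Content-Length rule from the first OVF Tool issue above, as an added example (not OVF Tool or vCloud Director code): a strict server-side framing check following RFC 7230 sections 3.2.4 and 3.3.3. The function names, host name and request paths are constructed for illustration, and the check also covers neighbouring cases (conflicting Content-Length values, a final transfer coding other than chunked) beyond the one failure the release note describes.

```python
import re
from collections import namedtuple

Decision = namedtuple("Decision", "accepted framing length reason")


def parse_fields(raw_head):
    """Return the header fields of a request head as (lowercased name, value) pairs."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # RFC 7230 3.2.4: no whitespace between field name and colon; a line
        # starting with whitespace (obsolete folding) is rejected here as well.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip()))
    return fields


def body_framing(raw_head):
    """Decide how the request body is delimited, or reject with a reason (HTTP 400)."""
    try:
        fields = parse_fields(raw_head)
    except ValueError as exc:
        return Decision(False, None, None, str(exc))
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if te and cl:
        # The case from the release note: two framing mechanisms in one message.
        return Decision(False, None, None,
                        "Transfer-Encoding and Content-Length sent together")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return Decision(False, None, None, "final transfer coding is not chunked")
        return Decision(True, "chunked", None, "body is chunk-delimited")
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        only = next(iter(values))
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", only):
            return Decision(False, None, None, "invalid or conflicting Content-Length")
        return Decision(True, "content-length", int(only), "body length is fixed")
    return Decision(True, "none", 0, "request has no body")


def make_head(*lines):
    """Build a constructed request head from text lines."""
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n"


# Constructed sample requests; host and paths are placeholders, not real endpoints.
BOTH_HEADERS = make_head("PUT /transfer/constructed/disk-1.vmdk HTTP/1.1",
                         "Host: vcd.example.test",
                         "Transfer-Encoding: chunked",
                         "Content-Length: 1048576")
CHUNKED_ONLY = make_head("PUT /transfer/constructed/disk-1.vmdk HTTP/1.1",
                         "Host: vcd.example.test",
                         "Transfer-Encoding: chunked")
LENGTH_ONLY = make_head("PUT /transfer/constructed/descriptor.ovf HTTP/1.1",
                        "Host: vcd.example.test",
                        "Content-Length: 4096")

if __name__ == "__main__":
    for label, head in (("both", BOTH_HEADERS), ("chunked", CHUNKED_ONLY),
                        ("length", LENGTH_ONLY)):
        d = body_framing(head)
        print(label, "->", "accept" if d.accepted else "400", "-", d.reason)
```
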

Known Issues

The known issues are grouped as follows.

High Availability Issues
  • Duplicate DNS records after configuring a vCenter Server High Availability environment might interrupt access to the vCenter Server system

    After configuring or patching a vCenter Server High Availability environment followed by a failover, access to the vCenter Server system might be blocked due to duplicate DNS records for the vCenter Server Appliance.

    Workaround: Before patching vCenter Server High Availability environments, clean up duplicate DNS records by following the steps described in VMware knowledge base article 76406.

Convergence Issues
  • Convergence, domain repointing and fresh installation of a vCenter Server Appliance with an embedded Platform Services Controller connected in Embedded Linked Mode might fail with error install.vmafd.vmdir_vdcpromo_error_21

    The following operations might fail with an error similar to: id: install.vmafd.vmdir_vdcpromo_error_21 in the /var/log/firstboot/vmafd-firstboot.py_<PID>_stderr.log file:

    1. Converging instances of vCenter Server Appliance with external Platform Services Controller instances into vCenter Server Appliance with an embedded Platform Services Controller connected in Embedded Linked Mode.
    2. Repointing a vCenter Server with an Embedded Platform Services Controller to a new domain.
    3. Adding a new vCenter Server Appliance with an embedded Platform Services Controller connected in Embedded Linked Mode.

    Workaround: For more information, see VMware knowledge base article 74678.

Upgrade Issues
  • After an upgrade of a vCenter Server system to version 6.7 Update 2, pre-upgrade First Class Disks (FCD) might not be listed in the Global Catalog

    During an upgrade of your vCenter Server system to version 6.7 Update 2, the FCD Global Catalog might pick an ESXi host that is not yet updated to invoke a sync and the sync fails. As a result, the listVStorageObjectForSpec API might not return all FCDs created prior to the upgrade.

    Workaround: After you upgrade all ESXi hosts in the inventory, start syncDatastore API with fullSync set to true.

Storage Issues
  • Incorrect behavior of the backingObjectId and SnapshotInfo fields of VStorageObjectResult

    In non-vSAN datastores, the backingObjectId and SnapshotInfo fields of VStorageObjectResult for a First Class Disk are always set to null.
    In vSAN datastores, when you create a snapshot of a First Class Disk, backingObjectId and SnapshotInfo fields of VStorageObjectResult for the First Class Disk are populated. If the First Class Disk has multiple snapshots, deleting the latest snapshot updates the backingObjectId and SnapshotInfo fields, but deleting older snapshots does not update the fields.

    Workaround: None.

Miscellaneous Issues
  • After updating to vCenter Server 6.7 Update 3, the rsyslog service stops forwarding logs after some time

    After updating a vCenter Server system to 6.7 Update 3, the rsyslog service might stop forwarding logs to the system after a short undefined period of time.

    Workaround: To resume forwarding logs to the configured remote server, restart the syslog service by using the command systemctl restart syslog. For more information, see VMware knowledge base article 75088.

Known Issues from Prior Releases

To view a list of previous known issues, click here.
