times

ESXi 7.0 Update 3f | 12 JUL 2022 | ISO Build 20036589

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New
Earlier Releases of ESXi 7.0
Patches Contained in this Release
Resolved Issues
Known Issues
Known Issues from Previous Releases

IMPORTANT: If your source system contains hosts of versions between ESXi 7.0 Update 2 and Update 3c, and Intel drivers, before upgrading to ESXi 7.0 Update 3f, see the What's New section of the VMware vCenter Server 7.0 Update 3c Release Notes, because all content in the section is also applicable for vSphere 7.0 Update 3f. Also, see the related VMware knowledge base articles: 86447, 87258, and 87308.

What's New

This release resolves CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, and CVE-2022-29901. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0020.
ESXi 7.0 Update 3f supports vSphere Quick Boot on the following servers:
- Cisco Systems Inc:
  - UCSC-C220-M6N
  - UCSC-C225-M6N
  - UCSC-C240-M6L
  - UCSC-C240-M6N
  - UCSC-C240-M6SN
  - UCSC-C240-M6SX
- Dell Inc:
  - PowerEdge XR11
  - PowerEdge XR12
  - PowerEdge XE8545
- HPE:
  - Edgeline e920
  - Edgeline e920d
  - Edgeline e920t
  - ProLiant DL20 Gen10 Plus
  - ProLiant DL110 Gen10 Plus
  - ProLiant ML30 Gen10 Plus
- Lenovo:
  - ThinkSystem SR 860 V2

Earlier Releases of ESXi 7.0

New features, resolved, and known issues of ESXi are described in the release notes for each release. Release notes for earlier releases of ESXi 7.0 are:

For internationalization, compatibility, and open source components, see the VMware vSphere 7.0 Release Notes.

Patches Contained in This Release

This release of ESXi 7.0 Update 3f delivers the following patches:

Build Details

Download Filename:	VMware-ESXi-7.0U3f-20036589-depot
Build:	20036589
Download Size:	575.2 MB
md5sum:	8543deb5d6d71bc7cc6d6c21977b1181
sha256checksum:	b4cd253cbc28abfa01fbe8e996c3b0fd8b6be9e442a4631f35616eb34e9e01e9
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Components

Component	Bulletin	Category	Severity
ESXi Component - core ESXi VIBs	ESXi_7.0.3-0.50.20036589	Bugfix	Critical
ESXi Install/Upgrade Component	esx-update_7.0.3-0.50.20036589	Bugfix	Critical
Broadcom NetXtreme-E Network and ROCE/RDMA Drivers for VMware ESXi	Broadcom-bnxt-Net-RoCE_216.0.0.0-1vmw.703.0.50.20036589	Bugfix	Critical
Network driver for Intel(R) E810 Adapters	Intel-icen_1.4.1.20-1vmw.703.0.50.20036589	Bugfix	Critical
Network driver for Intel(R) X722 and E810 based RDMA Adapters	Intel-irdman_1.3.1.22-1vmw.703.0.50.20036589	Bugfix	Critical
VMware Native iSER Driver	VMware-iser_1.1.0.1-1vmw.703.0.50.20036589	Bugfix	Critical
Broadcom Emulex Connectivity Division lpfc driver for FC adapters	Broadcom-ELX-lpfc_14.0.169.26-5vmw.703.0.50.20036589	Bugfix	Critical
LSI NATIVE DRIVERS LSU Management Plugin	Broadcom-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589	Bugfix	Critical
Networking Driver for Intel PRO/1000 Family Adapters	Intel-ne1000_0.9.0-1vmw.703.0.50.20036589	Bugfix	Critical
USB Driver	VMware-vmkusb_0.1-7vmw.703.0.50.20036589	Bugfix	Critical
ESXi Component - core ESXi VIBs	ESXi_7.0.3-0.45.20036586	Security	Critical
ESXi Install/Upgrade Component	esx-update_7.0.3-0.45.20036586	Security	Critical
VMware-VM-Tools	VMware-VM-Tools_12.0.0.19345655-20036586	Security	Critical

IMPORTANT:

Starting with vSphere 7.0, VMware uses components for packaging VIBs along with bulletins. The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching.
When patching ESXi hosts by using VMware Update Manager from a version prior to ESXi 7.0 Update 2, it is strongly recommended to use the rollup bulletin in the patch baseline. If you cannot use the rollup bulletin, be sure to include all of the following packages in the patching baseline. If the following packages are not included in the baseline, the update operation fails:
- VMware-vmkusb_0.1-1vmw.701.0.0.16850804 or higher
- VMware-vmkata_0.1-1vmw.701.0.0.16850804 or higher
- VMware-vmkfcoe_1.0.0.2-1vmw.701.0.0.16850804 or higher
- VMware-NVMeoF-RDMA_1.0.1.2-1vmw.701.0.0.16850804 or higher

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes after the initial release of ESXi 7.0.

Bulletin ID	Category	Severity	Details
ESXi70U3f-20036589	Bugfix	Critical	Security and Bugfix
ESXi70U3sf-20036586	Security	Critical	Security only

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

Image Profile Name

ESXi-7.0U3f-20036589-standard

ESXi-7.0U3f-20036589-no-tools

ESXi-7.0U3sf-20036586-standard

ESXi-7.0U3sf-20036586-no-tools

ESXi Image

Name and Version	Release Date	Category	Detail
ESXi70U3f-20036589	12 JUL 2022	Bugfix	Security and Bugfix image
ESXi70U3sf-20036586	12 JUL 2022	Security	Security only image

For information about the individual components and bulletins, see the Product Patches page and the Resolved Issues section.

Patch Download and Installation

In vSphere 7.x, the Update Manager plug-in, used for administering vSphere Update Manager, is replaced with the Lifecycle Manager plug-in. Administrative operations for vSphere Update Manager are still available under the Lifecycle Manager plug-in, along with new capabilities for vSphere Lifecycle Manager.
The typical way to apply patches to ESXi 7.x hosts is by using the vSphere Lifecycle Manager. For details, see About vSphere Lifecycle Manager and vSphere Lifecycle Manager Baselines and Images.
You can also update ESXi hosts without using the Lifecycle Manager plug-in, and use an image profile instead. To do this, you must manually download the patch offline bundle ZIP file from VMware Customer Connect. From the Select a Product drop-down menu, select ESXi (Embedded and Installable) and from the Select a Version drop-down menu, select 7.0. For more information, see the Upgrading Hosts by Using ESXCLI Commands and the VMware ESXi Upgrade guide.

Resolved Issues

The resolved issues are grouped as follows.

ESXi_7.0.3-0.50.20036589
esx-update_7.0.3-0.50.20036589
Broadcom-bnxt-Net-RoCE_216.0.0.0-1vmw.703.0.50.20036589
Broadcom-ELX-lpfc_14.0.169.26-5vmw.703.0.50.20036589
Broadcom-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589
Intel-icen_1.4.1.20-1vmw.703.0.50.20036589
Intel-irdman_1.3.1.22-1vmw.703.0.50.20036589
Intel-ne1000_0.9.0-1vmw.703.0.50.20036589
VMware-iser_1.1.0.1-1vmw.703.0.50.20036589
VMware-vmkusb_0.1-7vmw.703.0.50.20036589
ESXi_7.0.3-0.45.20036586
esx-update_7.0.3-0.45.20036586
VMware-VM-Tools_12.0.0.19345655-20036586
ESXi-7.0U3f-20036589-standard
ESXi-7.0U3f-20036589-no-tools
ESXi-7.0U3sf-20036586-standard
ESXi-7.0U3sf-20036586-no-tools
ESXi Image - ESXi70U3f-20036589
ESXi Image - ESXi70U3sf-20036586

ESXi_7.0.3-0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esxio-combiner_7.0.3-0.50.20036589 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_esx-xserver_7.0.3-0.50.20036589 VMware_bootbank_cpu-microcode_7.0.3-0.50.20036589 VMware_bootbank_trx_7.0.3-0.50.20036589 VMware_bootbank_vsanhealth_7.0.3-0.50.20036589 VMware_bootbank_esx-base_7.0.3-0.50.20036589 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.50.20036589 VMware_bootbank_gc_7.0.3-0.50.20036589 VMware_bootbank_native-misc-drivers_7.0.3-0.50.20036589 VMware_bootbank_bmcal_7.0.3-0.50.20036589 VMware_bootbank_vsan_7.0.3-0.50.20036589 VMware_bootbank_vdfs_7.0.3-0.50.20036589 VMware_bootbank_crx_7.0.3-0.50.20036589
PRs Fixed	2916848, 2817702, 2937074, 2957732, 2984134, 2944807, 2985369, 2907963, 2949801, 2984245, 2911320 , 2915911, 2990593, 2992648, 2905357, 2980176, 2974472, 2974376, 2972059, 2973031, 2967359, 2860126, 2878245, 2876044, 2968157, 2960242, 2970238, 2966270, 2966783, 2963328, 2939395, 2966362, 2946550, 2958543, 2966628, 2961584, 2911056, 2965235, 2952427, 2963401, 2965146, 2963038, 2963479, 2949375, 2961033, 2958926, 2839515, 2951139, 2878224, 2954320, 2952432, 2961346, 2857932, 2960949, 2960882, 2957966, 2929443, 2956080, 2959293, 2944919, 2948800, 2928789, 2957769, 2928268, 2957062, 2792139, 2934102, 2953709, 2950686, 2953488, 2949446, 2955016, 2953217, 2956030, 2949902, 2944894, 2944521, 2911363, 2952205, 2894093, 2910856, 2953754, 2949777, 2925733, 2951234, 2915979, 2904241, 2935355, 2941263, 2912661, 2891231, 2928202, 2928268, 2867146, 2244126, 2912330, 2898858, 2906297, 2912213, 2910340, 2745800, 2912182, 2941274, 2912230, 2699748, 2882789, 2869031, 2913017, 2864375, 2925133, 2965277
CVE numbers	N/A

The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching.
Updates the esxio-combiner, esx-ui, esx-xserver, cpu-microcode, trx, vsanhealth, esx-base, esx-dvfilter-generic-fastpath, gc, native-misc-drivers, bmcal, vsan, vdfs, and crx VIBs to resolve the following issues:

NEW: PR 2965277: Windows virtual machines with nested virtualization support that have Virtualization-Based Security (VBS) enabled might show up to 100% CPU utilization
Under certain conditions, such as increasing page-sharing or disabling the use of large pages at VM or ESXi host level, you might see CPU utilization of Windows VBS-enabled VMs to reach up to 100%.

This issue is resolved in this release. The fix prevents page-sharing in some specific cases to avoid the issue.
PR 2839515: Python SDK (pyVmomi) call to EnvironmentBrowser.QueryConfigOptionEx fails with UnknownWsdlTypeError
pyVmomi calls to the vSphere EnvironmentBrowser.QueryConfigTargetEx API might fail with UnknownWsdlTypeError.

This issue is resolved in this release.
PR 2911320: You see status Unknown for sensors of type System Event in the hardware health monitoring screen in the vSphere Client
The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.

This issue is resolved in this release.
PR 2910340: If a virtual machine with vmx.reboot.powerCycle=TRUE reboots during migration, it might not power on
If you you set the vmx.reboot.powerCycle advanced setting on a virtual machine to TRUE, when the guest OS initiates a reboot, the virtual machine powers off and then powers on. However, if a power cycle occurs during a migration by using vSphere vMotion, the operation fails and the virtual machine on the source host might not power back on.

This issue is resolved in this release.
PR 2916848: ESXi hosts might fail with a purple diagnostic screen due to a data race in UNIX domain sockets
If a socket experiences a connection failure while it is polled during the internal communication between UNIX domain sockets, a data race might occur. As a result, in some cases, the ESXi host might access an invalid memory region and fail with a purple diagnostic screen with #PF Exception 14, and errors such as UserDuct_PollSize() and UserSocketLocalPoll().

This issue is resolved in this release.
PR 2891231: You cannot create a host profile from an ESXi host that uses a hardware iSCSI adapter with pseudo NIC
If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.

This issue is resolved in this release. For pseudo NICs, the fix removes the requirement for PCI address and PCI vendor name values.
PR 2898858: Virtual machines might become unresponsive due to underlying storage issues on a software iSCSI adapter
Race conditions in the iscsi_vmk driver might cause stuck I/O operations or heartbeat timeouts on a VMFS datastore. As a result, you might see some virtual machines become unresponsive.

This issue is resolved in this release.
PR 2792139: Throughput with software iSCSI adapters is limited due to hardcoded send and receive buffer sizes
Throughput with software iSCSI adapters is limited due to hardcoded send and receive buffer sizes, 600 KB for send and 256 KB for receive buffer, respectively. As a result, the performance of the iscsi_vmk adapter is not optimal.

This issue is resolved in this release. The fix makes the send and receive buffer sizes for iSCSI connections adjustable parameters. You can set the send buffer size by using the ESXCLI command esxcli system settings advanced set -o /ISCSI/SocketSndBufLenKB -i <your size> with a limit of 6144 KB. You can set the receive buffer size by using the command esxcli system settings advanced set -o /ISCSI/SocketRcvBufLenKB -i <your size> with a limit of 6144 KB.
PR 2904241: Virtual machines with enabled NVIDIA virtual GPU (vGPU) might not destroy all multi-instance GPU resources during VM power off
When multiple NVIDIA vGPU VMs power off simultaneously, occasionally some multi-instance GPU (MIG) resources are not destroyed. As a result, subsequent vGPU VM power on might fail due to the residual MIG resources.

This issue is resolved in this release.
PR 2944894: Virtual machines on NFSv4.1 datastores become unresponsive for few seconds during storage failover
In rare cases, when a NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.

This issue is resolved in this release. The fix reduces wait time for recovery during storage failover.
PR 2916980: An ESXi host might fail with a purple diagnostic screen due to packet completion on a different portset
In rare occasions, packet completion might not happen on the original port or portset, but on a different portset, which causes a loop that could corrupt the packet list with an invalid pointer. As a result, an ESXi host might fail with a purple diagnostic screen. In the logs, you see an error such as PF Exception 14 in world 61176327:nsx.cp.tx IP 0xxxxxx addr 0x3c.

This issue is resolved in this release.
PR 2925733: In the vSphere API, the memoryRangeLength field of NumaNodeInfo does not always count all memory in the associated ESXi host NUMA node
The memory in an ESXi host NUMA node might consist of multiple physical ranges. In ESXi releases earlier than 7.0 Update 3f, the memoryRangeBegin, memoryRangeLength field pair in NumaNodeInfo gives the starting host physical address and the length of one range in the NUMA node, ignoring any additional ranges.

This issue is resolved in this release. The memoryRangeLength field is set to the total amount of memory in the NUMA node, summed across all physical ranges. The memoryRangeBegin field is set to 0, because this information is not meaningful in case of multiple ranges.
PR 2932736: If you enable fast path on the High-Performance Plug-in (HPP) for 512e Software Emulated 4KN devices, I/Os might fail
If you enable fast path on HPP for 512e Software Emulated 4KN devices, it does not work as expected, because the fast path does not handle Read-Modify-Write(R-M-W), which must use slow path. The use of fast path on 4KN devices is not supported.

This issue is resolved in this release. The fix makes sure that even if the fast path is enabled for a 512e Software Emulated 4KN devices, the setting is ignored, and I/Os take the slow path.
PR 2860126: Deleting snapshots of large virtual disks might temporarily freeze a running VM
If you have a running VM with virtual disks larger than 1TB and you delete a snapshot of the disks on this VM, the VM might freeze for seconds or even minutes. The VM ultimately recovers but VM workloads might experience outages. The issue occurs because the delete operation triggers snapshot consolidation in the background that causes the delay. The issue is more likely to occur on slower storage, such as NFS.

This issue is resolved in this release.
PR 2875070: ESXi hosts might fail with a purple diagnostic screen due to mishandling DVFilter packets
DVFilter packets might incorrectly be transferred to a network port, where the packet completion code fails to run. As a result, ESXi hosts fail with a purple diagnostic screen and the error PF Exception 14 Vmxnet3VMKDevTxCompleteOne E1000DevTxCompleteOneWork.

This issue is resolved in this release.
PR 2883317: Virtual machines might intermittently lose connectivity due to a rare issue with the distributed firewall (DFW)
In rare cases, DFW might send a packet list to the wrong portset. As a result, the VMkernel service might fail and virtual machines lose connectivity. In the vmkernel.log file, you see errors such as:
2021-09-27T04:29:53.170Z cpu84:xxxx)NetPort: 206: Failure: lockModel[0] vs psWorldState->lockModel[0] there is no portset lock holding.

This issue is resolved in this release.
PR 2944521: You cannot rename devices claimed by the High-Performance Plug-in (HPP)
Starting from vSphere 7.0 Update 2, HPP becomes the default plug-in for local NVMe and SCSI devices, and replaces the ESX Native Multipathing Plug-in (NMP). However, in some environments, the change from NMP to HPP makes some properties of devices claimed by HPP, such as Display Name, inaccessible.

This issue is resolved in this release.
PR 2945697: You might see outdated path states to ALUA devices on an ESXi host
In an ALUA target, if the target port group IDs (TPGIDs) are changed for a LUN, the cached device identification response that SATP uses might not update accordingly. As a result, ESXi might not reflect the correct path states for the corresponding device.

This issue is resolved in this release
PR 2946036: RTPG for all paths to a volume reports the same ALUA access state for devices registered by using NVMe-SCSI translation on a LUN
If you use the NVMe-SCSI translation stack to register NVMe devices in your system, the targetPortGroup and relativeTargetPortId properties get a controller ID of 0 for all paths. As a result, an RTPG command returns the same ALUA access state for all the paths of the namespace, because every path tpgID matches the first descriptor, which is 0.

This issue is resolved in this release. In case you use third-party plug-ins, if no tpgID for the path is present in the tpg descriptors (which is a blank ANA page for the controller), you must run the RTPG command on that particular path to populate the ANA page for that controller and to get the tpg descriptor and ALUA state for the path.
PR 2943674: vSAN File Service health check has warning after AD user domain password change: File server not found
If the password for the File Service administrator is changed on the Active Directory server, the password in the vSAN File Service domain configuration might not match. If the passwords do not match or if the account is locked, some file shares might be inaccessible. vSAN health service shows the following warning: File Service: File server not found.

This issue is resolved in this release.
PR 2944919: You see virtual machine disks (VMDK) with stale binding in vSphere Virtual Volumes datastores
When you reinstall an ESXi host after a failure, since the failed instance never reboots, stale bindings of VMDKs remain intact on the VASA provider and vSphere Virtual Volumes datastores. As a result, when you reinstall the host, you cannot delete the VMDKs due to the existing binding. Over time, many such VMDKs might accrue and consume idle storage space.

This issue is resolved in this release. However, you must contact VMware Global Support Services to implement the task.
PR 2912213: The hostd service might repeatedly fail on virtual machines with serial devices with no fileName property and serial.autodetect property set to FALSE
In rare cases, a serial device on a virtual machine might not have a serial<N>.fileName property and the >serial<N>.autodetect property to be set to FALSE. As a result, the hostd service might repeatedly fail.

This issue is resolved in this release.
PR 2951234: If you set an option of the traffic shaping policy switch or port group level with a size larger than 2147483 Kbps, settings are not saved
In the vSphere Client, if you set any of the traffic shaping options, such as Average Bandwidth, Peak Bandwidth or Burst Size, to a value larger than 2147483 Kbps, the settings are not kept.

This issue is resolved in this release.
PR 2945707: vSphere vMotion operations fail after upgrade to ESXi 7.x for environments configured with vSphere APIs for Array Integration (VAAI) for Network-attached Storage (NAS)
Due to the low default number of file descriptors, some features such as vSphere vMotion might fail in VAAI for NAS environments after upgrade to ESXi 7.x, due to the insufficient number of vmdk files that can be operated simultaneously. You see errors such as Too many open files in the vaai-nas daemon logs in the syslog.log file.

This issue is resolved in this release. The default number of file descriptors is up to the maximum 64,000 from the current 256.
PR 2952427: Virtual machines might become unresponsive due to a rare deadlock issue in a VMFS6 volume
In rare cases, if a write I/O request runs in parallel with an unmap operation triggered by the guest OS on a thin-provisioned VM, a deadlock might occur in a VMFS6 volume. As a result, virtual machines on this volume become unresponsive.

This issue is resolved in this release.
PR 2876044: vSphere Storage vMotion or hot-add operations might fail on virtual machines with virtual memory size of more than 300 GB
During vSphere Storage vMotion or hot-add operations on a virtual machine with more than 300 GB of memory, the switchover time can approach 2 minutes that causes a timeout failure.

This issue is resolved in this release.
PR 2952003: During boot, iSCSI configurations might fail to restore and you do not see some LUNs or datastores after the boot
If you do not remove port binding after you delete a VMkernel NIC that is bound to an iSCSI adapter, the stale port binding might cause issues after an ESXi host reboot. During boot, binding of the non-existing VMkernel NIC to the iSCSI adapter fails and iSCSI configurations cannot restore during the boot. As a result, after the reboot completes, you might not see some LUNs or datastores.

This issue is resolved in this release.
PR 2957062: NFSv4.1 datastore remains in Inaccessible state after storage failover
After a storage failover, the ESXi NFSv4.1 client might falsely identify the NFS server to be a different entity and skip recovery. As a result, the NFSv4.1 datastore remains in Inaccessible state.

This issue is resolved in this release. The fix makes sure the NFSv4.1 client identify the NFS server after a failover.
PR 2961033: If an NVMe device reports a critical warning, initialization on ESXi fails and the device goes offline
In some cases, such as temperature exceeding the threshold, an NVMe device might report a critical warning and the ESXi NVMe controller does not register the device, and puts it offline.

This issue is resolved in this release. The fix makes sure that NVMe devices register with the ESXi NVMe controller regardless of critical warnings. If the device is in a bad state, and not a transient state such as high temperature, the firmware of the NVMe controller must send appropriate error codes during an I/O admin command processing.
PR 2928202: You cannot access some shares in the vSAN file service and see warnings from the VDFS daemon
A rare issue when the used block cache exceeds the reserved cache might cause reservation issues in the vSAN file service. As a result, you cannot reach some file shares and the health check shows the error VDFS daemon is not running. In the vdfsd-server log, you see errors such as:
PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:621
PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:626

This issue is resolved in this release.
PR 2949902: OVF files might unexpectedly be modified and virtual machines cannot be imported
In rare cases, background search queries executed by vCenter Server on an ESXi host with access to the vmdk files of virtual machines exported to an OVF format might accidentally modify the files. As a result, you cannot import the virtual machines.

This issue is resolved in this release.
PR 2963401: You cannot add a multipathing PSA claim rule by using the JumpStart tool
Due to a component load issue, adding a multipathing PSA claim rule to the set of claim rules on a vCenter Server system by using the JumpStart tool might fail.

This issue is resolved in this release. The fix makes sure all required components load to enable the use of the JumpStart tool.
PR 2965235: LUN trespasses might occur on Asymmetric Logical Unit Access (ALUA) arrays upon shutdown or booting of ESXi 7.x hosts
After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to an ALUA array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.

This issue is resolved in this release. The fix adds a check before activating the last path on the target during the shutdown phase to prevent LUN trespassing.
PR 2966783: ESXi host might fail with a purple diagnostic screen due to a rare issue with memory allocation failure by PSA
In rare cases, when an ESXi host is under memory pressure, PSA does not handle memory allocation failures gracefully. As a result, the ESXi host might fail with a purple diagnostic screen with an error such as #PF Exception 14 in world 2098026:SCSI path sc IP / SCSI path scan helpers.

This issue is resolved in this release.
PR 2984134: If a virtual machine reboots while a snapshot is deleted, the VM might fail with a core dump
If a running virtual machine reboots during a snapshot deletion operation, the VM disks might be incorrectly reopened and closed during the snapshot consolidation. As a result, the VM might fail. However, this is timing issue and occurs accidentally.

This issue is resolved in this release.
PR 2929443: Mounting VMFS6 datastores with enabled clustered VMDK support might randomly fail
During device discovery, a reservation conflict might cause ATS to be wrongly reported as not supported and due to this, ESXi uses SCSI-2 reservation instead of ATS. As a result, mounting VMFS6 datastores with enabled clustered VMDK support might randomly fail.

This issue is resolved in this release.
PR 2957732: vSAN file service servers cannot boot after host UUID change
Some operations can change the host UUID. For example, if you reinstall ESXi software or move the host across clusters, the host UUID might change. If the host UUID changes during vSAN file service downtime, then vSAN file service servers cannot boot.

This issue is resolved in this release.
PR 2955688: vSAN file service might not work as expected after it is disabled and reenabled
If you disable the vSAN file service with no existing file shares, vSAN removes the file service domain. A removal failure of one server might interrupt the process, and leave behind some metadata. When you reenable the file service, the old metadata might cause the file service to not work as expected.

This issue is resolved in this release.
PR 2965146: The IMPLICIT TRANSITION TIME value returned from the SCSI Report Target Port Groups command might not be correct
The Report Target Port Groups command might return a wrong value in the IMPLICIT TRANSITION TIME field, which affects the SCSI to NVMe translation layer. In cases such as multi appliance migration, the time for ALUA transition is critical for some multipathing software, for example PowerPath, to perform correct operations.

This issue is resolved in this release.
PR 2992648: High latencies observed after reboot or disk group remount
Small-sized pending unmaps might be blocked when you reboot a host or remount a disk group. The pending unmaps can cause log congestion which leads to I/O latency.

This issue is resolved in this release.
PR 2964856: Path to the /productLocker directory on a datastore truncates after patching ESXi 7.x
After the first upgrade or update of your system to ESXi 7.x, with each consecutive update, also called a patch, you might see a truncation in the path to the /productLocker directory on a datastore. For example, if your first patch on ESXi 7.x is from 7.0 Update 2 to 7.0 Update 3, the path to the /productLocker directory originally is similar to /vmfs/volumes/xxx/VMware-Tools/productLocker/. However, for each consecutive patch, for example from 7.0 Update 3 to 7.0 Update 3c, the path becomes similar to /VMware-Tools/productLocker/.

This issue is resolved in this release.
PR 2963038: Inaccessible object on vSAN stretched or two-node cluster
In a vSAN stretched cluster or two-node cluster, quorum votes might not be distributed correctly for objects with PFTT of 1 and SFTT of 1 or more. If one site fails, and an additional host or disk fails on the active site, the object might lose quorum and become inaccessible.

This issue is resolved in this release.
PR 2961832: ESXi hosts might fail while resizing a VMDK not aligned to 512 bytes
An object resize request might fail if the new size is not aligned to 512 bytes. This problem can cause an ESXi host to fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2935355: You might see increased CPU consumption on an ESXi host due to a leak of the PacketCapture (pktcap-uw) utility
In some cases, for example when a virtual machine restarts, a running SSH session that the pktcap-uw utility uses to monitor and validate switch configurations on the ESXi host might be terminated, but the pktcap-uw utility might continue to try to process packets. As a result, the utility starts consuming more CPU than usual. You can use the esxtop -a command to track CPU performance.

This issue is resolved in this release. The fix prevents leaks from the pktcap-uw utility that cause increased CPU consumption. You can use the ps -u | grep pktcap command to see if any background pktcap-uw utility process runs, although it does not impact CPU performance. If a zombie process still runs, you can use the command kill -9 to end it.
PR 2973031: vSAN health check shows certified NVMe device as not certified
In vCenter Server running 7.0 Update 3, a certified NVMe device might have the following health check warning: NVMe device is not VMware certified. You might also see the following health check warning: NVMe device can not be identified.

This issue is resolved in this release.
PR 2968157: The ESXCLI command hardware ipmi bmc get does not return the IPv6 address of an IPMI Baseboard Management Controller (BMC)
The ESXCLI command hardware ipmi bmc get does not return the IPv6 address of a BMC due to wrong parsing.

This issue has been fixed in this release.
PR 2963328: Shutdown wizard fails for a vSAN stretched or two-node vSAN cluster with error: Disconnected host found from orch
If the witness host cannot be reached by cluster hosts, the vSAN cluster Shutdown wizard might fail for a stretched cluster or two-node clusters. The issue occurs when vSAN data traffic and witness traffic use different vmknics. In the vSphere Client. you see the following error message in the vSAN Services page: Disconnected host found from orch <witness's ip>. If vCenter is hosted on the cluster, the vSphere Client is not available during shutdown, and the error message is available in the Host Client where the vCenter VM resides.

This issue is resolved in this release.
PR 2882789: While browsing a vSphere Virtual Volumes datastore, you see the UUID of some virtual machines, instead of their name
In the vSphere Client, when you right-click to browse a datastore, you might see the UUID of some virtual machines in a vSphere Virtual Volumes datastore, such as naa.xxxx, instead of their names. The issue rarely occurs in large-scale environments with a large number of containers and VMs on a vSphere Virtual Volumes datastore. The issue has no functional impact, such as affecting VM operations, backup, or anything than VM display in the vSphere Client.

This issue is resolved in this release.
PR 2928268: A rare issue with the ESXi infrastructure might cause ESXi hosts to become unresponsive
Due to a rare issue with the ESXi infrastructure, a slow VASA provider might lead to a situation where the vSphere Virtual Volumes datastores are inaccessible, and the ESXi host becomes unresponsive.

This issue is resolved in this release.
PR 2946550: When you shut down an ESXi host, it does not power off and you see an error message
In certain environments, when you shut down an ESXi host, it does not power off and you see a screen with the message This system has been halted. It is safe to use the reset or power button to reboot..

This issue is resolved in this release.
PR 2949777: If the LargeBAR setting of a vmxnet3 device is enabled on ESX 7.0 Update 3 and later, virtual machines might lose connectivity
The LargeBAR setting that extends the Base Address Register (BAR) on a vmxnet3 device supports the Uniform Passthrough (UPT). However, UPT is not supported on ESX 7.0 Update 3 and later, and if the vmxnet3 driver is downgraded to a version earlier than 7.0, and the LargeBAR setting is enabled, virtual machines might lose connectivity.

This issue is resolved in this release.
PR 2984245: Redundant redo log files take significant storage space
If you hot remove independent nonpersistent disks from a virtual machine that has the vmx.reboot.PowerCycle configuration parameter enabled, ESXi stores a redo log file. If such a VM is a backup proxy VM, you might see a lot of redundant redo log files to take a significant amount of storage.

Workaround: Disable the vmx.reboot.PowerCycle parameter on backup proxy VMs either by power-cycling the VM or by using the PowerCLI Set-AdvancedSetting cmdlet. Delete the redundant redo log files.
PR 2939395: ESXi hosts intermittently fail with purple diagnostic screen with a dump that shows J3_DeleteTransaction and J6ProcessReplayTxnList errors
In rare cases, when an ESXi host tries to access an uncached entry from a resource pool cache, the host intermittently fails with a PF Exception 14 purple diagnostic screen and a core dump file. In the dump file, you see errors for the J3_DeleteTransaction and J6ProcessReplayTxnList modules that indicate the issue.

This issue is resolved in this release.
PR 2952432: ESXi hosts might become unresponsive due to a rare issue with VMFS that causes high lock contention of hostd service threads
A rare issue with VMFS might cause high lock contention of hostd service threads, or even deadlocks, for basic filesystem calls such as open, access or rename. As a result, the ESXi host becomes unresponsive.

This issue is resolved in this release.
PR 2960882: If the authentication protocol in an ESXi SNMP agent configuration is MD5, upgrades to ESXi 7.x might fail
Since the MD5 authentication protocol is deprecated from ESXi 7.x, if an ESXi SNMP agent configuration uses the MD5 authentication protocol, upgrades to ESXi 7.x fail.

This issue is resolved in this release. The fix removes the MD5 authentication protocol and you see a VMkernel Observation (VOB) message such as Upgrade detected a weak crypto protocol (MD5) and removed it. Please regenerate v3 Users.
PR 2957966: Spaces in the Syslog.global.logHost parameter might cause upgrades to ESXi 7.x to fail
In ESXi 7.x, the Syslog.global.logHost parameter that defines a comma-delimited list of remote hosts and specifications for message transmissions, does not tolerate spaces after the comma. ESXi versions earlier than 7.x tolerate a space after the comma in the Syslog.global.logHost parameter. As a result, upgrades to ESXi 7.x might fail.

This issue is resolved in this release. The fix allows spaces after the comma.
PR 2967359: You might see logical consistency-based I/O error for virtual machines running on a snapshot
An issue related to the use of the probabilistic data structure Bloom Filter that aims to optimize read I/O for VMs running on a snapshot, might cause a logical consistency-based I/O error when VM is running on snapshot. The issue is limited and occurs only if you run running SQL server on snapshot.

This issue is resolved in this release. The fix disables the use of Bloom Filter functionality until the root cause of the issue is resolved.
PR 2974376: ESXi hosts fail with a purple diagnostic screen with a NMI error due to a rare CPU lockup
An issue with the process that scans datastores to help file-block allocations for thin files might cause a CPU lockup in certain cases. As a result, the ESXi host might fail with a purple diagnostic screen with an error similar to PSOD - @BlueScreen: NMI.

This issue is resolved in this release.
PR 2905357: You see unusually high number of Task Created and Task Completed messages in the hostd log files
The log files of the hostd service might get an unusually high number of Task Created and Task Completed messages for invisible tasks, which in turn might reduce the log retention time.

This issue is resolved in this release.
PR 2956080: Read and write operations to a vSphere Virtual Volumes datastore might fail
If a SCSI command to a protocol endpoint of a vSphere Virtual Volumes datastore fails, the endpoint might get an Unsupported status, which might be cached. As a result, following SCSI commands to that protocol endpoint fail with an error code such as 0x5 0x20, and read and write operations to a vSphere Virtual Volumes datastore fail.

This issue is resolved in this release.
PR 2985369: If the NVMe controller reports a FAILED state, it might lose connectivity to ESXi hosts
In some cases, such as port down error, ESXi hosts might lose connectivity to the NVMe controller although some IO queues are still active.

This issue is resolved in this release.
PR 2892901: If the disk of a replicated virtual machine is not 512-aligned, the VM might fail to power on
If you replicate a virtual machine by using vSphere Replication, and the VM disk is increased to a number that is not 512-aligned, the VM cannot power on.

This issue is resolved in this release.
PR 2912230: If the number of CPUs is not multiple to the number of core per socket in the configuration of a virtual machine, the VM cannot power on
If the number of CPUs that you define with the parameter ConfigSpec#numCPUs is not multiple to the number of core per socket that you define with in the parameter ConfigSpec#numCoresPerSocket in the configuration of a virtual machine, the VM does not power on.

This issue is resolved in this release. The fix prevents you from setting a numCPUs value that is not multiple of the numCoresPerSocket value.
PR 2949375: vSAN host in stretched cluster fails to enter maintenance mode with ensure accessibility mode
This problem affects hosts in stretched clusters with locality=None, HFT=0, SFT=1 or SFT=2 policy settings. When you place a host into maintenance mode with Ensure Accessibility, the operation might stay at 100% for a long time or fail after 60 min.

This issue is resolved in this release.
PR 2950686: Frequent vSAN network latency alarms after upgrade to ESXi 7.0 Update 2
After you upgrade an ESXi host to 7.0 Update 2, you might notice frequent vSAN network latency alarms on the cluster when vSAN performance service is enabled. The latency results show that most of the alarms are issued by the vSAN primary node.

This issue is resolved in this release.
PR 2928789: NVMe over RDMA storage becomes inaccessible after update from ESXi 7.0, 7.0 Update 1 or 7.0 Update 2 to 7.0 Update 3c
Due to a change in the default admin queue size for NVMe over RDMA controllers in ESXi 7.0 Update 3c, updates from ESXi 7.0, 7.0 Update 1 or 7.0 Update 2 to 7.0 Update 3c might cause NVMe over RDMA storage to become inaccessible.

This issue is resolved in this release. If you need to update to ESXi 7.0 Update 3c, you can run the script attached in VMware knowledge base article 88938 before the update to make sure the issue is resolved.
PR 2983089: An ESXi host might fail with a purple diagnostic screen due to a race condition in container ports
Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.

This issue is resolved in this release.
PR 2925133: When you disable or suspend vSphere Fault Tolerance, pinging virtual machines might time out
When you disable or suspend vSphere FT, virtual machines might temporarily lose connectivity and not respond to pinging or any network traffic. Pinging virtual machines might time out consecutively within a short period, such as 20 sec.

This issue is resolved in this release.

esx-update_7.0.3-0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esx-update_7.0.3-0.50.20036589 VMware_bootbank_loadesx_7.0.3-0.50.20036589
PRs Fixed	N/A
CVE numbers	N/A

Updates the loadesx and esx-update VIBs.

Broadcom-bnxt-Net-RoCE_216.0.0.0-1vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_bnxtroce_216.0.58.0-23vmw.703.0.50.20036589 VMW_bootbank_bnxtnet_216.0.50.0-44vmw.703.0.50.20036589
PRs Fixed	N/A
CVE numbers	N/A

Updates the bnxtnet VIB.

Broadcom-ELX-lpfc_14.0.169.26-5vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lpfc_14.0.169.26-5vmw.703.0.50.20036589
PRs Fixed	2929821
CVE numbers	N/A

Updates the lpfc VIB to resolve the following issue:

PR 2929821: ESXi hosts lose access to Dell EMC Unity storage arrays after upgrading the lpfc driver to 14.0.x.x
ESXi hosts might lose access to Unity storage arrays after upgrading the lpfc driver to 14.0.x.x. You see errors such as protocol failure detected during processing of FCP I/O and rspInfo3 x2 in the driver logs.

This issue is resolved in this release.

Broadcom-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_lsuv2-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589
PRs Fixed	2960435
CVE numbers	N/A

Updates the lsuv2-lsiv2-drivers-plugin VIB.

PR 2960435: Changes in disk location take long to become visible from the vSphere Client or by using ESXCLI
For LSI-related drivers, when an ESXi server boots up, if you plug out a disk and plug it in another slot on the same host, changes in the disk location might take long to become visible from the vSphere Client or by using the ESXCLI command esxcli storage core device physical get -d. The issue is specific to drivers with many disks connected to the driver, 150 and more, and is resolved within 5 minutes.

This issue is resolved in this release. The fix adds a cache of all devices connected to an LSI controller at boot time to make sure calls to the strange inventory are quickly served.

Intel-icen_1.4.1.20-1vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_icen_1.4.1.20-1vmw.703.0.50.20036589
PRs Fixed	2965878
CVE numbers	N/A

Updates the icen VIB.

With ESXi 7.0 Update 3f, the Intel-icen driver supports networking functions on E822/E823 NICs for Intel Icelake-D platforms. ENS (Enhanced Network Stack) and RDMA functions on such devices are not supported.

Intel-irdman_1.3.1.22-1vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_irdman_1.3.1.22-1vmw.703.0.50.20036589
PRs Fixed	N/A
CVE numbers	N/A

Updates the irdman VIB.

Intel-ne1000_0.9.0-1vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_ne1000_0.9.0-1vmw.703.0.50.20036589
PRs Fixed	2957673
CVE numbers	N/A

Updates the ne1000 VIB.

ESXi 7.0 Update 3f upgrades the Intel-ne1000 driver to support Intel I219-LM devices that are required for newer server models, such as the Intel Rocket Lake-S platform. The TCP segmentation offload for the I219 devices is deactivated because of known issues in the hardware DMA.

VMware-iser_1.1.0.1-1vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_iser_1.1.0.1-1vmw.703.0.50.20036589
PRs Fixed	2921564
CVE numbers	N/A

Updates the iser VIB.

PR 2921564: ESXi hosts that have iSER initiators connected to IBM FlashSystem V9000 arrays might fail with a purple diagnostic screen due to a rare issue
A very rare null pointer error issue might cause ESXi hosts on IBM FlashSystem V9000 arrays to fail with a purple diagnostic screen and an error such as #PF Exception 14 in world 2098414:CqWorld IP 0xxxxx addr 0xxxx.

This issue is resolved in this release. The fix adds a special handling to an RDMA error status for one of the SCSI management commands.

VMware-vmkusb_0.1-7vmw.703.0.50.20036589

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_vmkusb_0.1-7vmw.703.0.50.20036589
PRs Fixed	N/A
CVE numbers	N/A

Updates the vmkusb VIB.

ESXi_7.0.3-0.45.20036586

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_native-misc-drivers_7.0.3-0.45.20036586 VMware_bootbank_bmcal_7.0.3-0.45.20036586 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_vsanhealth_7.0.3-0.45.20036586 VMware_bootbank_esxio-combiner_7.0.3-0.45.20036586 VMware_bootbank_esx-xserver_7.0.3-0.45.20036586 VMware_bootbank_trx_7.0.3-0.45.20036586 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.45.20036586 VMware_bootbank_vdfs_7.0.3-0.45.20036586 VMware_bootbank_vsan_7.0.3-0.45.20036586 VMware_bootbank_cpu-microcode_7.0.3-0.45.20036586 VMware_bootbank_esx-base_7.0.3-0.45.20036586 VMware_bootbank_gc_7.0.3-0.45.20036586 VMware_bootbank_crx_7.0.3-0.45.20036586
PRs Fixed	2920287, 2946147, 2946217, 2946222, 2946671, 2946863, 2947156, 2951864, 2951866, 2972147, 2972151
CVE numbers	CVE-2004-0230, CVE-2020-7451, CVE-2015-2923, CVE-2015-5358, CVE-2013-3077, CVE-2015-1414, CVE-2018-6918, CVE-2020-7469, CVE-2019-5611, CVE-2020-7457, CVE-2018-6916, CVE-2019-5608, CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, CVE-2022-29901

The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching.
Updates the native-misc-drivers, bmcal, esx-ui, vsanhealth, esxio-combiner, esx-xserver, trx, esx-dvfilter-generic-fastpath, vdfs, vsan, cpu-microcode, esx-base, gc, and crx VIBs to resolve the following issues:

ESXi 7.0 Update 3f provides the following security updates:
- The Expat XML parser is updated to version 2.4.7.
- The SQLite database is updated to version 3.37.2.
- The cURL library is updated to version 7.81.0.
- The OpenSSL package is updated to version openssl-1.0.2ze.
- The ESXi userworld libxml2 library is updated to version 2.9.14.
- The Python package is updated to 3.8.13.
- The zlib library is updated to 1.2.12.
- This release resolves CVE-2004-0230. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.
- This release resolves CVE-2020-7451. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
- This release resolves CVE-2015-2923. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
- This release resolves CVE-2015-5358. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
- This release resolves CVE-2013-3077. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.0.
- This release resolves CVE-2015-1414. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
- This release resolves CVE-2018-6918. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
- This release resolves CVE-2020-7469. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
- This release resolves CVE-2019-5611. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
- This release resolves CVE-2020-7457. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.8.
- This release resolves CVE-2018-6916. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
- This release resolves CVE-2019-5608. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
This release resolves CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, and CVE-2022-29901. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0020.

esx-update_7.0.3-0.45.20036586

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esx-update_7.0.3-0.45.20036586 VMware_bootbank_loadesx_7.0.3-0.45.20036586
PRs Fixed	N/A
CVE numbers	N/A

Updates the loadesx and esx-update VIBs.

VMware-VM-Tools_12.0.0.19345655-20036586

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_locker_tools-light_12.0.0.19345655-20036586
PRs Fixed	N/A
CVE numbers	N/A

Updates the tools-light VIB.

ESXi-7.0U3f-20036589-standard

Profile Name	ESXi-7.0U3f-20036589-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	July 12, 2022
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esxio-combiner_7.0.3-0.50.20036589 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_esx-xserver_7.0.3-0.50.20036589 VMware_bootbank_cpu-microcode_7.0.3-0.50.20036589 VMware_bootbank_trx_7.0.3-0.50.20036589 VMware_bootbank_vsanhealth_7.0.3-0.50.20036589 VMware_bootbank_esx-base_7.0.3-0.50.20036589 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.50.20036589 VMware_bootbank_gc_7.0.3-0.50.20036589 VMware_bootbank_native-misc-drivers_7.0.3-0.50.20036589 VMware_bootbank_bmcal_7.0.3-0.50.20036589 VMware_bootbank_vsan_7.0.3-0.50.20036589 VMware_bootbank_vdfs_7.0.3-0.50.20036589 VMware_bootbank_crx_7.0.3-0.50.20036589 VMware_bootbank_esx-update_7.0.3-0.50.20036589 VMware_bootbank_loadesx_7.0.3-0.50.20036589 VMW_bootbank_bnxtroce_216.0.58.0-23vmw.703.0.50.20036589 VMW_bootbank_bnxtnet_216.0.50.0-44vmw.703.0.50.20036589 VMW_bootbank_lpfc_14.0.169.26-5vmw.703.0.50.20036589 VMware_bootbank_lsuv2-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589 VMW_bootbank_icen_1.4.1.20-1vmw.703.0.50.20036589 VMW_bootbank_irdman_1.3.1.22-1vmw.703.0.50.20036589 VMW_bootbank_ne1000_0.9.0-1vmw.703.0.50.20036589 VMW_bootbank_iser_1.1.0.1-1vmw.703.0.50.20036589 VMW_bootbank_vmkusb_0.1-7vmw.703.0.50.20036589 VMware_locker_tools-light_12.0.0.19345655-20036586
PRs Fixed	2916848, 2817702, 2937074, 2957732, 2984134, 2944807, 2985369, 2907963, 2949801, 2984245, 2915911, 2990593, 2992648, 2905357, 2980176, 2974472, 2974376, 2972059, 2973031, 2967359, 2860126, 2878245, 2876044, 2968157, 2960242, 2970238, 2966270, 2966783, 2963328, 2939395, 2966362, 2946550, 2958543, 2966628, 2961584, 2911056, 2965235, 2952427, 2963401, 2965146, 2963038, 2963479, 2949375, 2961033, 2958926, 2839515, 2951139, 2878224, 2954320, 2952432, 2961346, 2857932, 2960949, 2960882, 2957966, 2929443, 2956080, 2959293, 2944919, 2948800, 2928789, 2957769, 2928268, 2957062, 2792139, 2934102, 2953709, 2950686, 2953488, 2949446, 2955016, 2953217, 2956030, 2949902, 2944894, 2944521, 2911363, 2952205, 2894093, 2910856, 2953754, 2949777, 2925733, 2951234, 2915979, 2904241, 2935355, 2941263, 2912661, 2891231, 2928202, 2928268, 2867146, 2244126, 2912330, 2898858, 2906297, 2912213, 2910340, 2745800, 2912182, 2941274, 2912230, 2699748, 2882789, 2869031, 2913017, 2864375, 2929821, 2957673, 2921564, 2925133, 2965277
Related CVE numbers	N/A

This patch updates the following issues:
- pyVmomi calls to the vSphere EnvironmentBrowser.QueryConfigTargetEx API might fail with UnknownWsdlTypeError.
- The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.
- If you you set the vmx.reboot.powerCycle advanced setting on a virtual machine to TRUE, when the guest OS initiates a reboot, the virtual machine powers off and then powers on. However, if a power cycle occurs during a migration by using vSphere vMotion, the operation fails and the virtual machine on the source host might not power back on.
- If a socket experiences a connection failure while it is polled during the internal communication between UNIX domain sockets, a data race might occur. As a result, in some cases, the ESXi host might access an invalid memory region and fail with a purple diagnostic screen with #PF Exception 14, and errors such as UserDuct_PollSize() and UserSocketLocalPoll().
- If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.
- Race conditions in the iscsi_vmk driver might cause stuck I/O operations or heartbeat timeouts on a VMFS datastore. As a result, you might see some virtual machines become unresponsive.
- Throughput with software iSCSI adapters is limited due to hardcoded send and receive buffer sizes, 600 KB for send and 256 KB for receive buffer, respectively. As a result, the performance of the iscsi_vmk adapter is not optimal.
- When multiple NVIDIA vGPU VMs power off simultaneously, occasionally some multi-instance GPU (MIG) resources are not destroyed. As a result, subsequent vGPU VM power on might fail due to the residual MIG resources.
- In rare cases, when a NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.
- In rare occasions, packet completion might not happen on the original port or portset, but on a different portset, which causes a loop that could corrupt the packet list with an invalid pointer. As a result, an ESXi host might fail with a purple diagnostic screen. In the logs, you see an error such as PF Exception 14 in world 61176327:nsx.cp.tx IP 0xxxxxx addr 0x3c.
- The memory in an ESXi host NUMA node might consist of multiple physical ranges. In ESXi releases earlier than 7.0 Update 3f, the memoryRangeBegin, memoryRangeLength field pair in NumaNodeInfo gives the starting host physical address and the length of one range in the NUMA node, ignoring any additional ranges.
- If you enable fast path on HPP for 512e Software Emulated 4KN devices, it does not work as expected, because the fast path does not handle Read-Modify-Write(R-M-W), which must use slow path. The use of fast path on 4KN devices is not supported.
- If you have a running VM with virtual disks larger than 1TB and you delete a snapshot of the disks on this VM, the VM might freeze for seconds or even minutes. The VM ultimately recovers but VM workloads might experience outages. The issue occurs because the delete operation triggers snapshot consolidation in the background that causes the delay. The issue is more likely to occur on slower storage, such as NFS.
- DVFilter packets might incorrectly be transferred to a network port, where the packet completion code fails to run. As a result, ESXi hosts fail with a purple diagnostic screen and the error PF Exception 14 Vmxnet3VMKDevTxCompleteOne E1000DevTxCompleteOneWork.
- In rare cases, DFW might send a packet list to the wrong portset. As a result, the VMkernel service might fail and virtual machines lose connectivity. In the vmkernel.log file, you see errors such as:
  2021-09-27T04:29:53.170Z cpu84:xxxx)NetPort: 206: Failure: lockModel[0] vs psWorldState->lockModel[0] there is no portset lock holding.
- Starting from vSphere 7.0 Update 2, HPP becomes the default plug-in for local NVMe and SCSI devices, and replaces the ESX Native Multipathing Plug-in (NMP). However, in some environments, the change from NMP to HPP makes some properties of devices claimed by HPP, such as Display Name, inaccessible.
- In an ALUA target, if the target port group IDs (TPGIDs) are changed for a LUN, the cached device identification response that SATP uses might not update accordingly. As a result, ESXi might not reflect the correct path states for the corresponding device.
- If you use the NVMe-SCSI translation stack to register NVMe devices in your system, the targetPortGroup and relativeTargetPortId properties get a controller ID of 0 for all paths. As a result, an RTPG command returns the same ALUA access state for all the paths of the namespace, because every path tpgID matches the first descriptor, which is 0.
- If the password for the File Service administrator is changed on the Active Directory server, the password in the vSAN File Service domain configuration might not match. If the passwords do not match or if the account is locked, some file shares might be inaccessible. vSAN health service shows the following warning: File Service: File server not found.
- When you reinstall an ESXi host after a failure, since the failed instance never reboots, stale bindings of VMDKs remain intact on the VASA provider and vSphere Virtual Volumes datastores. As a result, when you reinstall the host, you cannot delete the VMDKs due to the existing binding. Over time, many such VMDKs might accrue and consume idle storage space.
- In rare cases, a serial device on a virtual machine might not have a serial<N>.fileName property and the >serial<N>.autodetect property to be set to FALSE. As a result, the hostd service might repeatedly fail.
- In the vSphere Client, if you set any of the traffic shaping options, such as Average Bandwidth, Peak Bandwidth or Burst Size, to a value larger than 2147483 Kbps, the settings are not kept.
- Due to the low default number of file descriptors, some features such as vSphere vMotion might fail in VAAI for NAS environments after upgrade to ESXi 7.x, due to the insufficient number of vmdk files that can be operated simultaneously. You see errors such as Too many open files in the vaai-nas daemon logs in the syslog.log file.
- In rare cases, if a write I/O request runs in parallel with an unmap operation triggered by the guest OS on a thin-provisioned VM, a deadlock might occur in a VMFS6 volume. As a result, virtual machines on this volume become unresponsive.
- During vSphere Storage vMotion or hot-add operations on a virtual machine with more than 300 GB of memory, the switchover time can approach 2 minutes that causes a timeout failure.
- If you do not remove port binding after you delete a VMkernel NIC that is bound to an iSCSI adapter, the stale port binding might cause issues after an ESXi host reboot. During boot, binding of the non-existing VMkernel NIC to the iSCSI adapter fails and iSCSI configurations cannot restore during the boot. As a result, after the reboot completes, you might not see some LUNs or datastores.
- After a storage failover, the ESXi NFSv4.1 client might falsely identify the NFS server to be a different entity and skip recovery. As a result, the NFSv4.1 datastore remains in Inaccessible state.
- In some cases, such as temperature exceeding the threshold, an NVMe device might report a critical warning and the ESXi NVMe controller does not register the device, and puts it offline.
- A rare issue when the used block cache exceeds the reserved cache might cause reservation issues in the vSAN file service. As a result, you cannot reach some file shares and the health check shows the error VDFS daemon is not running. In the vdfsd-server log, you see errors such as:
  PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:621
  PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:626
- In rare cases, background search queries executed by vCenter Server on an ESXi host with access to the vmdk files of virtual machines exported to an OVF format might accidentally modify the files. As a result, you cannot import the virtual machines.
- Due to a component load issue, adding a multipathing PSA claim rule to the set of claim rules on a vCenter Server system by using the JumpStart tool might fail.
- After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to an ALUA array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.
- In rare cases, when an ESXi host is under memory pressure, PSA does not handle memory allocation failures gracefully. As a result, the ESXi host might fail with a purple diagnostic screen with an error such as #PF Exception 14 in world 2098026:SCSI path sc IP / SCSI path scan helpers.
- If a running virtual machine reboots during a snapshot deletion operation, the VM disks might be incorrectly reopened and closed during the snapshot consolidation. As a result, the VM might fail. However, this is timing issue and occurs accidentally.
- During device discovery, a reservation conflict might cause ATS to be wrongly reported as not supported and due to this, ESXi uses SCSI-2 reservation instead of ATS. As a result, mounting VMFS6 datastores with enabled clustered VMDK support might randomly fail.
- Some operations can change the host UUID. For example, if you reinstall ESXi software or move the host across clusters, the host UUID might change. If the host UUID changes during vSAN file service downtime, then vSAN file service servers cannot boot.
- If you disable the vSAN file service with no existing file shares, vSAN removes the file service domain. A removal failure of one server might interrupt the process, and leave behind some metadata. When you reenable the file service, the old metadata might cause the file service to not work as expected.
- The Report Target Port Groups command might return a wrong value in the IMPLICIT TRANSITION TIME field, which affects the SCSI to NVMe translation layer. In cases such as multi appliance migration, the time for ALUA transition is critical for some multipathing software, for example PowerPath, to perform correct operations.
- Small-sized pending unmaps might be blocked when you reboot a host or remount a disk group. The pending unmaps can cause log congestion which leads to I/O latency.
- After the first upgrade or update of your system to ESXi 7.x, with each consecutive update, also called a patch, you might see a truncation in the path to the /productLocker directory on a datastore. For example, if your first patch on ESXi 7.x is from 7.0 Update 2 to 7.0 Update 3, the path to the /productLocker directory originally is similar to /vmfs/volumes/xxx/VMware-Tools/productLocker/. However, for each consecutive patch, for example from 7.0 Update 3 to 7.0 Update 3c, the path becomes similar to /VMware-Tools/productLocker/.
- In a vSAN stretched cluster or two-node cluster, quorum votes might not be distributed correctly for objects with PFTT of 1 and SFTT of 1 or more. If one site fails, and an additional host or disk fails on the active site, the object might lose quorum and become inaccessible.
- An object resize request might fail if the new size is not aligned to 512 bytes. This problem can cause an ESXi host to fail with a purple diagnostic screen.
- In some cases, for example when a virtual machine restarts, a running SSH session that the pktcap-uw utility uses to monitor and validate switch configurations on the ESXi host might be terminated, but the pktcap-uw utility might continue to try to process packets. As a result, the utility starts consuming more CPU than usual. You can use the esxtop -a command to track CPU performance.
- In vCenter Server running 7.0 Update 3, a certified NVMe device might have the following health check warning: NVMe device is not VMware certified. You might also see the following health check warning: NVMe device can not be identified.
- The ESXCLI command hardware ipmi bmc get does not return the IPv6 address of a BMC due to wrong parsing.
- If the witness host cannot be reached by cluster hosts, the vSAN cluster Shutdown wizard might fail for a stretched cluster or two-node clusters. The issue occurs when vSAN data traffic and witness traffic use different vmknics. In the vSphere Client. you see the following error message in the vSAN Services page: Disconnected host found from orch <witness's ip>. If vCenter is hosted on the cluster, the vSphere Client is not available during shutdown, and the error message is available in the Host Client where the vCenter VM resides.
- In the vSphere Client, when you right-click to browse a datastore, you might see the UUID of some virtual machines in a vSphere Virtual Volumes datastore, such as naa.xxxx, instead of their names. The issue rarely occurs in large-scale environments with a large number of containers and VMs on a vSphere Virtual Volumes datastore. The issue has no functional impact, such as affecting VM operations, backup, or anything than VM display in the vSphere Client.
- Due to a rare issue with the ESXi infrastructure, a slow VASA provider might lead to a situation where the vSphere Virtual Volumes datastores are inaccessible, and the ESXi host becomes unresponsive.
- In certain environments, when you shut down an ESXi host, it does not power off and you see a screen with the message This system has been halted. It is safe to use the reset or power button to reboot..
- The LargeBAR setting that extends the Base Address Register (BAR) on a vmxnet3 device supports the Uniform Passthrough (UPT). However, UPT is not supported on ESX 7.0 Update 3 and later, and if the vmxnet3 driver is downgraded to a version earlier than 7.0, and the LargeBAR setting is enabled, virtual machines might lose connectivity.
- If you hot remove independent nonpersistent disks from a virtual machine that has the vmx.reboot.PowerCycle configuration parameter enabled, ESXi stores a redo log file. If such a VM is a backup proxy VM, you might see a lot of redundant redo log files to take a significant amount of storage.
- In rare cases, when an ESXi host tries to access an uncached entry from a resource pool cache, the host intermittently fails with a PF Exception 14 purple diagnostic screen and a core dump file. In the dump file, you see errors for the J3_DeleteTransaction and J6ProcessReplayTxnList modules that indicate the issue.
- A rare issue with VMFS might cause high lock contention of hostd service threads, or even deadlocks, for basic filesystem calls such as open, access or rename. As a result, the ESXi host becomes unresponsive.
- Since the MD5 authentication protocol is deprecated from ESXi 7.x, if an ESXi SNMP agent configuration uses the MD5 authentication protocol, upgrades to ESXi 7.x fail.
- In ESXi 7.x, the Syslog.global.logHost parameter that defines a comma-delimited list of remote hosts and specifications for message transmissions, does not tolerate spaces after the comma. ESXi versions earlier than 7.x tolerate a space after the comma in the Syslog.global.logHost parameter. As a result, upgrades to ESXi 7.x might fail.
- An issue related to the use of the probabilistic data structure Bloom Filter that aims to optimize read I/O for VMs running on a snapshot, might cause a logical consistency-based I/O error when VM is running on snapshot. The issue is limited and occurs only if you run running SQL server on snapshot.
- An issue with the process that scans datastores to help file-block allocations for thin files might cause a CPU lockup in certain cases. As a result, the ESXi host might fail with a purple diagnostic screen with an error similar to PSOD - @BlueScreen: NMI.
- The log files of the hostd service might get an unusually high number of Task Created and Task Completed messages for invisible tasks, which in turn might reduce the log retention time.
- If a SCSI command to a protocol endpoint of a vSphere Virtual Volumes datastore fails, the endpoint might get an Unsupported status, which might be cached. As a result, following SCSI commands to that protocol endpoint fail with an error code such as 0x5 0x20, and read and write operations to a vSphere Virtual Volumes datastore fail.
- In some cases, such as port down error, ESXi hosts might lose connectivity to the NVMe controller although some IO queues are still active.
- If you replicate a virtual machine by using vSphere Replication, and the VM disk is increased to a number that is not 512-aligned, the VM cannot power on.
- If the number of CPUs that you define with the parameter ConfigSpec#numCPUs is not multiple to the number of core per socket that you define with in the parameter ConfigSpec#numCoresPerSocket in the configuration of a virtual machine, the VM does not power on.
- This problem affects hosts in stretched clusters with locality=None, HFT=0, SFT=1 or SFT=2 policy settings. When you place a host into maintenance mode with Ensure Accessibility, the operation might stay at 100% for a long time or fail after 60 min.
- After you upgrade an ESXi host to 7.0 Update 2, you might notice frequent vSAN network latency alarms on the cluster when vSAN performance service is enabled. The latency results show that most of the alarms are issued by the vSAN primary node.
- Due to a change in the default admin queue size for NVMe over RDMA controllers in ESXi 7.0 Update 3c, updates from ESXi 7.0, 7.0 Update 1 or 7.0 Update 2 to 7.0 Update 3c might cause NVMe over RDMA storage to become inaccessible.
- Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.
- ESXi hosts might lose access to Unity storage arrays after upgrading the lpfc driver to 14.0.x.x. You see errors such as protocol failure detected during processing of FCP I/O and rspInfo3 x2 in the driver logs.
- For LSI-related drivers, when an ESXi server boots up, if you plug out a disk and plug it in another slot on the same host, changes in the disk location might take long to become visible from the vSphere Client or by using the ESXCLI command esxcli storage core device physical get -d. The issue is specific to drivers with many disks connected to the driver, 150 and more, and is resolved within 5 minutes.
- With ESXi 7.0 Update 3f, the Intel-icen driver supports networking functions on E822/E823 NICs for Intel Icelake-D platforms. ENS (Enhanced Network Stack) and RDMA functions on such devices are not supported.
- ESXi 7.0 Update 3f upgrades the Intel-ne1000 driver to support Intel I219-LM devices that are required for newer server models, such as the Intel Rocket Lake-S platform. The TCP segmentation offload for the I219 devices is deactivated because of known issues in the hardware DMA.
- A very rare null pointer error issue might cause ESXi hosts on IBM FlashSystem V9000 arrays to fail with a purple diagnostic screen and an error such as #PF Exception 14 in world 2098414:CqWorld IP 0xxxxx addr 0xxxx.
- When you disable or suspend vSphere FT, virtual machines might temporarily lose connectivity and not respond to pinging or any network traffic. Pinging virtual machines might time out consecutively within a short period, such as 20 sec.
- Under certain conditions, such as increasing page-sharing or disabling the use of large pages at VM or ESXi host level, you might see CPU utilization of Windows VBS-enabled VMs to reach up to 100%.

ESXi-7.0U3f-20036589-no-tools

Profile Name	ESXi-7.0U3f-20036589-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	July 12, 2022
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esxio-combiner_7.0.3-0.50.20036589 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_esx-xserver_7.0.3-0.50.20036589 VMware_bootbank_cpu-microcode_7.0.3-0.50.20036589 VMware_bootbank_trx_7.0.3-0.50.20036589 VMware_bootbank_vsanhealth_7.0.3-0.50.20036589 VMware_bootbank_esx-base_7.0.3-0.50.20036589 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.50.20036589 VMware_bootbank_gc_7.0.3-0.50.20036589 VMware_bootbank_native-misc-drivers_7.0.3-0.50.20036589 VMware_bootbank_bmcal_7.0.3-0.50.20036589 VMware_bootbank_vsan_7.0.3-0.50.20036589 VMware_bootbank_vdfs_7.0.3-0.50.20036589 VMware_bootbank_crx_7.0.3-0.50.20036589 VMware_bootbank_esx-update_7.0.3-0.50.20036589 VMware_bootbank_loadesx_7.0.3-0.50.20036589 VMW_bootbank_bnxtroce_216.0.58.0-23vmw.703.0.50.20036589 VMW_bootbank_bnxtnet_216.0.50.0-44vmw.703.0.50.20036589 VMW_bootbank_lpfc_14.0.169.26-5vmw.703.0.50.20036589 VMware_bootbank_lsuv2-lsiv2-drivers-plugin_1.0.0-12vmw.703.0.50.20036589 VMW_bootbank_icen_1.4.1.20-1vmw.703.0.50.20036589 VMW_bootbank_irdman_1.3.1.22-1vmw.703.0.50.20036589 VMW_bootbank_ne1000_0.9.0-1vmw.703.0.50.20036589 VMW_bootbank_iser_1.1.0.1-1vmw.703.0.50.20036589 VMW_bootbank_vmkusb_0.1-7vmw.703.0.50.20036589 VMware_locker_tools-light_12.0.0.19345655-20036586
PRs Fixed	2916848, 2817702, 2937074, 2957732, 2984134, 2944807, 2985369, 2907963, 2949801, 2984245, 2915911, 2990593, 2992648, 2905357, 2980176, 2974472, 2974376, 2972059, 2973031, 2967359, 2860126, 2878245, 2876044, 2968157, 2960242, 2970238, 2966270, 2966783, 2963328, 2939395, 2966362, 2946550, 2958543, 2966628, 2961584, 2911056, 2965235, 2952427, 2963401, 2965146, 2963038, 2963479, 2949375, 2961033, 2958926, 2839515, 2951139, 2878224, 2954320, 2952432, 2961346, 2857932, 2960949, 2960882, 2957966, 2929443, 2956080, 2959293, 2944919, 2948800, 2928789, 2957769, 2928268, 2957062, 2792139, 2934102, 2953709, 2950686, 2953488, 2949446, 2955016, 2953217, 2956030, 2949902, 2944894, 2944521, 2911363, 2952205, 2894093, 2910856, 2953754, 2949777, 2925733, 2951234, 2915979, 2904241, 2935355, 2941263, 2912661, 2891231, 2928202, 2928268, 2867146, 2244126, 2912330, 2898858, 2906297, 2912213, 2910340, 2745800, 2912182, 2941274, 2912230, 2699748, 2882789, 2869031, 2913017, 2864375, 2929821, 2957673, 2921564, 2925133, 2965277
Related CVE numbers	N/A

This patch updates the following issues:
- pyVmomi calls to the vSphere EnvironmentBrowser.QueryConfigTargetEx API might fail with UnknownWsdlTypeError.
- The hardware health module of ESXi might fail to decode some sensors of the type System Event when a physical server is rebranded. As a result, in the vSphere Client you see status Unknown for sensors of type System Event under Monitor > Hardware Health.
- If you you set the vmx.reboot.powerCycle advanced setting on a virtual machine to TRUE, when the guest OS initiates a reboot, the virtual machine powers off and then powers on. However, if a power cycle occurs during a migration by using vSphere vMotion, the operation fails and the virtual machine on the source host might not power back on.
- If a socket experiences a connection failure while it is polled during the internal communication between UNIX domain sockets, a data race might occur. As a result, in some cases, the ESXi host might access an invalid memory region and fail with a purple diagnostic screen with #PF Exception 14, and errors such as UserDuct_PollSize() and UserSocketLocalPoll().
- If a hardware iSCSI adapter on an ESXi host in your environment uses pseudo NICs, you might not be able to create a host profile from such a host since pseudo NICs do not have the required PCI address and vendor name for a profile.
- Race conditions in the iscsi_vmk driver might cause stuck I/O operations or heartbeat timeouts on a VMFS datastore. As a result, you might see some virtual machines become unresponsive.
- Throughput with software iSCSI adapters is limited due to hardcoded send and receive buffer sizes, 600 KB for send and 256 KB for receive buffer, respectively. As a result, the performance of the iscsi_vmk adapter is not optimal.
- When multiple NVIDIA vGPU VMs power off simultaneously, occasionally some multi-instance GPU (MIG) resources are not destroyed. As a result, subsequent vGPU VM power on might fail due to the residual MIG resources.
- In rare cases, when a NFSv4.1 server returns a transient error during storage failover, you might see virtual machines to become unresponsive for 10 seconds before the operation restarts.
- In rare occasions, packet completion might not happen on the original port or portset, but on a different portset, which causes a loop that could corrupt the packet list with an invalid pointer. As a result, an ESXi host might fail with a purple diagnostic screen. In the logs, you see an error such as PF Exception 14 in world 61176327:nsx.cp.tx IP 0xxxxxx addr 0x3c.
- The memory in an ESXi host NUMA node might consist of multiple physical ranges. In ESXi releases earlier than 7.0 Update 3f, the memoryRangeBegin, memoryRangeLength field pair in NumaNodeInfo gives the starting host physical address and the length of one range in the NUMA node, ignoring any additional ranges.
- If you enable fast path on HPP for 512e Software Emulated 4KN devices, it does not work as expected, because the fast path does not handle Read-Modify-Write(R-M-W), which must use slow path. The use of fast path on 4KN devices is not supported.
- If you have a running VM with virtual disks larger than 1TB and you delete a snapshot of the disks on this VM, the VM might freeze for seconds or even minutes. The VM ultimately recovers but VM workloads might experience outages. The issue occurs because the delete operation triggers snapshot consolidation in the background that causes the delay. The issue is more likely to occur on slower storage, such as NFS.
- DVFilter packets might incorrectly be transferred to a network port, where the packet completion code fails to run. As a result, ESXi hosts fail with a purple diagnostic screen and the error PF Exception 14 Vmxnet3VMKDevTxCompleteOne E1000DevTxCompleteOneWork.
- In rare cases, DFW might send a packet list to the wrong portset. As a result, the VMkernel service might fail and virtual machines lose connectivity. In the vmkernel.log file, you see errors such as:
  2021-09-27T04:29:53.170Z cpu84:xxxx)NetPort: 206: Failure: lockModel[0] vs psWorldState->lockModel[0] there is no portset lock holding.
- Starting from vSphere 7.0 Update 2, HPP becomes the default plug-in for local NVMe and SCSI devices, and replaces the ESX Native Multipathing Plug-in (NMP). However, in some environments, the change from NMP to HPP makes some properties of devices claimed by HPP, such as Display Name, inaccessible.
- In an ALUA target, if the target port group IDs (TPGIDs) are changed for a LUN, the cached device identification response that SATP uses might not update accordingly. As a result, ESXi might not reflect the correct path states for the corresponding device.
- If you use the NVMe-SCSI translation stack to register NVMe devices in your system, the targetPortGroup and relativeTargetPortId properties get a controller ID of 0 for all paths. As a result, an RTPG command returns the same ALUA access state for all the paths of the namespace, because every path tpgID matches the first descriptor, which is 0.
- If the password for the File Service administrator is changed on the Active Directory server, the password in the vSAN File Service domain configuration might not match. If the passwords do not match or if the account is locked, some file shares might be inaccessible. vSAN health service shows the following warning: File Service: File server not found.
- When you reinstall an ESXi host after a failure, since the failed instance never reboots, stale bindings of VMDKs remain intact on the VASA provider and vSphere Virtual Volumes datastores. As a result, when you reinstall the host, you cannot delete the VMDKs due to the existing binding. Over time, many such VMDKs might accrue and consume idle storage space.
- In rare cases, a serial device on a virtual machine might not have a serial<N>.fileName property and the >serial<N>.autodetect property to be set to FALSE. As a result, the hostd service might repeatedly fail.
- In the vSphere Client, if you set any of the traffic shaping options, such as Average Bandwidth, Peak Bandwidth or Burst Size, to a value larger than 2147483 Kbps, the settings are not kept.
- Due to the low default number of file descriptors, some features such as vSphere vMotion might fail in VAAI for NAS environments after upgrade to ESXi 7.x, due to the insufficient number of vmdk files that can be operated simultaneously. You see errors such as Too many open files in the vaai-nas daemon logs in the syslog.log file.
- In rare cases, if a write I/O request runs in parallel with an unmap operation triggered by the guest OS on a thin-provisioned VM, a deadlock might occur in a VMFS6 volume. As a result, virtual machines on this volume become unresponsive.
- During vSphere Storage vMotion or hot-add operations on a virtual machine with more than 300 GB of memory, the switchover time can approach 2 minutes that causes a timeout failure.
- If you do not remove port binding after you delete a VMkernel NIC that is bound to an iSCSI adapter, the stale port binding might cause issues after an ESXi host reboot. During boot, binding of the non-existing VMkernel NIC to the iSCSI adapter fails and iSCSI configurations cannot restore during the boot. As a result, after the reboot completes, you might not see some LUNs or datastores.
- After a storage failover, the ESXi NFSv4.1 client might falsely identify the NFS server to be a different entity and skip recovery. As a result, the NFSv4.1 datastore remains in Inaccessible state.
- In some cases, such as temperature exceeding the threshold, an NVMe device might report a critical warning and the ESXi NVMe controller does not register the device, and puts it offline.
- A rare issue when the used block cache exceeds the reserved cache might cause reservation issues in the vSAN file service. As a result, you cannot reach some file shares and the health check shows the error VDFS daemon is not running. In the vdfsd-server log, you see errors such as:
  PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:621
  PANIC: NOT_IMPLEMENTED bora/vdfs/core/VDFSPhysicalLog.cpp:626
- In rare cases, background search queries executed by vCenter Server on an ESXi host with access to the vmdk files of virtual machines exported to an OVF format might accidentally modify the files. As a result, you cannot import the virtual machines.
- Due to a component load issue, adding a multipathing PSA claim rule to the set of claim rules on a vCenter Server system by using the JumpStart tool might fail.
- After a controlled shutdown or booting of any server in a cluster of ESXi servers attached to an ALUA array, all LUNs to which that server has access might trespass to one storage processor on the array. As a result, performance of the other ESXi servers accessing the LUNs aggravates.
- In rare cases, when an ESXi host is under memory pressure, PSA does not handle memory allocation failures gracefully. As a result, the ESXi host might fail with a purple diagnostic screen with an error such as #PF Exception 14 in world 2098026:SCSI path sc IP / SCSI path scan helpers.
- If a running virtual machine reboots during a snapshot deletion operation, the VM disks might be incorrectly reopened and closed during the snapshot consolidation. As a result, the VM might fail. However, this is timing issue and occurs accidentally.
- During device discovery, a reservation conflict might cause ATS to be wrongly reported as not supported and due to this, ESXi uses SCSI-2 reservation instead of ATS. As a result, mounting VMFS6 datastores with enabled clustered VMDK support might randomly fail.
- Some operations can change the host UUID. For example, if you reinstall ESXi software or move the host across clusters, the host UUID might change. If the host UUID changes during vSAN file service downtime, then vSAN file service servers cannot boot.
- If you disable the vSAN file service with no existing file shares, vSAN removes the file service domain. A removal failure of one server might interrupt the process, and leave behind some metadata. When you reenable the file service, the old metadata might cause the file service to not work as expected.
- The Report Target Port Groups command might return a wrong value in the IMPLICIT TRANSITION TIME field, which affects the SCSI to NVMe translation layer. In cases such as multi appliance migration, the time for ALUA transition is critical for some multipathing software, for example PowerPath, to perform correct operations.
- Small-sized pending unmaps might be blocked when you reboot a host or remount a disk group. The pending unmaps can cause log congestion which leads to I/O latency.
- After the first upgrade or update of your system to ESXi 7.x, with each consecutive update, also called a patch, you might see a truncation in the path to the /productLocker directory on a datastore. For example, if your first patch on ESXi 7.x is from 7.0 Update 2 to 7.0 Update 3, the path to the /productLocker directory originally is similar to /vmfs/volumes/xxx/VMware-Tools/productLocker/. However, for each consecutive patch, for example from 7.0 Update 3 to 7.0 Update 3c, the path becomes similar to /VMware-Tools/productLocker/.
- In a vSAN stretched cluster or two-node cluster, quorum votes might not be distributed correctly for objects with PFTT of 1 and SFTT of 1 or more. If one site fails, and an additional host or disk fails on the active site, the object might lose quorum and become inaccessible.
- An object resize request might fail if the new size is not aligned to 512 bytes. This problem can cause an ESXi host to fail with a purple diagnostic screen.
- In some cases, for example when a virtual machine restarts, a running SSH session that the pktcap-uw utility uses to monitor and validate switch configurations on the ESXi host might be terminated, but the pktcap-uw utility might continue to try to process packets. As a result, the utility starts consuming more CPU than usual. You can use the esxtop -a command to track CPU performance.
- In vCenter Server running 7.0 Update 3, a certified NVMe device might have the following health check warning: NVMe device is not VMware certified. You might also see the following health check warning: NVMe device can not be identified.
- The ESXCLI command hardware ipmi bmc get does not return the IPv6 address of a BMC due to wrong parsing.
- If the witness host cannot be reached by cluster hosts, the vSAN cluster Shutdown wizard might fail for a stretched cluster or two-node clusters. The issue occurs when vSAN data traffic and witness traffic use different vmknics. In the vSphere Client. you see the following error message in the vSAN Services page: Disconnected host found from orch <witness's ip>. If vCenter is hosted on the cluster, the vSphere Client is not available during shutdown, and the error message is available in the Host Client where the vCenter VM resides.
- In the vSphere Client, when you right-click to browse a datastore, you might see the UUID of some virtual machines in a vSphere Virtual Volumes datastore, such as naa.xxxx, instead of their names. The issue rarely occurs in large-scale environments with a large number of containers and VMs on a vSphere Virtual Volumes datastore. The issue has no functional impact, such as affecting VM operations, backup, or anything than VM display in the vSphere Client.
- Due to a rare issue with the ESXi infrastructure, a slow VASA provider might lead to a situation where the vSphere Virtual Volumes datastores are inaccessible, and the ESXi host becomes unresponsive.
- In certain environments, when you shut down an ESXi host, it does not power off and you see a screen with the message This system has been halted. It is safe to use the reset or power button to reboot..
- The LargeBAR setting that extends the Base Address Register (BAR) on a vmxnet3 device supports the Uniform Passthrough (UPT). However, UPT is not supported on ESX 7.0 Update 3 and later, and if the vmxnet3 driver is downgraded to a version earlier than 7.0, and the LargeBAR setting is enabled, virtual machines might lose connectivity.
- If you hot remove independent nonpersistent disks from a virtual machine that has the vmx.reboot.PowerCycle configuration parameter enabled, ESXi stores a redo log file. If such a VM is a backup proxy VM, you might see a lot of redundant redo log files to take a significant amount of storage.
- In rare cases, when an ESXi host tries to access an uncached entry from a resource pool cache, the host intermittently fails with a PF Exception 14 purple diagnostic screen and a core dump file. In the dump file, you see errors for the J3_DeleteTransaction and J6ProcessReplayTxnList modules that indicate the issue.
- A rare issue with VMFS might cause high lock contention of hostd service threads, or even deadlocks, for basic filesystem calls such as open, access or rename. As a result, the ESXi host becomes unresponsive.
- Since the MD5 authentication protocol is deprecated from ESXi 7.x, if an ESXi SNMP agent configuration uses the MD5 authentication protocol, upgrades to ESXi 7.x fail.
- In ESXi 7.x, the Syslog.global.logHost parameter that defines a comma-delimited list of remote hosts and specifications for message transmissions, does not tolerate spaces after the comma. ESXi versions earlier than 7.x tolerate a space after the comma in the Syslog.global.logHost parameter. As a result, upgrades to ESXi 7.x might fail.
- An issue related to the use of the probabilistic data structure Bloom Filter that aims to optimize read I/O for VMs running on a snapshot, might cause a logical consistency-based I/O error when VM is running on snapshot. The issue is limited and occurs only if you run running SQL server on snapshot.
- An issue with the process that scans datastores to help file-block allocations for thin files might cause a CPU lockup in certain cases. As a result, the ESXi host might fail with a purple diagnostic screen with an error similar to PSOD - @BlueScreen: NMI.
- The log files of the hostd service might get an unusually high number of Task Created and Task Completed messages for invisible tasks, which in turn might reduce the log retention time.
- If a SCSI command to a protocol endpoint of a vSphere Virtual Volumes datastore fails, the endpoint might get an Unsupported status, which might be cached. As a result, following SCSI commands to that protocol endpoint fail with an error code such as 0x5 0x20, and read and write operations to a vSphere Virtual Volumes datastore fail.
- In some cases, such as port down error, ESXi hosts might lose connectivity to the NVMe controller although some IO queues are still active.
- If you replicate a virtual machine by using vSphere Replication, and the VM disk is increased to a number that is not 512-aligned, the VM cannot power on.
- If the number of CPUs that you define with the parameter ConfigSpec#numCPUs is not multiple to the number of core per socket that you define with in the parameter ConfigSpec#numCoresPerSocket in the configuration of a virtual machine, the VM does not power on.
- This problem affects hosts in stretched clusters with locality=None, HFT=0, SFT=1 or SFT=2 policy settings. When you place a host into maintenance mode with Ensure Accessibility, the operation might stay at 100% for a long time or fail after 60 min.
- After you upgrade an ESXi host to 7.0 Update 2, you might notice frequent vSAN network latency alarms on the cluster when vSAN performance service is enabled. The latency results show that most of the alarms are issued by the vSAN primary node.
- Due to a change in the default admin queue size for NVMe over RDMA controllers in ESXi 7.0 Update 3c, updates from ESXi 7.0, 7.0 Update 1 or 7.0 Update 2 to 7.0 Update 3c might cause NVMe over RDMA storage to become inaccessible.
- Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off or migrate by using vSphere vMotion. The issue occurs due to duplicating port IDs.
- ESXi hosts might lose access to Unity storage arrays after upgrading the lpfc driver to 14.0.x.x. You see errors such as protocol failure detected during processing of FCP I/O and rspInfo3 x2 in the driver logs.
- For LSI-related drivers, when an ESXi server boots up, if you plug out a disk and plug it in another slot on the same host, changes in the disk location might take long to become visible from the vSphere Client or by using the ESXCLI command esxcli storage core device physical get -d. The issue is specific to drivers with many disks connected to the driver, 150 and more, and is resolved within 5 minutes.
- With ESXi 7.0 Update 3f, the Intel-icen driver supports networking functions on E822/E823 NICs for Intel Icelake-D platforms. ENS (Enhanced Network Stack) and RDMA functions on such devices are not supported.
- ESXi 7.0 Update 3f upgrades the Intel-ne1000 driver to support Intel I219-LM devices that are required for newer server models, such as the Intel Rocket Lake-S platform. The TCP segmentation offload for the I219 devices is deactivated because of known issues in the hardware DMA.
- A very rare null pointer error issue might cause ESXi hosts on IBM FlashSystem V9000 arrays to fail with a purple diagnostic screen and an error such as #PF Exception 14 in world 2098414:CqWorld IP 0xxxxx addr 0xxxx.
- When you disable or suspend vSphere FT, virtual machines might temporarily lose connectivity and not respond to pinging or any network traffic. Pinging virtual machines might time out consecutively within a short period, such as 20 sec.
- Under certain conditions, such as increasing page-sharing or disabling the use of large pages at VM or ESXi host level, you might see CPU utilization of Windows VBS-enabled VMs to reach up to 100%.

ESXi-7.0U3sf-20036586-standard

Profile Name	ESXi-7.0U3sf-20036586-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	July 12, 2022
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_native-misc-drivers_7.0.3-0.45.20036586 VMware_bootbank_bmcal_7.0.3-0.45.20036586 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_vsanhealth_7.0.3-0.45.20036586 VMware_bootbank_esxio-combiner_7.0.3-0.45.20036586 VMware_bootbank_esx-xserver_7.0.3-0.45.20036586 VMware_bootbank_trx_7.0.3-0.45.20036586 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.45.20036586 VMware_bootbank_vdfs_7.0.3-0.45.20036586 VMware_bootbank_vsan_7.0.3-0.45.20036586 VMware_bootbank_cpu-microcode_7.0.3-0.45.20036586 VMware_bootbank_esx-base_7.0.3-0.45.20036586 VMware_bootbank_gc_7.0.3-0.45.20036586 VMware_bootbank_crx_7.0.3-0.45.20036586 VMware_bootbank_esx-update_7.0.3-0.45.20036586 VMware_bootbank_loadesx_7.0.3-0.45.20036586 VMware_locker_tools-light_12.0.0.19345655-20036586
PRs Fixed	2920287, 2946147, 2946217, 2946222, 2946671, 2946863, 2947156, 2951864, 2951866, 2972147, 2972151, 2816546
Related CVE numbers	CVE-2004-0230, CVE-2020-7451, CVE-2015-2923, CVE-2015-5358, CVE-2013-3077, CVE-2015-1414, CVE-2018-6918, CVE-2020-7469, CVE-2019-5611, CVE-2020-7457, CVE-2018-6916, CVE-2019-5608, CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, CVE-2022-29901

This patch updates the following issues:
- - The Expat XML parser is updated to version 2.4.7.
  - The SQLite database is updated to version 3.37.2.
  - The cURL library is updated to version 7.81.0.
  - The OpenSSL package is updated to version openssl-1.0.2ze.
  - The ESXi userworld libxml2 library is updated to version 2.9.14.
  - The Python package is updated to 3.8.13.
  - The zlib library is updated to 1.2.12.
  - This release resolves CVE-2004-0230. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.
  - This release resolves CVE-2020-7451. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
  - This release resolves CVE-2015-2923. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
  - This release resolves CVE-2015-5358. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
  - This release resolves CVE-2013-3077. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.0.
  - This release resolves CVE-2015-1414. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2018-6918. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2020-7469. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2019-5611. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2020-7457. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.8.
  - This release resolves CVE-2018-6916. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
  - This release resolves CVE-2019-5608. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
- This release resolves CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, and CVE-2022-29901. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0020.

ESXi-7.0U3sf-20036586-no-tools

Profile Name	ESXi-7.0U3sf-20036586-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	July 12, 2022
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_native-misc-drivers_7.0.3-0.45.20036586 VMware_bootbank_bmcal_7.0.3-0.45.20036586 VMware_bootbank_esx-ui_1.43.8-19798623 VMware_bootbank_vsanhealth_7.0.3-0.45.20036586 VMware_bootbank_esxio-combiner_7.0.3-0.45.20036586 VMware_bootbank_esx-xserver_7.0.3-0.45.20036586 VMware_bootbank_trx_7.0.3-0.45.20036586 VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.45.20036586 VMware_bootbank_vdfs_7.0.3-0.45.20036586 VMware_bootbank_vsan_7.0.3-0.45.20036586 VMware_bootbank_cpu-microcode_7.0.3-0.45.20036586 VMware_bootbank_esx-base_7.0.3-0.45.20036586 VMware_bootbank_gc_7.0.3-0.45.20036586 VMware_bootbank_crx_7.0.3-0.45.20036586 VMware_bootbank_esx-update_7.0.3-0.45.20036586 VMware_bootbank_loadesx_7.0.3-0.45.20036586
PRs Fixed	2920287, 2946147, 2946217, 2946222, 2946671, 2946863, 2947156, 2951864, 2951866, 2972147, 2972151, 2816546
Related CVE numbers	CVE-2004-0230, CVE-2020-7451, CVE-2015-2923, CVE-2015-5358, CVE-2013-3077, CVE-2015-1414, CVE-2018-6918, CVE-2020-7469, CVE-2019-5611, CVE-2020-7457, CVE-2018-6916, CVE-2019-5608, CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, CVE-2022-29901

This patch updates the following issues:
- - The Expat XML parser is updated to version 2.4.7.
  - The SQLite database is updated to version 3.37.2.
  - The cURL library is updated to version 7.81.0.
  - The OpenSSL package is updated to version openssl-1.0.2ze.
  - The ESXi userworld libxml2 library is updated to version 2.9.14.
  - The Python package is updated to 3.8.13.
  - The zlib library is updated to 1.2.12.
  - This release resolves CVE-2004-0230. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.
  - This release resolves CVE-2020-7451. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
  - This release resolves CVE-2015-2923. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
  - This release resolves CVE-2015-5358. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.5.
  - This release resolves CVE-2013-3077. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.0.
  - This release resolves CVE-2015-1414. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2018-6918. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2020-7469. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2019-5611. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.
  - This release resolves CVE-2020-7457. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.8.
  - This release resolves CVE-2018-6916. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
  - This release resolves CVE-2019-5608. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.1.
- This release resolves CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, and CVE-2022-29901. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0020.

ESXi Image - ESXi70U3f-20036589

Name	ESXi
Version	ESXi70U3f-20036589
Release Date	July 12, 2022
Category	Bugfix
Affected Components	ESXi Component - core ESXi VIBs ESXi Install/Upgrade Component Broadcom NetXtreme-E Network and ROCE/RDMA Drivers for VMware ESXi Network driver for Intel(R) E810 Adapters Network driver for Intel(R) X722 and E810 based RDMA Adapters VMware Native iSER Driver Broadcom Emulex Connectivity Division lpfc driver for FC adapters LSI NATIVE DRIVERS LSU Management Plugin Networking Driver for Intel PRO/1000 Family Adapters USB Driver
PRs Fixed	2916848, 2817702, 2937074, 2957732, 2984134, 2944807, 2985369, 2907963, 2949801, 2984245, 2911320 , 2915911, 2990593, 2992648, 2905357, 2980176, 2974472, 2974376, 2972059, 2973031, 2967359, 2860126, 2878245, 2876044, 2968157, 2960242, 2970238, 2966270, 2966783, 2963328, 2939395, 2966362, 2946550, 2958543, 2966628, 2961584, 2911056, 2965235, 2952427, 2963401, 2965146, 2963038, 2963479, 2949375, 2961033, 2958926, 2839515, 2951139, 2878224, 2954320, 2952432, 2961346, 2857932, 2960949, 2960882, 2957966, 2929443, 2956080, 2959293, 2944919, 2948800, 2928789, 2957769, 2928268, 2957062, 2792139, 2934102, 2953709, 2950686, 2953488, 2949446, 2955016, 2953217, 2956030, 2949902, 2944894, 2944521, 2911363, 2952205, 2894093, 2910856, 2953754, 2949777, 2925733, 2951234, 2915979, 2904241, 2935355, 2941263, 2912661, 2891231, 2928202, 2928268, 2867146, 2244126, 2912330, 2898858, 2906297, 2912213, 2910340, 2745800, 2912182, 2941274, 2912230, 2699748, 2882789, 2869031, 2913017, 2864375, 2929821, 2957673, 2921564, 2925133, 2965277, 2980176
Related CVE numbers	N/A

ESXi Image - ESXi70U3sf-20036586

Name	ESXi
Version	ESXi70U3sf-20036586
Release Date	July 12, 2022
Category	Security
Affected Components	ESXi Component - core ESXi VIBs ESXi Install/Upgrade Component VMware-VM-Tools
PRs Fixed	2920287, 2946147, 2946217, 2946222, 2946671, 2946863, 2947156, 2951864, 2951866, 2972147, 2972151
Related CVE numbers	CVE-2004-0230, CVE-2020-7451, CVE-2015-2923, CVE-2015-5358, CVE-2013-3077, CVE-2015-1414, CVE-2018-6918, CVE-2020-7469, CVE-2019-5611, CVE-2020-7457, CVE-2018-6916, CVE-2019-5608, CVE-2022-23816, CVE-2022-23825, CVE-2022-28693, CVE-2022-29901

Known Issues

The known issues are grouped as follows.

vSphere Client Issues
Miscellaneous Issues
Known Issues from Previous Releases

vSphere Client Issues

BIOS manufacturer displays as "--" in the vSphere Client
In the vSphere Client, when you select an ESXi host and navigate to Configure > Hardware > Firmware, you see -- instead of the BIOS manufacturer name.

Workaround: For more information, see VMware knowledge base article 88937.

Miscellaneous Issues

USB device passthrough from ESXi hosts to virtual machines might fail
A USB modem device might simultaneously claim multiple interfaces by the VMkernel and block the device passthrough to VMs.
Workaround: You must apply the USB.quirks advanced configuration on the ESXi host to ignore the NET interface from VMkernel and allow the USB modem to passthrough to VMs. You can apply the configuration in 3 alternative ways:
1. Access the ESXi shell and run the following command: esxcli system settings advanced set -o /USB/quirks -s 0xvvvv:0xpppp:0:0xffff:UQ_NET_IGNORE | |- Device Product ID |------- Device Vendor ID
  For example, for the Gemalto M2M GmbH Zoom 4625 Modem(vid:pid/1e2d:005b), you can have the command
  esxcli system settings advanced set -o /USB/quirks -s 0x1e2d:0x005b:0:0xffff:UQ_NET_IGNORE
  Reboot the ESXi host.
2. Set the advanced configuration from the vSphere Client or the vSphere Web Client and reboot the ESXi host.
3. Use a Host Profile to apply the advanced configuration.
For more information on the steps, see VMware knowledge base article 80416.

Known Issues from Previous Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

vSAN Issues
vSphere Cluster Services Issues
Installation, Upgrade, and Migration Issues
Security Features Issues
Networking Issues
Storage Issues
vCenter Server and vSphere Client Issues
Virtual Machine Management Issues
vSphere HA and Fault Tolerance Issues
vSphere Lifecycle Manager Issues
Miscellaneous Issues

vSAN Issues

If you change the preferred site in a VMware vSAN Stretched Cluster, some objects might incorrectly appear as compliant
If you change the preferred site in a stretched cluster, some objects might incorrectly appear as compliant, because their policy settings might not automatically change. For example, if you configure a virtual machine to keep data at the preferred site, when you change the preferred site, data might remain on the nonpreferred site.

Workaround: Before you change a preferred site, in Advanced Settings, lower the ClomMaxCrawlCycleMinutes setting to 15 min to make sure objects policies are updated. After the change, revert the ClomMaxCrawlCycleMinutes option to the earlier value.

vSphere Cluster Services Issues

You see compatibility issues in new vCLS VMs deployed in vSphere 7.0 Update 3 environment
The default name for new vCLS VMs deployed in vSphere 7.0 Update 3 environment uses the pattern vCLS-UUID. vCLS VMs created in earlier vCenter Server versions continue to use the pattern vCLS (n). Since the use of parenthesis () is not supported by many solutions that interoperate with vSphere, you might see compatibility issues.

Workaround: Reconfigure vCLS by using retreat mode after updating to vSphere 7.0 Update 3.

Installation, Upgrade, and Migration Issues

The vCenter Upgrade/Migration pre-checks fail with "Unexpected error 87"
The vCenter Server Upgrade/Migration pre-checks fail when the Security Token Service (STS) certificate does not contain a Subject Alternative Name (SAN) field. This situation occurs when you have replaced the vCenter 5.5 Single Sign-On certificate with a custom certificate that has no SAN field, and you attempt to upgrade to vCenter Server 7.0. The upgrade considers the STS certificate invalid and the pre-checks prevent the upgrade process from continuing.

Workaround: Replace the STS certificate with a valid certificate that contains a SAN field then proceed with the vCenter Server 7.0 Upgrade/Migration.
Problems upgrading to vSphere 7.0 with pre-existing CIM providers
After upgrade, previously installed 32-bit CIM providers stop working because ESXi requires 64-bit CIM providers. Customers may lose management API functions related to CIMPDK, NDDK (native DDK), HEXDK, VAIODK (IO filters), and see errors related to uwglibc dependency.
The syslog reports module missing, "32 bit shared libraries not loaded."

Workaround: There is no workaround. The fix is to download new 64-bit CIM providers from your vendor.
Installation of 7.0 Update 1 drivers on ESXi 7.0 hosts might fail
You cannot install drivers applicable to ESXi 7.0 Update 1 on hosts that run ESXi 7.0 or 7.0b.
The operation fails with an error, such as:
VMW_bootbank_qedrntv_3.40.4.0-12vmw.701.0.0.xxxxxxx requires vmkapi_2_7_0_0, but the requirement cannot be satisfied within the ImageProfile. Please refer to the log file for more details.

Workaround: Update the ESXi host to 7.0 Update 1. Retry the driver installation.
UEFI booting of ESXi hosts might stop with an error during an update to ESXi 7.0 Update 2 from an earlier version of ESXi 7.0
If you attempt to update your environment to 7.0 Update 2 from an earlier version of ESXi 7.0 by using vSphere Lifecycle Manager patch baselines, UEFI booting of ESXi hosts might stop with an error such as:
Loading /boot.cfg Failed to load crypto64.efi Fatal error: 15 (Not found)

Workaround: For more information, see VMware knowledge base articles 83063 and 83107 .
If legacy VIBs are in use on an ESXi host, vSphere Lifecycle Manager cannot extract a desired software specification to seed to a new cluster
With vCenter Server 7.0 Update 2, you can create a new cluster by importing the desired software specification from a single reference host. However, if legacy VIBs are in use on an ESXi host, vSphere Lifecycle Manager cannot extract in the vCenter Server instance where you create the cluster a reference software specification from such a host. In the /var/log/lifecycle.log, you see messages such as:
020-11-11T06:54:03Z lifecycle: 1000082644: HostSeeding:499 ERROR Extract depot failed: Checksum doesn't match. Calculated 5b404e28e83b1387841bb417da93c8c796ef2497c8af0f79583fd54e789d8826, expected: 0947542e30b794c721e21fb595f1851b247711d0619c55489a6a8cae6675e796 2020-11-11T06:54:04Z lifecycle: 1000082644: imagemanagerctl:366 ERROR Extract depot failed. 2020-11-11T06:54:04Z lifecycle: 1000082644: imagemanagerctl:145 ERROR [VibChecksumError]

Workaround: Follow the steps described in VMware knowledge base article 83042.
You see a short burst of log messages in the syslog.log after every ESXi boot
After updating to ESXi 7.0 Update 2, you might see a short burst of log messages after every ESXi boot.
Such logs do not indicate any issue with ESXi and you can ignore these messages. For example:
2021-01-19T22:44:22Z watchdog-vaai-nasd: '/usr/lib/vmware/nfs/bin/vaai-nasd -f' exited after 0 seconds (quick failure 127) 1 2021-01-19T22:44:22Z watchdog-vaai-nasd: Executing '/usr/lib/vmware/nfs/bin/vaai-nasd -f' 2021-01-19T22:44:22.990Z aainasd[1000051135]: Log for VAAI-NAS Daemon for NFS version=1.0 build=build-00000 option=DEBUG 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoadFile: No entries loaded by dictionary. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "//.vmware/config": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "//.vmware/preferences": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: Switching to VMware syslog extensions 2021-01-19T22:44:22.992Z vaainasd[1000051135]: Loading VAAI-NAS plugin(s). 2021-01-19T22:44:22.992Z vaainasd[1000051135]: DISKLIB-PLUGIN : Not loading plugin /usr/lib/vmware/nas_plugins/lib64: Not a shared library.

Workaround: None
You see warning messages for missing VIBs in vSphere Quick Boot compatibility check reports
After you upgrade to ESXi 7.0 Update 2, if you check vSphere Quick Boot compatibility of your environment by using the /usr/lib/vmware/loadesx/bin/loadESXCheckCompat.py command, you might see some warning messages for missing VIBs in the shell. For example:
Cannot find VIB(s) ... in the given VIB collection. Ignoring missing reserved VIB(s) ..., they are removed from reserved VIB IDs.
Such warnings do not indicate a compatibility issue.

Workaround: The missing VIB messages can be safely ignored and do not affect the reporting of vSphere Quick Boot compatibility. The final output line of the loadESXCheckCompat command unambiguously indicates if the host is compatible.
Auto bootstrapping a cluster that you manage with a vSphere Lifecycle Manager image fails with an error
If you attempt auto bootstrapping a cluster that you manage with a vSphere Lifecycle Manager image to perform a stateful install and overwrite the VMFS partitions, the operation fails with an error. In the support bundle, you see messages such as:
2021-02-11T19:37:43Z Host Profiles[265671 opID=MainThread]: ERROR: EngineModule::ApplyHostConfig. Exception: [Errno 30] Read-only file system

Workaround: Follow vendor guidance to clean the VMFS partition in the target host and retry the operation. Alternatively, use an empty disk. For more information on the disk-partitioning utility on ESXi, see VMware knowledge base article 1036609.
Upgrades to ESXi 7.x from 6.5.x and 6.7.0 by using ESXCLI might fail due to a space limitation
Upgrades to ESXi 7.x from 6.5.x and 6.7.0 by using the esxcli software profile update or esxcli software profile install ESXCLI commands might fail, because the ESXi bootbank might be less than the size of the image profile. In the ESXi Shell or the PowerCLI shell, you see an error such as:
```
[InstallationError]
 The pending transaction requires 244 MB free space, however the maximum supported size is 239 MB.
 Please refer to the log file for more details.
```
The issue also occurs when you attempt an ESXi host upgrade by using the ESXCLI commands esxcli software vib update or esxcli software vib install.

Workaround: You can perform the upgrade in two steps, by using the esxcli software profile update command to update ESXi hosts to ESXi 6.7 Update 1 or later, and then update to 7.0 Update 1c. Alternatively, you can run an upgrade by using an ISO image and the vSphere Lifecycle Manager.
You cannot migrate linked clones across vCenter Servers
If you migrate a linked clone across vCenter Servers, operations such as power on and delete might fail for the source virtual machine with an Invalid virtual machine state error.

Workaround: Keep linked clones on the same vCenter Server as the source VM. Alternatively, promote the linked clone to full clone before migration.
Migration across vCenter Servers of virtual machines with many virtual disks and snapshot levels to a datastore on NVMe over TCP storage might fail
Migration across vCenter Servers of virtual machines with more than 180 virtual disks and 32 snapshot levels to a datastore on NVMe over TCP storage might fail. The ESXi host preemptively fails with an error such as The migration has exceeded the maximum switchover time of 100 second(s).

Workaround: None
A virtual machine with enabled Virtual Performance Monitoring Counters (VPMC) might fail to migrate between ESXi hosts
If you try to migrate a virtual machine with enabled VPMC by using vSphere vMotion, the operation might fail if the target host is using some of the counters to compute memory or performance statistics. The operation fails with an error such as A performance counter used by the guest is not available on the host CPU.

Workaround: Power off the virtual machine and use cold migration. For more information, see VMware knowledge base article 81191.
If a live VIB install, upgrade, or remove operation immediately precedes an interactive or scripted upgrade to ESXi 7.0 Update 3 by using the installer ISO, the upgrade fails
When a VIB install, upgrade, or remove operation immediately precedes an interactive or scripted upgrade to ESXi 7.0 Update 3 by using the installer ISO, the ConfigStore might not keep some configurations of the upgrade. As a result, ESXi hosts become inaccessible after the upgrade operation, although the upgrade seems successful. To prevent this issue, the ESXi 7.0 Update 3 installer adds a temporary check to block such scenarios. In the ESXi installer console, you see the following error message: Live VIB installation, upgrade or removal may cause subsequent ESXi upgrade to fail when using the ISO installer.

Workaround: Use an alternative upgrade method to avoid the issue, such as using ESXCLI or the vSphere Lifecycle Manager.
Smart Card and RSA SecurID authentication might stop working after upgrading to vCenter Server 7.0
If you have configured vCenter Server for either Smart Card or RSA SecurID authentication, see the VMware knowledge base article at https://kb.vmware.com/s/article/78057 before starting the vSphere 7.0 upgrade process. If you do not perform the workaround as described in the KB, you might see the following error messages and Smart Card or RSA SecurID authentication does not work.

"Smart card authentication may stop working. Smart card settings may not be preserved, and smart card authentication may stop working."

or

"RSA SecurID authentication may stop working. RSA SecurID settings may not be preserved, and RSA SecurID authentication may stop working."

Workaround: Before upgrading to vSphere 7.0, see the VMware knowledge base article at https://kb.vmware.com/s/article/78057.
Upgrading a vCenter Server with an external Platform Services Controller from 6.7u3 to 7.0 fails with VMAFD error
When you upgrade a vCenter Server deployment using an external Platform Services Controller, you converge the Platform Services Controller into a vCenter Server appliance. If the upgrade fails with the error install.vmafd.vmdir_vdcpromo_error_21, the VMAFD firstboot process has failed. The VMAFD firstboot process copies the VMware Directory Service Database (data.mdb) from the source Platform Services Controller and replication partner vCenter Server appliance.

Workaround: Disable TCP Segmentation Offload (TSO) and Generic Segmentation Offload (GSO) on the Ethernet adapter of the source Platform Services Controller or replication partner vCenter Server appliance before upgrading a vCenter Server with an external Platform Services Controller. See Knowledge Base article: https://kb.vmware.com/s/article/74678
Smart card and RSA SecurID settings may not be preserved during vCenter Server upgrade
Authentication using RSA SecurID will not work after upgrading to vCenter Server 7.0. An error message will alert you to this issue when attempting to login using your RSA SecurID login.

Workaround: Reconfigure the smart card or RSA SecureID.
Migration of vCenter Server for Windows to vCenter Server appliance 7.0 fails with network error message
Migration of vCenter Server for Windows to vCenter Server appliance 7.0 fails with the error message IP already exists in the network. This prevents the migration process from configuring the network parameters on the new vCenter Server appliance. For more information, examine the log file: /var/log/vmware/upgrade/UpgradeRunner.log

Workaround:
1. Verify that all Windows Updates have been completed on the source vCenter Server for Windows instance, or disable automatic Windows Updates until after the migration finishes.
2. Retry the migration of vCenter Server for Windows to vCenter Server appliance 7.0.
When you configure the number of virtual functions for an SR-IOV device by using the max_vfs module parameter, the changes might not take effect
In vSphere 7.0, you can configure the number of virtual functions for an SR-IOV device by using the Virtual Infrastructure Management (VIM) API, for example, through the vSphere Client. The task does not require reboot of the ESXi host. After you use the VIM API configuration, if you try to configure the number of SR-IOV virtual functions by using the max_vfs module parameter, the changes might not take effect because they are overridden by the VIM API configuration.

Workaround: None. To configure the number of virtual functions for an SR-IOV device, use the same method every time. Use the VIM API or use the max_vfs module parameter and reboot the ESXi host.
Upgraded vCenter Server appliance instance does not retain all the secondary networks (NICs) from the source instance
During a major upgrade, if the source instance of the vCenter Server appliance is configured with multiple secondary networks other than the VCHA NIC, the target vCenter Server instance will not retain secondary networks other than the VCHA NIC. If the source instance is configured with multiple NICs that are part of VDS port groups, the NIC configuration will not be preserved during the upgrade. Configurations for vCenter Server appliance instances that are part of the standard port group will be preserved.

Workaround: None. Manually configure the secondary network in the target vCenter Server appliance instance.
After upgrading or migrating a vCenter Server with an external Platform Services Controller, users authenticating using Active Directory lose access to the newly upgraded vCenter Server instance
After upgrading or migrating a vCenter Server with an external Platform Services Controller, if the newly upgraded vCenter Server is not joined to an Active Directory domain, users authenticating using Active Directory will lose access to the vCenter Server instance.

Workaround: Verify that the new vCenter Server instance has been joined to an Active Directory domain. See Knowledge Base article: https://kb.vmware.com/s/article/2118543
Migrating a vCenter Server for Windows with an external Platform Services Controller using an Oracle database fails
If there are non-ASCII strings in the Oracle events and tasks table the migration can fail when exporting events and tasks data. The following error message is provided: UnicodeDecodeError

Workaround: None.
After an ESXi host upgrade, a Host Profile compliance check shows non-compliant status while host remediation tasks fail
The non-compliant status indicates an inconsistency between the profile and the host.

This inconsistency might occur because ESXi 7.0 does not allow duplicate claim rules, but the profile you use contains duplicate rules. For example, if you attempt to use the Host Profile that you extracted from the host before upgrading ESXi 6.5 or ESXi 6.7 to version 7.0 and the Host Profile contains any duplicate claim rules of system default rules, you might experience the problems.

Workaround:
1. Remove any duplicate claim rules of the system default rules from the Host Profile document.
2. Check the compliance status.
3. Remediate the host.
4. If the previous steps do not help, reboot the host.
Error message displays in the vCenter Server Management Interface
After installing or upgrading to vCenter Server 7.0, when you navigate to the Update panel within the vCenter Server Management Interface, the error message "Check the URL and try again" displays. The error message does not prevent you from using the functions within the Update panel, and you can view, stage, and install any available updates.

Workaround: None.

Security Features Issues

Turn off the Service Location Protocol service in ESXi, slpd, to prevent potential security vulnerabilities
Some services in ESXi that run on top of the host operating system, including slpd, the CIM object broker, sfcbd, and the related openwsmand service, have proven security vulnerabilities. VMware has addressed all known vulnerabilities in VMSA-2019-0022 and VMSA-2020-0023, and the fixes are part of the vSphere 7.0 Update 2 release. While sfcbd and openwsmand are disabled by default in ESXi, slpd is enabled by default and you must turn it off, if not necessary, to prevent exposure to a future vulnerability after an upgrade.

Workaround: To turn off the slpd service, run the following PowerCLI commands:
$ Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq “slpd”} | Set-VMHostService -policy “off” $ Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq “slpd”} | Stop-VMHostService -Confirm:$false

Alternatively, you can use the command chkconfig slpd off && /etc/init.d/slpd stop.

The openwsmand service is not on the ESXi services list and you can check the service state by using the following PowerCLI commands:
$esx=(Get-EsxCli -vmhost xx.xx.xx.xx -v2) $esx.system.process.list.invoke() | where CommandLine -like '*openwsman*' | select commandline

In the ESXi services list, the sfcbd service appears as sfcbd-watchdog.

For more information, see VMware knowledge base articles 76372 and 1025757.
Encrypted virtual machine fails to power on when HA-enabled Trusted Cluster contains an unattested host
In VMware® vSphere Trust Authority™, if you have enabled HA on the Trusted Cluster and one or more hosts in the cluster fails attestation, an encrypted virtual machine cannot power on.

Workaround: Either remove or remediate all hosts that failed attestation from the Trusted Cluster.
Encrypted virtual machine fails to power on when DRS-enabled Trusted Cluster contains an unattested host
In VMware® vSphere Trust Authority™, if you have enabled DRS on the Trusted Cluster and one or more hosts in the cluster fails attestation, DRS might try to power on an encrypted virtual machine on an unattested host in the cluster. This operation puts the virtual machine in a locked state.

Workaround: Either remove or remediate all hosts that failed attestation from the Trusted Cluster.
Migrating or cloning encrypted virtual machines across vCenter Server instances fails when attempting to do so using the vSphere Client
If you try to migrate or clone an encrypted virtual machine across vCenter Server instances using the vSphere Client, the operation fails with the following error message: "The operation is not allowed in the current state."

Workaround: You must use the vSphere APIs to migrate or clone encrypted virtual machines across vCenter Server instances.

Networking Issues

Reduced throughput in networking performance on Intel 82599/X540/X550 NICs
The new queue-pair feature added to ixgben driver to improve networking performance on Intel 82599EB/X540/X550 series NICs might reduce throughput under some workloads in vSphere 7.0 as compared to vSphere 6.7.

Workaround: To achieve the same networking performance as vSphere 6.7, you can disable the queue-pair with a module parameter. To disable the queue-pair, run the command:

# esxcli system module parameters set -p "QPair=0,0,0,0..." -m ixgben

After running the command, reboot.
One or more I/O devices do not generate interrupts when the AMD IOMMU is in use
If the I/O devices on your ESXi host provide more than a total of 512 distinct interrupt sources, some sources are erroneously assigned an interrupt-remapping table entry (IRTE) index in the AMD IOMMU that is greater than the maximum value. Interrupts from such a source are lost, so the corresponding I/O device behaves as if interrupts are disabled.

Workaround: Use the ESXCLI command esxcli system settings kernel set -s iovDisableIR -v true to disable the AMD IOMMU interrupt remapper. Reboot the ESXi host so that the command takes effect.
When you set auto-negotiation on a network adapter, the device might fail
In some environments, if you set link speed to auto-negotiation for network adapters by using the command esxcli network nic set -a -n vmmicx, the devices might fail and reboot does not recover connectivity. The issue is specific to a combination of some Intel X710/X722 network adapters, a SFP+ module and a physical switch, where auto-negotiate speed/duplex scenario is not supported.

Workaround: Make sure you use an Intel-branded SFP+ module. Alternatively, use a Direct Attach Copper (DAC) cable.
Solarflare x2542 and x2541 network adapters configured in 1x100G port mode achieve throughput of up to 70Gbps in a vSphere environment
vSphere 7.0 Update 2 supports Solarflare x2542 and x2541 network adapters configured in 1x100G port mode. However, you might see a hardware limitation in the devices that causes the actual throughput to be up to some 70Gbps in a vSphere environment.

Workaround: None
VLAN traffic might fail after a NIC reset
A NIC with PCI device ID 8086:1537 might stop to send and receive VLAN tagged packets after a reset, for example, with a command vsish -e set /net/pNics/vmnic0/reset 1.

Workaround: Avoid resetting the NIC. If you already face the issue, use the following commands to restore the VLAN capability, for example at vmnic0:
# esxcli network nic software set --tagging=1 -n vmnic0 # esxcli network nic software set --tagging=0 -n vmnic0
Any change in the NetQueue balancer settings causes NetQueue to be disabled after an ESXi host reboot
Any change in the NetQueue balancer settings by using the command esxcli/localcli network nic queue loadbalancer set -n <nicname> --<lb_setting> causes NetQueue, which is enabled by default, to be disabled after an ESXi host reboot.

Workaround: After a change in the NetQueue balancer settings and host reboot, use the command configstorecli config current get -c esx -g network -k nics to retrieve ConfigStore data to verify whether the /esx/network/nics/net_queue/load_balancer/enable is working as expected.

After you run the command, you see output similar to:
{ "mac": "02:00:0e:6d:14:3e", "name": "vmnic1", "net_queue": { "load_balancer": { "dynamic_pool": true, "enable": true } }, "virtual_mac": "00:50:56:5a:21:11" }

If the output is not as expected, for example "load_balancer": "enable": false", run the following command:
esxcli/localcli network nic queue loadbalancer state set -n <nicname> -e true
Paravirtual RDMA (PVRDMA) network adapters do not support NSX networking policies
If you configure an NSX distributed virtual port for use in PVRDMA traffic, the RDMA protocol traffic over the PVRDMA network adapters does not comply with the NSX network policies.

Workaround: Do not configure NSX distributed virtual ports for use in PVRDMA traffic.
Rollback from converged vSphere Distributed Switch (VDS) to NSX-T VDS is not supported in vSphere 7.0 Update 3
Rollback from converged VDS that supports both vSphere 7 traffic and NSX-T 3 traffic on the same VDS to one N-VDS for NSX-T traffic is not supported in vSphere 7.0 Update 3.

Workaround: None
If you do not set the nmlx5 network driver module parameter, network connectivity or ESXi hosts might fail
If you do not set the supported_num_ports module parameter for the nmlx5_core driver on an ESXi host with multiple network adapters of versions Mellanox ConnectX-4, Mellanox ConnectX-5 and Mellanox ConnectX-6, the driver might not allocate sufficient memory for operating all the NIC ports for the host. As a result, you might experience network loss or ESXi host failure with purple diagnostic screen, or both.

Workaround: Set the supported_num_ports module parameter value in the nmlx5_core network driver equal to the total number of Mellanox ConnectX-4, Mellanox ConnectX-5 and Mellanox ConnectX-6 network adapter ports on the ESXi host.
High throughput virtual machines may experience degradation in network performance when Network I/O Control (NetIOC) is enabled
Virtual machines requiring high network throughput can experience throughput degradation when upgrading from vSphere 6.7 to vSphere 7.0 with NetIOC enabled.

Workaround: Adjust the ethernetx.ctxPerDev setting to enable multiple worlds.
IPv6 traffic fails to pass through VMkernel ports using IPsec
When you migrate VMkernel ports from one port group to another, IPv6 traffic does not pass through VMkernel ports using IPsec.

Workaround: Remove the IPsec security association (SA) from the affected server, and then reapply the SA. To learn how to set and remove an IPsec SA, see the vSphere Security documentation.
Higher ESX network performance with a portion of CPU usage increase
ESX network performance may increase with a portion of CPU usage.

Workaround: Remove and add the network interface with only 1 rx dispatch queue. For example:

esxcli network ip interface remove --interface-name=vmk1

esxcli network ip interface add --interface-name=vmk1 --num-rxqueue=1
VM might lose Ethernet traffic after hot-add, hot-remove or storage vMotion
A VM might stop receiving Ethernet traffic after a hot-add, hot-remove or storage vMotion. This issue affects VMs where the uplink of the VNIC has SR-IOV enabled. PVRDMA virtual NIC exhibits this issue when the uplink of the virtual network is a Mellanox RDMA capable NIC and RDMA namespaces are configured.

Workaround: You can hot-remove and hot-add the affected Ethernet NICs of the VM to restore traffic. On Linux guest operating systems, restarting the network might also resolve the issue. If these workarounds have no effect, you can reboot the VM to restore network connectivity.
Change of IP address for a VCSA deployed with static IP address requires that you create the DNS records in advance
With the introduction of the DDNS, the DNS record update only works for VCSA deployed with DHCP configured networking. While changing the IP address of the vCenter server via VAMI, the following error is displayed:

The specified IP address does not resolve to the specified hostname.

Workaround: There are two possible workarounds.
1. Create an additional DNS entry with the same FQDN and desired IP address. Log in to the VAMI and follow the steps to change the IP address.
2. Log in to the VCSA using ssh. Execute the following script:
  ./opt/vmware/share/vami/vami_config_net
  
  Use option 6 to change the IP adddress of eth0. Once changed, execute the following script:
  
  ./opt/likewise/bin/lw-update-dns
  
  Restart all the services on the VCSA to update the IP information on the DNS server.
It may take several seconds for the NSX Distributed Virtual Port Group (NSX DVPG) to be removed after deleting the corresponding logical switch in NSX Manager.
As the number of logical switches increases, it may take more time for the NSX DVPG in vCenter Server to be removed after deleting the corresponding logical switch in NSX Manager. In an environment with 12000 logical switches, it takes approximately 10 seconds for an NSX DVPG to be deleted from vCenter Server.

Workaround: None.
Hostd runs out of memory and fails if a large number of NSX Distributed Virtual port groups are created.
In vSphere 7.0, NSX Distributed Virtual port groups consume significantly larger amounts of memory than opaque networks. For this reason, NSX Distributed Virtual port groups can not support the same scale as an opaque network given the same amount of memory.

Workaround:To support the use of NSX Distributed Virtual port groups, increase the amount of memory in your ESXi hosts. If you verify that your system has adequate memory to support your VMs, you can directly increase the memory of hostd using the following command.

localcli --plugin-dir /usr/lib/vmware/esxcli/int/ sched group setmemconfig --group-path host/vim/vmvisor/hostd --units mb --min 2048 --max 2048

Note that this will cause hostd to use memory normally reserved for your environment's VMs. This may have the affect of reducing the number of VMs your ESXi host can support.
DRS may incorrectly launch vMotion if the network reservation is configured on a VM
If the network reservation is configured on a VM, it is expected that DRS only migrates the VM to a host that meets the specified requirements. In a cluster with NSX transport nodes, if some of the transport nodes join the transport zone by NSX-T Virtual Distributed Switch (N-VDS), and others by vSphere Distributed Switch (VDS) 7.0, DRS may incorrectly launch vMotion. You might encounter this issue when:
- The VM connects to an NSX logical switch configured with a network reservation.
- Some transport nodes join transport zone using N-VDS, and others by VDS 7.0, or, transport nodes join the transport zone through different VDS 7.0 instances.
Workaround: Make all transport nodes join the transport zone by N-VDS or the same VDS 7.0 instance.
When adding a VMkernel NIC (vmknic) to an NSX portgroup, vCenter Server reports the error "Connecting VMKernel adapter to a NSX Portgroup on a Stateless host is not a supported operation. Please use Distributed Port Group instead."
- For stateless ESXi on Distributed Virtual Switch (VDS), the vmknic on a NSX port group is blocked. You must instead use a Distributed Port Group.
- For stateful ESXi on VDS, vmknic on NSX port group is supported, but vSAN may have an issue if it is using vmknic on a NSX port group.
Workaround: Use a Distributed Port Group on the same VDS.
Enabling SRIOV from vCenter for QLogic 4x10GE QL41164HFCU CNA might fail
If you navigate to the Edit Settings dialog for physical network adapters and attempt to enable SR-IOV, the operation might fail when using QLogic 4x10GE QL41164HFCU CNA. Attempting to enable SR-IOV might lead to a network outage of the ESXi host.

Workaround: Use the following command on the ESXi host to enable SRIOV:

esxcfg-module
vCenter Server fails if the hosts in a cluster using Distributed Resource Scheduler (DRS) join NSX-T networking by a different Virtual Distributed Switch (VDS) or combination of NSX-T Virtual Distributed Switch (NVDS) and VDS
In vSphere 7.0, when using NSX-T networking on vSphere VDS with a DRS cluster, if the hosts do not join the NSX transport zone by the same VDS or NVDS, it can cause vCenter Server to fail.

Workaround: Have hosts in a DRS cluster join the NSX transport zone using the same VDS or NVDS.

Storage Issues

VMFS datastores are not mounted automatically after disk hot remove and hot insert on HPE Gen10 servers with SmartPQI controllers
When SATA disks on HPE Gen10 servers with SmartPQI controllers without expanders are hot removed and hot inserted back to a different disk bay of the same machine, or when multiple disks are hot removed and hot inserted back in a different order, sometimes a new local name is assigned to the disk. The VMFS datastore on that disk appears as a snapshot and will not be mounted back automatically because the device name has changed.

Workaround: None. SmartPQI controller does not support unordered hot remove and hot insert operations.

VOMA check on NVMe based VMFS datastores fails with error

VOMA check is not supported for NVMe based VMFS datastores and will fail with the error:

ERROR: Failed to reserve device. Function not implemented

Example:

# voma -m vmfs -f check -d /vmfs/devices/disks/: <partition#>
Running VMFS Checker version 2.1 in check mode
Initializing LVM metadata, Basic Checks will be done

Checking for filesystem activity
Performing filesystem liveness check..|Scanning for VMFS-6 host activity (4096 bytes/HB, 1024 HBs).
ERROR: Failed to reserve device. Function not implemented
Aborting VMFS volume check
VOMA failed to check device : General Error

Workaround: None. If you need to analyse VMFS metadata, collect it using the -l option, and pass to VMware customer support. The command for collecting the dump is:

voma -l -f dump -d /vmfs/devices/disks/:<partition#>

Using the VM reconfigure API to attach an encrypted First Class Disk to an encrypted virtual machine might fail with error
If an FCD and a VM are encrypted with different crypto keys, your attempts to attach the encrypted FCD to the encrypted VM using the VM reconfigure API might fail with the error message:
```
Cannot decrypt disk because key or password is incorrect.
```
Workaround: Use the attachDisk API rather than the VM reconfigure API to attach an encrypted FCD to an encrypted VM.
ESXi host might get in non responding state if a non-head extent of its spanned VMFS datastore enters the Permanent Device Loss (PDL) state
This problem does not occur when a non-head extent of the spanned VMFS datastore fails along with the head extent. In this case, the entire datastore becomes inaccessible and no longer allows I/Os.

In contrast, when only a non-head extent fails, but the head extent remains accessible, the datastore heartbeat appears to be normal. And the I/Os between the host and the datastore continue. However, any I/Os that depend on the failed non-head extent start failing as well. Other I/O transactions might accumulate while waiting for the failing I/Os to resolve, and cause the host to enter the non responding state.

Workaround: Fix the PDL condition of the non-head extent to resolve this issue.
Virtual NVMe Controller is the default disk controller for Windows 10 guest operating systems
The Virtual NVMe Controller is the default disk controller for the following guest operating systems when using Hardware Version 15 or later:

Windows 10
Windows Server 2016
Windows Server 2019

Some features might not be available when using a Virtual NVMe Controller. For more information, see https://kb.vmware.com/s/article/2147714

Note: Some clients use the previous default of LSI Logic SAS. This includes ESXi host client and PowerCLI.

Workaround: If you need features not available on Virtual NVMe, switch to VMware Paravirtual SCSI (PVSCSI) or LSI Logic SAS. For information on using VMware Paravirtual SCSI (PVSCSI), see https://kb.vmware.com/s/article/1010398
After an ESXi host upgrade to vSphere 7.0, presence of duplicate core claim rules might cause unexpected behavior
Claim rules determine which multipathing plugin, such as NMP, HPP, and so on, owns paths to a particular storage device. ESXi 7.0 does not support duplicate claim rules. However, the ESXi 7.0 host does not alert you if you add duplicate rules to the existing claim rules inherited through an upgrade from a legacy release. As a result of using duplicate rules, storage devices might be claimed by unintended plugins, which can cause unexpected outcome.

Workaround: Do not use duplicate core claim rules. Before adding a new claim rule, delete any existing matching claim rule.
A CNS query with the compliance status filter set might take unusually long time to complete
The CNS QueryVolume API enables you to obtain information about the CNS volumes, such as volume health and compliance status. When you check the compliance status of individual volumes, the results are obtained quickly. However, when you invoke the CNS QueryVolume API to check the compliance status of multiple volumes, several tens or hundreds, the query might perform slowly.

Workaround: Avoid using bulk queries. When you need to get compliance status, query one volume at a time or limit the number of volumes in the query API to 20 or fewer. While using the query, avoid running other CNS operations to get the best performance.
A VMFS datastore backed by an NVMe over Fabrics namespace or device might become permanently inaccessible after recovering from an APD or PDL failure
If a VMFS datastore on an ESXi host is backed by an NVMe over Fabrics namespace or device, in case of an all paths down (APD) or permanent device loss (PDL) failure, the datastore might be inaccessible even after recovery. You cannot access the datastore from either the ESXi host or the vCenter Server system.

Workaround: To recover from this state, perform a rescan on a host or cluster level. For more information, see Perform Storage Rescan.
Deleted CNS volumes might temporarily appear as existing in the CNS UI
After you delete an FCD disk that backs a CNS volume, the volume might still show up as existing in the CNS UI. However, your attempts to delete the volume fail. You might see an error message similar to the following:
The object or item referred to could not be found.

Workaround: The next full synchronization will resolve the inconsistency and correctly update the CNS UI.
Attempts to attach multiple CNS volumes to the same pod might occasionally fail with an error
When you attach multiple volumes to the same pod simultaneously, the attach operation might occasionally choose the same controller slot. As a result, only one of the operations succeeds, while other volume mounts fail.

Workaround: After Kubernetes retries the failed operation, the operation succeeds if a controller slot is available on the node VM.
Under certain circumstances, while a CNS operation fails, the task status appears as successful in the vSphere Client
This might occur when, for example, you use an incompliant storage policy to create a CNS volume. The operation fails, while the vSphere Client shows the task status as successful.

Workaround: The successful task status in the vSphere Client does not guarantee that the CNS operation succeeded. To make sure the operation succeeded, verify its results.
Unsuccessful delete operation for a CNS persistent volume might leave the volume undeleted on the vSphere datastore
This issue might occur when the CNS Delete API attempts to delete a persistent volume that is still attached to a pod. For example, when you delete the Kubernetes namespace where the pod runs. As a result, the volume gets cleared from CNS and the CNS query operation does not return the volume. However, the volume continues to reside on the datastore and cannot be deleted through the repeated CNS Delete API operations.

Workaround: None.

vCenter Server and vSphere Client Issues

Vendor providers go offline after a PNID change
When you change the vCenter IP address (PNID change), the registered vendor providers go offline.

Workaround: Re-register the vendor providers.
Cross vCenter migration of a virtual machine fails with an error
When you use cross vCenter vMotion to move a VM's storage and host to a different vCenter server instance, you might receive the error The operation is not allowed in the current state.

This error appears in the UI wizard after the Host Selection step and before the Datastore Selection step, in cases where the VM has an assigned storage policy containing host-based rules such as encryption or any other IO filter rule.

Workaround: Assign the VM and its disks to a storage policy without host-based rules. You might need to decrypt the VM if the source VM is encrypted. Then retry the cross vCenter vMotion action.
Storage Sensors information in Hardware Health tab shows incorrect values on vCenter UI, host UI, and MOB
When you navigate to Host > Monitor > Hardware Health > Storage Sensors on vCenter UI, the storage information displays either incorrect or unknown values. The same issue is observed on the host UI and the MOB path “runtime.hardwareStatusInfo.storageStatusInfo” as well.

Workaround: None.
vSphere UI host advanced settings shows the current product locker location as empty with an empty default
vSphere UI host advanced settings shows the current product locker location as empty with an empty default. This is inconsistent as the actual product location symlink is created and valid. This causes confusion to the user. The default cannot be corrected from UI.

Workaround: User can use the esxcli command on the host to correct the current product locker location default as below.

1. Remove the existing Product Locker Location setting with: "esxcli system settings advanced remove -o ProductLockerLocation"

2. Re-add the Product Locker Location setting with the appropriate default:

2.a. If the ESXi is a full installation, the default value is "/locker/packages/vmtoolsRepo" export PRODUCT_LOCKER_DEFAULT="/locker/packages/vmtoolsRepo"

2.b. If the ESXi is a PXEboot configuration such as autodeploy, the default value is: "/vmtoolsRepo" export PRODUCT_LOCKER_DEFAULT="/vmtoolsRepo"

Run the following command to automatically figure out the location: export PRODUCT_LOCKER_DEFAULT=`readlink /productLocker`

Add the setting: esxcli system settings advanced add -d "Path to VMware Tools repository" -o ProductLockerLocation -t string -s $PRODUCT_LOCKER_DEFAULT

You can combine all the above steps in step 2 by issuing the single command:

esxcli system settings advanced add -d "Path to VMware Tools repository" -o ProductLockerLocation -t string -s `readlink /productLocker`
Linked Software-Defined Data Center (SDDC) vCenter Server instances appear in the on-premises vSphere Client if a vCenter Cloud Gateway is linked to the SDDC.
When a vCenter Cloud Gateway is deployed in the same environment as an on-premises vCenter Server, and linked to an SDDC, the SDDC vCenter Server will appear in the on-premises vSphere Client. This is unexpected behavior and the linked SDDC vCenter Server should be ignored. All operations involving the linked SDDC vCenter Server should be performed on the vSphere Client running within the vCenter Cloud Gateway.

Workaround: None.

Virtual Machine Management Issues

UEFI HTTP booting of virtual machines on ESXi hosts of version earlier than 7.0 Update 2 fails
UEFI HTTP booting of virtual machines is supported only on hosts of version ESXi 7.0 Update 2 and later and VMs with HW version 19 or later.

Workaround: Use UEFI HTTP booting only in virtual machines with HW version 19 or later. Using HW version 19 ensures the virtual machines are placed only on hosts with ESXi version 7.0 Update 2 or later.
Virtual machine snapshot operations fail in vSphere Virtual Volumes datastores on Purity version 5.3.10
Virtual machine snapshot operations fail in vSphere Virtual Volumes datastores on Purity version 5.3.10 with an error such as An error occurred while saving the snapshot: The VVol target encountered a vendor specific error. The issue is specific for Purity version 5.3.10.

Workaround: Upgrade to Purity version 6.1.7 or follow vendor recommendations.
The postcustomization section of the customization script runs before the guest customization
When you run the guest customization script for a Linux guest operating system, the precustomization section of the customization script that is defined in the customization specification runs before the guest customization and the postcustomization section runs after that. If you enable Cloud-Init in the guest operating system of a virtual machine, the postcustomization section runs before the customization due to a known issue in Cloud-Init.

Workaround: Disable Cloud-Init and use the standard guest customization.
Group migration operations in vSphere vMotion, Storage vMotion, and vMotion without shared storage fail with error
When you perform group migration operations on VMs with multiple disks and multi-level snapshots, the operations might fail with the error com.vmware.vc.GenericVmConfigFault Failed waiting for data. Error 195887167. Connection closed by remote host, possibly due to timeout.

Workaround: Retry the migration operation on the failed VMs one at a time.
Deploying an OVF or OVA template from a URL fails with a 403 Forbidden error
The URLs that contain an HTTP query parameter are not supported. For example, http://webaddress.com?file=abc.ovf or the Amazon pre-signed S3 URLs.

Workaround: Download the files and deploy them from your local file system.
The third level of nested objects in a virtual machine folder is not visible
Perform the following steps:
1. Navigate to a data center and create a virtual machine folder.
2. In the virtual machine folder, create a nested virtual machine folder.
3. In the second folder, create another nested virtual machine, virtual machine folder, vApp, or VM Template.
As a result, from the VMs and Templates inventory tree you cannot see the objects in the third nested folder.

Workaround: To see the objects in the third nested folder, navigate to the second nested folder and select the VMs tab.

vSphere HA and Fault Tolerance Issues

VMs in a cluster might be orphaned after recovering from storage inaccessibility such as a cluster wide APD
Some VMs might be in orphaned state after cluster wide APD recovers, even if HA and VMCP are enabled on the cluster.

This issue might be encountered when the following conditions occur simultaneously:
- All hosts in the cluster experience APD and do not recover until VMCP timeout is reached.
- HA primary initiates failover due to APD on a host.
- Power on API during HA failover fails due to one of the following:
  - APD across the same host
  - Cascading APD across the entire cluster
  - Storage issues
  - Resource unavailability
- FDM unregistration and VCs steal VM logic might initiate during a window where FDM has not unregistered the failed VM and VC's host synchronization responds that multiple hosts are reporting the same VM. Both FDM and VC unregister the different registered copies of the same VM from different hosts, causing the VM to be orphaned.
Workaround: You must unregister and reregister the orphaned VMs manually within the cluster after the APD recovers.

If you do not manually reregister the orphaned VMs, HA attempts failover of the orphaned VMs, but it might take between 5 to 10 hours depending on when APD recovers.

The overall functionality of the cluster is not affected in these cases and HA will continue to protect the VMs. This is an anomaly in what gets displayed on VC for the duration of the problem.

vSphere Lifecycle Manager Issues

You cannot enable NSX-T on a cluster that is already enabled for managing image setup and updates on all hosts collectively
NSX-T is not compatible with the vSphere Lifecycle Manager functionality for image management. When you enable a cluster for image setup and updates on all hosts in the cluster collectively, you cannot enable NSX-T on that cluster. However, you can deploy NSX Edges to this cluster.

Workaround: Move the hosts to a new cluster that you can manage with baselines and enable NSX-T on that new cluster.
vSphere Lifecycle Manager and vSAN File Services cannot be simultaneously enabled on a vSAN cluster in vSphere 7.0 release
If vSphere Lifecycle Manager is enabled on a cluster, vSAN File Services cannot be enabled on the same cluster and vice versa. In order to enable vSphere Lifecycle Manager on a cluster, which has VSAN File Services enabled already, first disable vSAN File Services and retry the operation. Please note that if you transition to a cluster that is managed by a single image, vSphere Lifecycle Manager cannot be disabled on that cluster.

Workaround: None.
When a hardware support manager is unavailable, vSphere High Availability (HA) functionality is impacted
If hardware support manager is unavailable for a cluster that you manage with a single image, where a firmware and drivers addon is selected and vSphere HA is enabled, the vSphere HA functionality is impacted. You may experience the following errors.
- Configuring vSphere HA on a cluster fails.
- Cannot complete the configuration of the vSphere HA agent on a host: Applying HA VIBs on the cluster encountered a failure.
- Remediating vSphere HA fails: A general system error occurred: Failed to get Effective Component map.
- Disabling vSphere HA fails: Delete Solution task failed. A general system error occurred: Cannot find hardware support package from depot or hardware support manager.
Workaround:
- If the hardware support manager is temporarily unavailable, perform the following steps.
1. Reconnect the hardware support manager to vCenter Server.
2. Select a cluster from the Hosts and Cluster menu.
3. Select the Configure tab.
4. Under Services, click vSphere Availability.
5. Re-enable vSphere HA.
- If the hardware support manager is permanently unavailable, perform the following steps.
1. Remove the hardware support manager and the hardware support package from the image specification
2. Re-enable vSphere HA.
3. Select a cluster from the Hosts and Cluster menu.
4. Select the Updates tab.
5. Click Edit .
6. Remove the firmware and drivers addon and click Save.
7. Select the Configure tab.
8. Under Services, click vSphere Availability.
9. Re-enable vSphere HA.
I/OFilter is not removed from a cluster after a remediation process in vSphere Lifecycle Manager
Removing I/OFilter from a cluster by remediating the cluster in vSphere Lifecycle Manager, fails with the following error message: iofilter XXX already exists. Тhe iofilter remains listed as installed.

Workaround:
1. Call IOFilter API UninstallIoFilter_Task from the vCenter Server managed object (IoFilterManager).
2. Remediate the cluster in vSphere Lifecycle Manager.
3. Call IOFilter API ResolveInstallationErrorsOnCluster_Task from the vCenter Server managed object (IoFilterManager) to update the database.
While remediating a vSphere HA enabled cluster in vSphere Lifecycle Manager, adding hosts causes a vSphere HA error state
Adding one or multiple ESXi hosts during a remediation process of a vSphere HA enabled cluster, results in the following error message: Applying HA VIBs on the cluster encountered a failure.

Workaround: Аfter the cluster remediation operation has finished, perform one of the following tasks.
- Right-click the failed ESXi host and select Reconfigure for vSphere HA.
- Disable and re-enable vSphere HA for the cluster.
While remediating a vSphere HA enabled cluster in vSphere Lifecycle Manager, disabling and re-enabling vSphere HA causes a vSphere HA error state
Disabling and re-enabling vSphere HA during remediation process of a cluster, may fail the remediation process due to vSphere HA health checks reporting that hosts don't have vSphere HA VIBs installed. You may see the following error message: Setting desired image spec for cluster failed.

Workaround: Аfter the cluster remediation operation has finished, disable and re-enable vSphere HA for the cluster.
Checking for recommended images in vSphere Lifecycle Manager has slow performance in large clusters
In large clusters with more than 16 hosts, the recommendation generation task could take more than an hour to finish or may appear to hang. The completion time for the recommendation task depends on the number of devices configured on each host and the number of image candidates from the depot that vSphere Lifecycle Manager needs to process before obtaining a valid image to recommend.

Workaround: None.
Checking for hardware compatibility in vSphere Lifecycle Manager has slow performance in large clusters
In large clusters with more than 16 hosts, the validation report generation task could take up to 30 minutes to finish or may appear to hang. The completion time depends on the number of devices configured on each host and the number of hosts configured in the cluster.

Workaround: None
Incomplete error messages in non-English languages are displayed, when remediating a cluster in vSphere Lifecycle Manager
You can encounter incomplete error messages for localized languages in the vCenter Server user interface. The messages are displayed, after a cluster remediation process in vSphere Lifecycle Manager fails. For example, your can observe the following error message.

The error message in English language: Virtual machine 'VMC on DELL EMC -FileServer' that runs on cluster 'Cluster-1' reported an issue which prevents entering maintenance mode: Unable to access the virtual machine configuration: Unable to access file[local-0] VMC on Dell EMC - FileServer/VMC on Dell EMC - FileServer.vmx

The error message in French language: La VM « VMC on DELL EMC -FileServer », située sur le cluster « {Cluster-1} », a signalé un problème empêchant le passage en mode de maintenance : Unable to access the virtual machine configuration: Unable to access file[local-0] VMC on Dell EMC - FileServer/VMC on Dell EMC - FileServer.vmx

Workaround: None.
Importing an image with no vendor addon, components, or firmware and drivers addon to a cluster which image contains such elements, does not remove the image elements of the existing image
Only the ESXi base image is replaced with the one from the imported image.

Workaround: After the import process finishes, edit the image, and if needed, remove the vendor addon, components, and firmware and drivers addon.
When you convert a cluster that uses baselines to a cluster that uses a single image, a warning is displayed that vSphere HA VIBs will be removed
Converting a vSphere HA enabled cluster that uses baselines to a cluster that uses a single image, may result a warning message displaying that vmware-fdm component will be removed.

Workaround: This message can be ignored. The conversion process installs the vmware-fdm component.
If vSphere Update Manager is configured to download patch updates from the Internet through a proxy server, after upgrade to vSphere 7.0 that converts Update Manager to vSphere Lifecycle Manager, downloading patches from VMware patch repository might fail
In earlier releases of vCenter Server you could configure independent proxy settings for vCenter Server and vSphere Update Manager. After an upgrade to vSphere 7.0, vSphere Update Manager service becomes part of the vSphere Lifecycle Manager service. For the vSphere Lifecycle Manager service, the proxy settings are configured from the vCenter Server appliance settings. If you had configured Update Manager to download patch updates from the Internet through a proxy server but the vCenter Server appliance had no proxy setting configuration, after a vCenter Server upgrade to version 7.0, the vSphere Lifecycle Manager fails to connect to the VMware depot and is unable to download patches or updates.

Workaround: Log in to the vCenter Server Appliance Management Interface, https://vcenter-server-appliance-FQDN-or-IP-address:5480, to configure proxy settings for the vCenter Server appliance and enable vSphere Lifecycle Manager to use proxy.

Miscellaneous Issues

When applying a host profile with version 6.5 to a ESXi host with version 7.0, the compliance check fails
Applying a host profile with version 6.5 to a ESXi host with version 7.0, results in Coredump file profile reported as not compliant with the host.

Workaround: There are two possible workarounds.
1. When you create a host profile with version 6.5, set an advanced configuration option VMkernel.Boot.autoCreateDumpFile to false on the ESXi host.
2. When you apply an existing host profile with version 6.5, add an advanced configuration option VMkernel.Boot.autoCreateDumpFile in the host profile, configure the option to a fixed policy, and set value to false.
Mellanox ConnectX-4 or ConnectX-5 native ESXi drivers might exhibit minor throughput degradation when Dynamic Receive Side Scaling (DYN_RSS) or Generic RSS (GEN_RSS) feature is turned on
Mellanox ConnectX-4 or ConnectX-5 native ESXi drivers might exhibit less than 5 percent throughput degradation when DYN_RSS and GEN_RSS feature is turned on, which is unlikely to impact normal workloads.

Workaround: You can disable DYN_RSS and GEN_RSS feature with the following commands:

# esxcli system module parameters set -m nmlx5_core -p "DYN_RSS=0 GEN_RSS=0"

# reboot
RDMA traffic between two VMs on the same host might fail in PVRDMA environment
In a vSphere 7.0 implementation of a PVRDMA environment, VMs pass traffic through the HCA for local communication if an HCA is present. However, loopback of RDMA traffic does not work on qedrntv driver. For instance, RDMA Queue Pairs running on VMs that are configured under same uplink port cannot communicate with each other.

In vSphere 6.7 and earlier, HCA was used for local RDMA traffic if SRQ was enabled. vSphere 7.0 uses HCA loopback with VMs using versions of PVRDMA that have SRQ enabled with a minimum of HW v14 using RoCE v2.

The current version of Marvell FastLinQ adapter firmware does not support loopback traffic between QPs of the same PF or port.

Workaround: Required support is being added in the out-of-box driver certified for vSphere 7.0. If you are using the inbox qedrntv driver, you must use a 3-host configuration and migrate VMs to the third host.
Unreliable Datagram traffic QP limitations in qedrntv driver
There are limitations with the Marvell FastLinQ qedrntv RoCE driver and Unreliable Datagram (UD) traffic. UD applications involving bulk traffic might fail with qedrntv driver. Additionally, UD QPs can only work with DMA Memory Regions (MR). Physical MRs or FRMR are not supported. Applications attempting to use physical MR or FRMR along with UD QP fail to pass traffic when used with qedrntv driver. Known examples of such test applications are ibv_ud_pingpong and ib_send_bw.

Standard RoCE and RoCEv2 use cases in a VMware ESXi environment such as iSER, NVMe-oF (RoCE) and PVRDMA are not impacted by this issue. Use cases for UD traffic are limited and this issue impacts a small set of applications requiring bulk UD traffic.

Marvell FastLinQ hardware does not support RDMA UD traffic offload. In order to meet the VMware PVRDMA requirement to support GSI QP, a restricted software only implementation of UD QP support was added to the qedrntv driver. The goal of the implementation is to provide support for control path GSI communication and is not a complete implementation of UD QP supporting bulk traffic and advanced features.

Since UD support is implemented in software, the implementation might not keep up with heavy traffic and packets might be dropped. This can result in failures with bulk UD traffic.

Workaround: Bulk UD QP traffic is not supported with qedrntv driver and there is no workaround at this time. VMware ESXi RDMA (RoCE) use cases like iSER, NVMe, RDMA and PVRDMA are unaffected by this issue.
Servers equipped with QLogic 578xx NIC might fail when frequently connecting or disconnecting iSCSI LUNs
If you trigger QLogic 578xx NIC iSCSI connection or disconnection frequently in a short time, the server might fail due to an issue with the qfle3 driver. This is caused by a known defect in the device's firmware.

Workaround: None.
ESXi might fail during driver unload or controller disconnect operation in Broadcom NVMe over FC environment
In Broadcom NVMe over FC environment, ESXi might fail during driver unload or controller disconnect operation and display an error message such as: @BlueScreen: #PF Exception 14 in world 2098707:vmknvmeGener IP 0x4200225021cc addr 0x19

Workaround: None.
ESXi does not display OEM firmware version number of i350/X550 NICs on some Dell servers
The inbox ixgben driver only recognizes firmware data version or signature for i350/X550 NICs. On some Dell servers the OEM firmware version number is programmed into the OEM package version region, and the inbox ixgben driver does not read this information. Only the 8-digit firmware signature is displayed.

Workaround: To display the OEM firmware version number, install async ixgben driver version 1.7.15 or later.
X710 or XL710 NICs might fail in ESXi
When you initiate certain destructive operations to X710 or XL710 NICs, such as resetting the NIC or manipulating VMKernel's internal device tree, the NIC hardware might read data from non-packet memory.

Workaround: Do not reset the NIC or manipulate vmkernel internal device state.
NVMe-oF does not guarantee persistent VMHBA name after system reboot
NVMe-oF is a new feature in vSphere 7.0. If your server has a USB storage installation that uses vmhba30+ and also has NVMe over RDMA configuration, the VMHBA name might change after a system reboot. This is because the VMHBA name assignment for NVMe over RDMA is different from PCIe devices. ESXi does not guarantee persistence.

Workaround: None.
Backup fails for vCenter database size of 300 GB or greater
If the vCenter database size is 300 GB or greater, the file-based backup will fail with a timeout. The following error message is displayed: Timeout! Failed to complete in 72000 seconds

Workaround: None.
A restore of vCenter Server 7.0 which is upgraded from vCenter Server 6.x with External Platform Services Controller to vCenter Server 7.0 might fail
When you restore a vCenter Server 7.0 which is upgraded from 6.x with External Platform Services Controller to vCenter Server 7.0, the restore might fail and display the following error: Failed to retrieve appliance storage list

Workaround: During the first stage of the restore process, increase the storage level of the vCenter Server 7.0. For example if the vCenter Server 6.7 External Platform Services Controller setup storage type is small, select storage type large for the restore process.
Enabled SSL protocols configuration parameter is not configured during a host profile remediation process
Enabled SSL protocols configuration parameter is not configured during a host profile remediation and only the system default protocol tlsv1.2 is enabled. This behavior is observed for a host profile with version 7.0 and earlier in a vCenter Server 7.0 environment.

Workaround: To enable TLSV 1.0 or TLSV 1.1 SSL protocols for SFCB, log in to an ESXi host by using SSH, and run the following ESXCLI command: esxcli system wbem -P <protocol_name>
Unable to configure Lockdown Mode settings by using Host Profiles
Lockdown Мode cannot be configured by using a security host profile and cannot be applied to multiple ESXi hosts at once. You must manually configure each host.

Workaround: In vCenter Server 7.0, you can configure Lockdown Mode and manage Lockdown Mode exception user list by using a security host profile.
When a host profile is applied to a cluster, Enhanced vMotion Compatibility (EVC) settings are missing from the ESXi hosts
Some settings in the VMware config file /etc/vmware/config are not managed by Host Profiles and are blocked, when the config file is modified. As a result, when the host profile is applied to a cluster, the EVC settings are lost, which causes loss of EVC functionalities. For example, unmasked CPUs can be exposed to workloads.

Workaround: Reconfigure the relevant EVC baseline on cluster to recover the EVC settings.
Using a host profile that defines a core dump partition in vCenter Server 7.0 results in an error
In vCenter Server 7.0, configuring and managing a core dump partition in a host profile is not available. Attempting to apply a host profile that defines a core dump partition, results in the following error: No valid coredump partition found.

Workaround: None. In vCenter Server 7.0., Host Profiles supports only file-based core dumps.
If you run the ESXCLI command to unload the firewall module, the hostd service fails and ESXi hosts lose connectivity
If you automate the firewall configuration in an environment that includes multiple ESXi hosts, and run the ESXCLI command esxcli network firewall unload that destroys filters and unloads the firewall module, the hostd service fails and ESXi hosts lose connectivity.

Workaround: Unloading the firewall module is not recommended at any time. If you must unload the firewall module, use the following steps:
1. Stop the hostd service by using the command:
  /etc/init.d/hostd stop.
2. Unload the firewall module by using the command:
  esxcli network firewall unload.
3. Perform the required operations.
4. Load the firewall module by using the command:
  esxcli network firewall load.
5. Start the hostd service by using the command:
  /etc/init.d/hostd start.
vSphere Storage vMotion operations might fail in a vSAN environment due to an unauthenticated session of the Network File Copy (NFC) manager
Migrations to a vSAN datastore by using vSphere Storage vMotion of virtual machines that have at least one snapshot and more than one virtual disk with different storage policy might fail. The issue occurs due to an unauthenticated session of the NFC manager because the Simple Object Access Protocol (SOAP) body exceeds the allowed size.

Workaround: First migrate the VM home namespace and just one of the virtual disks. After the operation completes, perform a disk only migration of the remaining 2 disks.
Changes in the properties and attributes of the devices and storage on an ESXi host might not persist after a reboot
If the device discovery routine during a reboot of an ESXi host times out, the jumpstart plug-in might not receive all configuration changes of the devices and storage from all the registered devices on the host. As a result, the process might restore the properties of some devices or storage to the default values after the reboot.

Workaround: Manually restore the changes in the properties of the affected device or storage.
If you use a beta build of ESXi 7.0, ESXi hosts might fail with a purple diagnostic screen during some lifecycle operations
If you use a beta build of ESXi 7.0, ESXi hosts might fail with a purple diagnostic screen during some lifecycle operations such as unloading a driver or switching between ENS mode and native driver mode. For example, if you try to change the ENS mode, in the backtrace you see an error message similar to: case ENS::INTERRUPT::NoVM_DeviceStateWithGracefulRemove hit BlueScreen: ASSERT bora/vmkernel/main/dlmalloc.c:2733 This issue is specific for beta builds and does not affect release builds such as ESXi 7.0.

Workaround: Update to ESXi 7.0 GA.
You cannot create snapshots of virtual machines due to an error that a digest operation has failed
A rare race condition when an All-Paths-Down (APD) state occurs during the update of the Content Based Read Cache (CBRC) digest file might cause inconsistencies in the digest file. As a result, you cannot create virtual machine snapshots. You see an error such as An error occurred while saving the snapshot: A digest operation has failed in the backtrace.

Workaround: Power cycle the virtual machines to trigger a recompute of the CBRC hashes and clear the inconsistencies in the digest file.
If you upgrade your ESXi hosts to version 7.0 Update 3, but your vCenter Server is of an earlier version, Trusted Platform Module (TPM) attestation of the ESXi hosts fails
If you upgrade your ESXi hosts to version 7.0 Update 3, but your vCenter Server is of an earlier version, and you enable TPM, ESXi hosts fail to pass attestation. In the vSphere Client, you see the warning Host TPM attestation alarm. The Elliptic Curve Digital Signature Algorithm (ECDSA) introduced with ESXi 7.0 Update 3 causes the issue when vCenter Server is not of version 7.0 Update 3.

Workaround: Upgrade your vCenter Server to 7.0 Update 3 or acknowledge the alarm.
You see warnings in the boot loader screen about TPM asset tags
If a TPM-enabled ESXi host has no asset tag set on, you might see idle warning messages in the boot loader screen such as:
Failed to determine TPM asset tag size: Buffer too small Failed to measure asset tag into TPM: Buffer too small

Workaround: Ignore the warnings or set an asset tag by using the command $ esxcli hardware tpm tag set -d
The sensord daemon fails to report ESXi host hardware status
A logic error in the IPMI SDR validation might cause sensord to fail to identify a source for power supply information. As a result, when you run the command vsish -e get /power/hostStats, you might not see any output.

Workaround: None
If an ESXi host fails with a purple diagnostic screen, the netdump service might stop working
In rare cases, if an ESXi host fails with a purple diagnostic screen, the netdump service might fail with an error such as NetDump FAILED: Couldn't attach to dump server at IP x.x.x.x.

Workaround: Configure the VMkernel core dump to use local storage.
You see frequent VMware Fault Domain Manager (FDM) core dumps on multiple ESXi hosts
In some environments, the number of datastores might exceed the FDM file descriptor limit. As a result, you see frequent core dumps on multiple ESXi hosts indicating FDM failure.

Workaround: Increase the FDM file descriptor limit to 2048. You can use the setting das.config.fdm.maxFds from the vSphere HA advanced options in the vSphere Client. For more information, see Set Advanced Options.
Virtual machines on a vSAN cluster with enabled NSX-T and a converged vSphere Distributed Switch (CVDS) in a VLAN transport zone cannot power on after a power off
If a secondary site is 95% disk full and VMs are powered off before simulating a secondary site failure, during recovery some of the virtual machines fail to power on. As a result, virtual machines become unresponsive. The issue occurs regardless if site recovery includes adding disks or ESXi hosts or CPU capacity.

Workaround: Select the virtual machines that do not power on and change the network to VM Network from Edit Settings on the VM context menu.
ESXI hosts might fail with a purple diagnostic screen with an error Assert at bora/modules/vmkernel/vmfs/fs6Journal.c:835
In rare cases, for example when running SESparse tests, the number of locks per transaction in a VMFS datastore might exceed the limit of 50 for the J6_MAX_TXN_LOCKACTIONS parameter. As a result, ESXi hosts might fail with a purple diagnostic screen with an error Assert at bora/modules/vmkernel/vmfs/fs6Journal.c:835.

Workaround: None
If you modify the netq_rss_ens parameter of the nmlx5_core driver, ESXi hosts might fail with a purple diagnostic screen
If you try to enable the netq_rss_ens parameter when you configure an enhanced data path on the nmlx5_core driver, ESXi hosts might fail with a purple diagnostic screen. The netq_rss_ens parameter, which enables NetQ RSS, is disabled by default with a value of 0.

Workaround: Keep the default value for the netq_rss_ens module parameter in the nmlx5_core driver.
ESXi might terminate I/O to NVMeOF devices due to errors on all active paths
Occasionally, all active paths to NVMeOF device register I/O errors due to link issues or controller state. If the status of one of the paths changes to Dead, the High Performance Plug-in (HPP) might not select another path if it shows high volume of errors. As a result, the I/O fails.

Workaround: Disable the configuration option /Misc/HppManageDegradedPaths to unblock the I/O.
Upgrade to ESXi 7.0 Update 3 might fail due to changed name of the inbox i40enu network driver
Starting with vSphere 7.0 Update 3, the inbox i40enu network driver for ESXi changes name back to i40en. The i40en driver was renamed to i40enu in vSphere 7.0 Update 2, but the name change impacted some upgrade paths. For example, rollup upgrade of ESXi hosts that you manage with baselines and baseline groups from 7.0 Update 2 or 7.0 Update 2a to 7.0 Update 3 fails. In most cases, the i40enu driver upgrades to ESXi 7.0 Update 3 without any additional steps. However, if the driver upgrade fails, you cannot update ESXi hosts that you manage with baselines and baseline groups. You also cannot use host seeding or a vSphere Lifecycle Manager single image to manage the ESXi hosts. If you have already made changes related to the i40enu driver and devices in your system, before upgrading to ESXi 7.0 Update 3, you must uninstall the i40enu VIB or Component on ESXi, or first upgrade ESXi to ESXi 7.0 Update 2c.

Workaround: For more information, see VMware knowledge base article 85982.
SSH access fails after you upgrade to ESXi 7.0 Update 3d
After you upgrade to ESXi 7.0 Update 3d, SSH access might fail in certain conditions due to an update of OpenSSH to version 8.8.

Workaround: For more information, see VMware knowledge base article 88055.
HTTP requests from certain libraries to vSphere might be rejected
The HTTP reverse proxy in vSphere 7.0 enforces stricter standard compliance than in previous releases. This might expose pre-existing problems in some third-party libraries used by applications for SOAP calls to vSphere.

If you develop vSphere applications that use such libraries or include applications that rely on such libraries in your vSphere stack, you might experience connection issues when these libraries send HTTP requests to VMOMI. For example, HTTP requests issued from vijava libraries can take the following form:
```
POST /sdk HTTP/1.1
SOAPAction
Content-Type: text/xml; charset=utf-8
User-Agent: Java/1.8.0_221
```
The syntax in this example violates an HTTP protocol header field requirement that mandates a colon after SOAPAction. Hence, the request is rejected in flight.

Workaround: Developers leveraging noncompliant libraries in their applications can consider using a library that follows HTTP standards instead. For example, developers who use the vijava library can consider using the latest version of the yavijava library instead.
You might see a dump file when using Broadcom driver lsi_msgpt3, lsi_msgpt35 and lsi_mr3
When using the lsi_msgpt3, lsi_msgpt35 and lsi_mr3 controllers, there is a potential risk to see dump file lsuv2-lsi-drivers-plugin-util-zdump. There is an issue when exiting the storelib used in this plugin utility. There is no impact on ESXi operations, you can ignore the dump file.

Workaround: You can safely ignore this message. You can remove the lsuv2-lsi-drivers-plugin with the following command:

esxcli software vib remove -n lsuv2-lsiv2-drivers-plugin
You might see reboot is not required after configuring SR-IOV of a PCI device in vCenter, but device configurations made by third party extensions might be lost and require reboot to be re-applied.
In ESXi 7.0, SR-IOV configuration is applied without a reboot and the device driver is reloaded. ESXi hosts might have third party extensions perform device configurations that need to run after the device driver is loaded during boot. A reboot is required for those third party extensions to re-apply the device configuration.

Workaround: You must reboot after configuring SR-IOV to apply third party device configurations.

To collapse the list of previous known issues, click here.