vCenter Server 7.0 Update 3c | 27 JAN 2022 | ISO Build 19234570

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

IMPORTANT: VMware removed ESXi 7.0 Update 3, 7.0 Update 3a, and 7.0 Update 3b from all sites on November 19, 2021 due to an upgrade-impacting issue. Build 19193900 for ESXi 7.0 Update 3c ISO replaces build 18644231, 18825058, and 18905247 for ESXi 7.0 Update 3, 7.0 Update 3a, and 7.0 Update 3b respectively. For a list of related VMware knowledge base articles, see 87327.

What's New

  • Due to the recent name change in the Intel i40en driver to i40enu and back to i40en, ESXi hosts in some environments later than ESXi 7.0 Update 2a might have both driver versions, which results in several issues, all resolved in vSphere 7.0 Update 3c. Affected ESXi versions are 7.0 Update 3a, 7.0 Update 3, 7.0 Update 2d, and 7.0 Update 2c. VMware provides a vSphere_upgrade_assessment.py script that you can use to identify any ESXi hosts that require remediation before you start a vCenter Server upgrade. To download the script and for more information, see VMware knowledge base article 87258, and the instructional video on the vCenter Server 7.0 Update 3c (7.0.3.00300) upgrade precheck.

  • To help you upgrade your system correctly, vCenter Server 7.0 Update 3c adds a precheck and detailed scan with warnings:

    • When you start the update or upgrade of your vCenter Server system, an upgrade precheck runs a scan to detect if ESXi hosts of versions potentially affected by the issues around the Intel driver name change exist in your vCenter Server inventory. If the precheck identifies such ESXi hosts, a detailed scan runs to provide a list of all affected hosts, specifying file locations where you can find the list, and providing guidance how to proceed.

      IMPORTANT: You must first upgrade the list of affected hosts to ESXi 7.0 Update 3c before you continue to upgrade vCenter Server to 7.0 Update 3c. You can upgrade ESXi hosts that you manage with either baselines or a single image, by using the ESXi ISO image with an upgrade baseline or a base image of 7.0 Update 3c respectively. Do not use patch baselines based on the rollup bulletin.

      If the scan finds no affected hosts, you can continue with the upgrade of vCenter Server first.

      For more information, see VMware knowledge article 86447.
       
  • vCenter Server 7.0 Update 3c adds fixes and warnings to some vSphere Lifecycle Manager workflows: 

    • In the Updates tab of the vSphere Client, you see a banner to prevent you from updating ESXi hosts to ESXi 7.0 Update 3c with the non-critical host patches predefined baseline, which checks ESXi hosts for compliance only with optional patches. Instead, you must use the ESXi 7.0 Update 3c ISO image.

    • In the Updates tab of the vSphere Client, you see a banner to prevent you from updating ESXi hosts to ESXi 7.0 Update 3c with the non-critical host patches predefined baseline, which checks ESXi hosts for compliance only with optional patches. If ESXi hosts of versions potentially affected by the issues around the Intel driver name change exist in your vCenter Server inventory, the vSphere Lifecycle Manager automatically prevents you from changing the update method for such hosts from a cluster that you manage with vSphere Lifecycle Manager baselines to a cluster that you manage with a single image. For more information, see VMware knowledge base article 87308.

  • vCenter Server 7.0 Update 3c delivers bug and security fixes documented in the Resolved Issues section and VMware knowledge base articles 86069, 86084, 8604586159, 86073, and 87081.

  • For VMware vSphere with Tanzu updates, see VMware vSphere with Tanzu Release Notes.

Earlier Releases of vCenter Server 7.0

Features, resolved and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 7.0 are:

For internationalization, compatibility, installation, upgrade, open source components and product support notices, see the VMware vSphere 7.0 Release Notes.
For more information on vCenter Server supported upgrade and migration paths, please refer to VMware knowledge base article 67077.

Patches Contained in This Release

This release of vCenter Server 7.0 Update 3c delivers the following patch:

For a table of build numbers and versions of VMware vCenter Server, see VMware knowledge base article 2143838.

Patch for VMware vCenter Server Appliance 7.0 Update 3c

Product Patch for vCenter Server containing VMware software fixes, security fixes, and third-party product fixes.

This patch is applicable to vCenter Server.

Download Filename VMware-vCenter-Server-Appliance-7.0.3.00300-19234570-patch-FP.iso
Build 19234570
Download Size 7473.7 MB
md5sum 10f9a7fa63fe47b56d969c8a515e5bec
sha256checksum 02ee1ee18e8d09c90689c713a081554cadcd43a3f695c1f1e4f169d00274374c

Download and Installation

To download this patch, after you log in to VMware Customer Connect, select VC from the Select a Product drop-down menu and select 7.0.3 from the Select a Version drop-down menu.

  1. Attach the VMware-vCenter-Server-Appliance-7.0.3.00300-19234570-patch-FP.iso file to the vCenter Server CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

For more information on using the vCenter Server shells, see VMware knowledge base article 2100508.

For more information on patching vCenter Server, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server by Using the Appliance Management Interface.

Product Support Notices

  • Deprecation of localos accounts: Support for use of localos accounts as an identity source is deprecated. VMware plans to discontinue support for use of the local operating system as an identity source. This functionality will be removed in a future release of vSphere.
     
  • The version of some OSS packages in vCenter Server 6.5 Update 3r and vCenter Server 6.7 Update 3p is later than the version in vCenter Server 7.0 Update 3c. As a result, if you upgrade from vCenter Server 6.5 Update 3r or vCenter Server 6.7 Update 3p to vCenter Server 7.0 Update 3c, the earlier version might expose your system to some vulnerabilities:
     
    OSS 6.5 Update 3r 6.7 Update 3p 7.0 Update 3c CVEs exposed
    Apache Tomcat 8.5.68 8.5.68 8.5.63, 8.5.66 CVE-2021-41079 (7.5)
    CVE-2021-30639 (7.5)
    CVE-2021-30640 (6.5)
    CVE-2021-33037 (5.3)
    Eclipse Jetty 9.4.43 9.4.39 9.4.39 CVE-2021-34429 (5.0)
    CVE-2021-34428 (3.6)
    CVE-2021-28169 (5.0)
    cURL 7.78.0 7.78.0 7.75.0 CVE-2021-22897 (5.3)
    CVE-2021-22926 (7.5)
    CVE-2021-22925 (5.3)
    CVE-2021-22924 (3.7)
    CVE-2021-22923 (5.3)
    CVE-2021-22922 (6.5)
    OpenSSL library 1.0.2za 1.0.2za 1.0.2y CVE-2021-3712 (7.4)
    Oracle (Sun) JRE and JDK 1.8.0_301 1.8.0_301 1.8.0_291 CVE-2021-2388(5.1)
    CVE-2021-2163(2.6)
    CVE-2021-2161(4.3)
    SQLite 3.34.1 3.34.0 3.33.0 CVE-2021-20227(5.5)

    Updated version of the affected OSS packages come with a future vCenter Server 7.x release.

  • Install NSX Manager from the vSphere Client: vCenter Server 7.0 Update 3c adds a functionality in the vSphere Client to enable installation of NSX Manager. You can see the vSphere Client NSX-T home page that enables the feature. However, from the vSphere Client you can only deploy NSX Manager instances, not NSX-T Data Center. The deployment of NSX-T Data Center still happens from the NSX-T Data Center user interface.

Resolved Issues

The resolved issues are grouped as follows.

Miscellaneous Issues
  • NEW: In the vSphere Client, you might see the alarm Host connection and power state on xxx to change from green to red

    Due to a rare issue with handling Asynchronous Input/Output (AIO) calls, hostd and vpxa services on an ESXi host might fail and trigger alarms in the vSphere Client. In the backtrace, you see errors such as:
    #0 0x0000000bd09dcbe5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1 0x0000000bd09de05b in __GI_abort () at abort.c:90
    #2 0x0000000bc7d00b65 in Vmacore::System::SignalTerminateHandler (info=, ctx=) at bora/vim/lib/vmacore/posix/defSigHandlers.cpp:62
    #3 <signal called="" handler="">
    #4 NfcAioProcessCloseSessionMsg (closeMsg=0xbd9280420, session=0xbde2c4510) at bora/lib/nfclib/nfcAioServer.c:935
    #5 NfcAioProcessMsg (session=session@entry=0xbde2c4510, aioMsg=aioMsg@entry=0xbd92804b0) at bora/lib/nfclib/nfcAioServer.c:4206
    #6 0x0000000bd002cc8b in NfcAioGetAndProcessMsg (session=session@entry=0xbde2c4510) at bora/lib/nfclib/nfcAioServer.c:4324
    #7 0x0000000bd002d5bd in NfcAioServerProcessMain (session=session@entry=0xbde2c4510, netCallback=netCallback@entry=0 '\000') at bora/lib/nfclib/nfcAioServer.c:4805 #8 0x0000000bd002ea38 in NfcAioServerProcessClientMsg (session=session@entry=0xbde2c4510, done=done@entry=0xbd92806af "") at bora/lib/nfclib/nfcAioServer.c:5166

    This issue is resolved in this release. The fix makes sure the AioSession object works as expected. 

  • vCenter Server might become unresponsive due to a memory leak in the VMware Service Lifecycle Manager database

    A memory leak issue with the database of the vmware-vmon service, which manages the lifecycle of vCenter Server, might cause vCenter Server to become unresponsive. In the vSphere Client, you see an error such as:
    Error: [500] An error occurred while fetching identity providers. Try again. If problem persists, contact your administrator
    In the vpxd logs, you see an error such as:
    Failed to get exclusive locl: ODBC error, ERROR : Failed Lock.

    This issue is resolved in this release.

Backup and Restore Issues
  • File-based backup of vCenter Server fails with a DB UNHEALTHY error in the vCenter Server Management Interface

    You might see the error DB UNHEALTHY in the vCenter Server Management Interface while setting a file-based backup of a vCenter Server instance due to some expected changes in the DB schema that the vSAN health service might wrongly consider a health issue.

    This issue is resolved in this release. For more information, see VMware knowledge base article 86084.

  • vCenter Server backup fails with an error about an underlying process status

    When you attempt to backup your vCenter Server system, the operation might fail with a message in the vSphere Client such as Error during component wcp backup Underlying process status. rc: 1. The issue occurs when the vCenter Server PNID cannot resolve due to HTTP or HTTPS proxy settings.

    This issue is resolved in this release.

  • If you use SMB as backup protocol, vCenter Server backup fails with the error Path not exported by the remote filesystem

    As a side effect of the default enablement of the Federal Information Processing Standards (FIPS) in vCenter Server 7.0 Update 3, if you use SMB as the backup protocol, vCenter Server backup fails. In the vSphere Client, you see the error Path not exported by the remote filesystem.

    This issue is resolved in this release. For more information, see VMware knowledge base article 86069.

Installation, Upgrade and Migration Issues
  • Enabling vSphere HA might fail or never complete on ESXi hosts of version later than 7.0 Update 2a

    Due to the recent name change in the Intel i40en driver to i40enu and back to i40en, ESXi hosts in some environments later than ESXi 7.0 Update 2a might have both driver versions, which results in several issues, including vSphere HA failure. vSphere HA might not be successfully enabled on newly added or moved hosts of versions ESXi 7.0 Update 3a, 7.0 Update 3, 7.0 Update 2d, and 7.0 Update 2c.

    This issue is resolved in this release.

  • ISO and URL-based patching from vCenter Server 7.0 Update 3 to vCenter Server 7.0 Update 3a might fail due to unsuccessful update of the completion status

    Patching your vCenter Server system from vCenter Server 7.0 Update 3 to vCenter Server 7.0 Update 3a by using an ISO or a repository URL might fail, because a stage complete status is not available. In the vCenter Server Management Interface, you see an error such as Package discrepancy error, Cannot resume!. If you use CLI, you see errors such as Stage path file doesn't exist and Staging failed. Retry to resume from the current state. Or please collect the VC support bundle.
    The issue occurs because a file integrity check might stop a stage in the patching flow. After the check, the patch operation continues and completes successfully, but the stage complete status fails to update.

    This issue is resolved in this release.

  • Upgrade from vCenter Server 7.0 Update 2 to vCenter Server 7.0 Update 3 fails with a VMware Postgres error

    When you upgrade a single vCenter Server instance from version vCenter Server 7.0 Update 2 to vCenter Server 7.0 Update 3, the upgrade might fail due to an issue with the pg_addons extension that affects the VMware Postgres database.

    In the pg_upgrade_server.log file, you see logs such as ERROR: could not find function "archive_build_segment_list" in file "/opt/vmware/vpostgres/13/lib/pg_addons.so.

    This issue is resolved in this release. For more information, see VMware knowledge base article 86073.

Security Issues
  • vCenter Server 7.0 Update 3c delivers the following security updates:
    • The Spring package in the vSphere Client is updated to version 5.2.4.
    • Apache Struts is updated to version 2.5.28.3.
  • vCenter Server 7.0 Update 3c updates Apache httpd to address CVE-2021-40438. VMware would like to thank Saeed Kamranfar of Sotoon Security for alerting on this issue.

  • Apache log4j is updated to version 2.17 to resolve CVE-2021-44228 and CVE-2021-45046. For more information on these vulnerabilities and their impact on VMware products, please see VMSA-2021-0028.

Known Issues

The known issues are grouped as follows.

vSphere Client Issues
  • NEW: You do not see the VLAN ID in the port properties page of a VMkernel network adapter in the vSphere Client

    In the vSphere Client, when you follow the path Host > Add Networking, after you select a VMkernel network adapter and an existing standard switch, in the Port properties page you might not see the VLAD ID. The issue occurs because the VLAN ID component is part of the network-ui module, which is lazy loaded and needs a trigger to refresh.

    Workaround: Go to Host > Configure > Networking > Virtual Switches to trigger the loading of the network ui module and the VLAD ID appears.

Installation, Upgrade and Migration Issues
  • You do not see a precheck error when patching to vCenter Server 7.0 Update 3c by using CLI

    Due to the name change in the Intel i40en driver to i40enu and back to i40en, vCenter Server 7.0 Update 3c adds an upgrade precheck to make sure that ESXi hosts affected from the change are properly upgraded. In some cases, if such hosts exist in your system, patching from an vCenter Server version earlier than 7.0 Update 3 to a version later than 7.0 Update 3 by using CLI might fail with the error Installation failed. Retry to resume from the current state. Or please collect the VC support bundle.. 

    However, instead of this error, you must see the precheck error message. 

    Workaround: If you do not see the precheck error and patching your system to vCenter Server 7.0 Update 3c fails, make sure all ESXi hosts are upgraded to ESXi 7.0 Update 3c or higher, by using either a baseline created from an ISO or a single image, before upgrading vCenter Server. Do not use patch baselines based on the rollup bulletin. You can find additional debug log information at /var/log/vmware/applmgmt. For more details, see VMware knowledge base articles 87319 and 86447.

  • Upgrade to vSphere 7.0 Update 3c might require additional steps to force a full host-sync

    The supported upgrade sequence for vSphere systems is first to upgrade vCenter Server and then ESXi. However, in certain environments with ESXi hosts of version 7.0 Update 2c and later, you need to update ESXi first to 7.0 Update 3c and then vCenter Server. Such an upgrade sequence requires additional steps to force a full host-sync.

    Workaround: Log in to the appliance shell as a user with super administrative privileges (for example, root) and follow these steps:

    1. Stop the vpxd service.
    2. Run the command /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "update VPX_HOST_SYNC_GEN set master_gen=0 where host_id in (select id from VPX_HOST where product_version like '7.0.3%')".
    3. Start the vpxd service.
  • Hot-patched ESXi hosts with both i40en and i40enu Intel network drivers installed might fail to configure vSphere High Availability after upgrade to vCenter Server 7.0 Update 3c

    Due to the name change in the Intel i40en driver to i40enu and back to i40en, vCenter Server 7.0 Update 3c adds an upgrade precheck to make sure that ESXi hosts affected from the change are properly upgraded. However, if you apply an ESXi hot patch that is released after vCenter Server 7.0 Update 3c and then upgrade your system to vCenter Server 7.0 Update 3c, the hot patch might not be listed in the precheck. As a result, you might not follow the proper steps to the upgrade and vSphere HA might fail to configure on such hosts.

    Workaround: Upgrade the hot-patched ESXi hosts to version 7.0 Update 3c.

Networking Issues
  • When you use the VMware Remote Console, the envoy service might intermittently fail

    An issue with the envoy service specific to the VMware Remote Console might lead to intermittent failures of the service. As a result, the vCenter Server Management Interface or vCenter Server APIs might also become unavailable.

    Workaround: Use the vSphere Client as an alternative to the VMware Remote Console.

Miscellaneous Issues
  • NEW: In the vSphere API Explorer, VMware Datacenter CLI (DCLI) and PowerCLI, you see an API option "contentinternal" that is not functional

    You see an API option contentinternal in the metadata of either the vSphere API Explorer, DCLI and PowerCLI. For example, when you open https://<your vCenter IP>/ui/app/devcenter/api-explorer, you see the option in the select API drop-down menu. This option is not functional.

    Workaround: Ignore the contentinternal API option and do not use it.

Known Issues from Prior Releases

To view a list of previous known issues, click here.

check-circle-line exclamation-circle-line close-line
Scroll to top icon