vCenter Server 7.0 Update 3i | 08 DEC 2022 | ISO Build 20845200

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New

  • vCenter Server 7.0 Update 3i delivers vCenter Server fixes that you can see in the Resolved Issues section.

  • This release resolves CVE-2022-31697, and CVE-2022-31698. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0030.
     
  • This release resolves CVE-2021-22048. For more information on this vulnerability and its impact on VMware products, see VMSA-2021-0025.
     
  • This release resolves CVE-2020-28196, which impacts Integrated Windows Authentication (IWA) authentications.

Earlier Releases of vCenter Server 7.0

Features, resolved and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 7.0 are:

For internationalization, compatibility, installation, upgrade, open source components and product support notices, see the VMware vSphere 7.0 Release Notes.
For more information on vCenter Server supported upgrade and migration paths, please refer to VMware knowledge base article 67077.

Patches Contained in This Release

This release of vCenter Server 7.0 Update 3i delivers the following patch:

For a table of build numbers and versions of VMware vCenter Server, see VMware knowledge base article 2143838.

Patch for VMware vCenter Server Appliance 7.0 Update 3i

Product Patch for vCenter Server containing VMware software fixes, security fixes, and third-party product fixes.

This patch is applicable to vCenter Server.

Download Filename VMware-vCenter-Server-Appliance-7.0.3.01100-20845200-patch-FP.iso
Build 20845200
Download Size 6574.7 MB
md5sum 7adaeec6ae1cc0816e570d38b6266cd9
sha256checksum 9472d6f544123c9db4c325df5d5228f6aca2e0bbcbab7536d379611e35aa382f

Download and Installation

To download this patch from VMware Customer Connect, you must navigate to Products and Accounts > Product Patches. From the Select a Product drop-down menu, select VC and from the Select a Version drop-down menu, select 7.0.3.

  1. Attach the VMware-vCenter-Server-Appliance-7.0.3.01100-20845200-patch-FP.iso file to the vCenter Server CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

For more information on using the vCenter Server shells, see VMware knowledge base article 2100508.

For more information on patching vCenter Server, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server by Using the Appliance Management Interface.

Product Support Notices

  • Starting with vSphere 7.0 Update 3i, when you configure the reverse proxy on the vCenter Server system to enable smart card authentication, you must use port 3128, which is set and opened automatically, but you must be permitted access to the port on the respective vCenter Server. Check your perimeter firewalls to ensure that access has been granted. Make sure you restart the STS service after you configure the rhttpproxy service.
    For more information, see Configure the Reverse Proxy to Request Client Certificates and VMware knowledge base articles 78057 and 90542.

Resolved Issues

The resolved issues are grouped as follows.

Server Configuration Issues
  • Hardware labels for Dynamic DirectPath I/O devices do not persist across ESXi host reboots

    Hardware labels assigned to Dynamic DirectPath I/O devices in a vCenter Server system might not persist across reboots of the ESXi hosts. As a result, you must assign a hardware label after each reboot.

    This issue is resolved in this release.

  • ESXi hosts intermittently become unresponsive to vCenter Server

    In rare cases, when the password of a vpxuser is not in sync with the password maintained by the vpxd service or is expired, ESXi hosts might become unresponsive to vCenter Server.

    This issue is resolved in this release.

  • You might see false vCenter Server alarms for a failed email delivery

    If a task for sending emails from vCenter Server times out, you might see a false alarm with a message such as cannot send email to although the email is sent successfully.

    This issue is resolved in this release. The fix increases the timeout for the sendmail task.

Virtual Machine Management Issues
  • VM power on fails admission check at an ESXi host with the error InsufficientMemoryResourcesFault

    If some virtual machines in a resource pool have a memory demand exceeding the configured memory reservation of an ESXi host, DRS might pass incorrect resource pool reservation settings to the host. As a result, the power on of such VMs fails admission check in the ESXi host.

    This issue is resolved in this release.

  • Removing a virtual TPM device during a VM clone operation might cause the task to fail

    If you clone a VM with a virtual Trusted Platform Module (vTPM) and add a VirtualDeviceSpec::remove of the vTPM device in CloneSpec.location.deviceChange or CloneSpec.config.deviceChange, the ESXi host throws an exception such as The virtual machine is configured to require encryption. The removal of the vTPM might cause the clone operation to fail.

    This issue is resolved in this release.

  • vSphere Storage DRS operations with virtual machines fail with an error: The available storage IOPs capacity is not sufficient for the operation

    If some VMs in a storage cluster have storage I/O reservations, vSphere Storage DRS might fail to balance the storage cluster and throw an error such as The available storage IOPs capacity is not sufficient for the operation.

    This issue is resolved in this release. The manual workaround is to set the vSphere Storage DRS advanced option EnforceIOReservations to 0.

  • In the vSphere Client, if you remove a vTPM device from a VM or VM template during a clone operation, cloning might fail

    In the vSphere Client, when you clone a VM or a VM template with a vTPM device, if you remove the device for the target VM or template at the hardware customization step, the clone operation might fail.

    This issue is resolved in this release.

  • You cannot put ESXi hosts with vSphere Cluster Services (vCLS) virtual machines in Maintenance Mode

    Even users who are part of the Administrators SSO group might not be able put ESXi hosts with vCLS VMs in Maintenance Mode, because vCenter Server by default treats vCLS VMs as system VMs and prevents any configuration or operations on the vCLS VMs. For example, if you have vCLS VMs created on a vSAN datastore, the vCLS VM get vSAN encryption and VMs cannot be put in maintenance mode unless the vCLS admin role has explicit migrate permissions for encrypted VMs.

    This issue is resolved in this release. 

  • An unhandled exception when posting a vCLS health event might cause the vpxd service to fail

    An unhandled exception when posting a vCLS health event might cause the vpxd service to fail with an error such as Vmacore::System::SignalTerminateHandler (info=info@entry=0x0, ctx=ctx@entry=0x0).

    This issue is resolved in this release.

CIM and API Issues
  • A PbmCheckCompliance PBM API call invoked with a public SDK client fails with a deserialization error

    For entities provisioned in a vSAN datastore, the PbmCheckCompliance PBM API call invoked with a public SDK client returns VsanComplianceResult type in the result. VsanComplianceResult is an internal type that is not defined in the public PBM SDK. As a result, the public client does not recognize the type VsanComplianceResult while deserializing the API result and throws a deserialization error.

    This issue is resolved in this release.

vSphere Lifecycle Manager Issues
  • When you use a vSphere Lifecycle Manager baseline based on a rollup bulletin customized with the VMware Image Builder, remediation of ESXi hosts might fail with an unknown error

    In certain cases, when you use a vSphere Lifecycle Manager baseline based on an Image Builder-customized rollup bulletin to remediate ESXi hosts, in the vSphere Client you might see an error such as VMware vSphere Lifecycle Manager had an unknown error. Check the events and log files for details.. In the esxupdate.log file on impacted hosts, you see an error such as This upgrade transaction would skip ESXi Base Image VIB(s) VMware_bootbank_esx-ui_, VMware_locker_tools-light_, which could cause failures post upgrade. . The issue occurs due to a recently added upgrade completeness check in the rollup upgrade code path to prevent partial upgrades. This check might conflict with some workflows where Image Builder is used to remove some VIBs, such as the VM Tools (tools-light) VIB.    

    This issue is resolved in this release. The fix allows the removal of the vSphere Client (esx-ui) and VM Tools (tools-light) VIBs for remediations with a vSphere Lifecycle Manager baseline based on an Image Builder-customized rollup bulletin. However, if you need to remove other VIBs, you must create a customized ISO in Image Builder and use an upgrade baseline based on that ISO to perform the upgrade.

Miscellaneous Issues
  • vCenter Server might run out of storage space due to access logs accumulated under /var/log/vmware/vmware-sps

    The vmware-sps service might generate access log files that do not automatically clean up. Depending on the usage of the service, such logs might cause vCenter Server to run out of log storage.

    This issue is resolved in this release.

  • vCenter Server becomes unresponsive because /storage/log and /storage/core volumes fill up

    Due to a rare race condition, a vCenter Server might continue attempts to access a session that is already closed. As a result, the /storage/log and /storage/core volumes fill up and might cause the vCenter Server to become unresponsive.

    This issue is resolved in this release.

  • You do not see the button to add permissions to objects in the vSphere Client until you refresh the screen

    In the vSphere Client, when you navigate to Home > Inventory > Permissions, you might not see the button to add a permission until you refresh the screen. In rare cases, the button is not active after a screen refresh.

    This issue is resolved in this release.

  • In very rare cases, Virtual Desktop Infrastructure (VDI) tasks might fail in result of intermittent vCenter Server unresponsiveness

    Rarely, as VM events that potentially lead to a bad state accrue, this could lead to a VM misconfiguration and in very rare cases, to a missing VM layout. As a result, vCenter Server might become intermittently unresponsive when querying the database for a VM layout that does not exist. In such cases, VDI tasks might also fail.

    This issue is resolved in this release.

  • Downloading small files over NFC stops or fails intermittently

    If your vSphere system is busy with multiple calls to connect to ESX hosts to download files from datastores by using NFC, many attempts to retry a delayed or failed call might accumulate unnecessary load of datastore refresh operations. As a result, NFC performance aggravates and downloading small files might stop or fail intermittently.

    This issue is resolved in this release. The fix reduces unnecessary load of datastore refresh operations.

  • vSphere vMotion operations across Resource Pools might fail with insufficient resource error

    vSphere vMotion operations across Resource Pools might fail with insufficient resource error. The issue affects mostly VMware Cloud Director.

    This issue is resolved in this release.

Networking Issues
  • GET VM REST API fails with an internal server error

    When you use a REST API function such as /rest/vcenter/vm/{vm-id}, the call might fail with an error message such as Internal server error: Error: Http error 500 while requesting '/rest/vcenter/vm/vm-xx’.
    The issue occurs because the networkBootProtocol value might not persist in the vCenter Server database after reconfiguring the VM. As a result, when vCenter Server restarts, the networkBootProtocol value is not available and the function /rest/vcenter/vm/{vm-id} fails.

    The issue is resolved in this release. The fix makes sure that the fixed now and the networkBootProtocol value persists in the vCenter Server database after a VM reconfigure and vCenter Server restart.

  • In vSphere environments with Cisco Application Centric Infrastructure (ACI) installed, the vpxd service might become unresponsive

    In vSphere environments with ACI installed, the vpxd service might not properly handle ESXi host local ports and become unresponsive. In the vpxd.log, you see errors such as: ODBC error: (22003) - ERROR: numeric field overflow;.

    This issue is resolved in this release.

  • VM clone fails with an error and newly created dvPort remains in vCenter Server database

    If a virtual machine clone spec has the guestinfo.resync.mac.addr key in the extraConfig elements, such as the following:
    <ovf:Info>Virtual hardware requirements</ovf:Info><vmw:ExtraConfig vmw:key="guestinfo.resync.mac.addr"/>, a cloning operation might fail, because in some cases, a value for the key might not pass and remain unset. In the vpxd logs, you see with an error such as vmodl.fault.InvalidArgument and error messages like such as A specified parameter was not correct: config.extraConfig["guestinfo.resync.mac.addr. As a result, the newly created dvPort for the failed clone remains unused in the vCenter Server database.

    This issue is resolved in this release. The fix makes sure to remove unused dvPort from the vCenter Server database. If the error persists, you must remove the guestinfo.resync.mac.addr key in the extraConfig elements or set a valid MAC address as value. 

  • A link aggregation group (LAG) might intermittently go down and up when a vSphere Distributed Switch uplink removal

    After a removal of a free VDS uplink, a LAG might go down and up in a short time. As a result, virtual machines that use that LAG as uplink might lose network connectivity.

    This issue is resolved in this release.

  • You might see delayed response from vCenter Server due to insufficient HTTP2 write buffer

    In busy environments, vCenter Server might delay response to tasks due to insufficient HTTP2 write buffer.

    This issue is resolved in this release. 

  • The rhttpproxy service occasionally fails with a coredump reporting a buffer overflow

    When the rhttpproxy service performs multiple operations on incoming URIs, it might miscalculate the buffer offset of each connection, which potentially leads to errors such as buffer overflows and negative reads. As a result, the service fails.

    This issue is resolved in this release.

  • If applications in your vSphere environment produce HTTP headers larger than 60 KiB, vCenter Server tasks might fail

    In rare cases, HTTP headers from applications in your vSphere environment might exceed the limit of 60 KiB. As a result, vCenter Server tasks such as editing vSphere DRS settings might fail with an error similar to: Error Loading Data - An error occurred while trying to load data. This could be due to temporary outage. You can retry the operation by clicking retry button.

    This issue is resolved in this release. The fix extends the max configurable limit for HTTP headers to 96 KiB. You can add the following parameter to your config.xml file: <maxRequestHeadersKb>96</maxRequestHeadersKb>

  • In pure IPv6 environments vCenter Server might experience intermittent network connectivity issues

    vCenter Server might experience intermittent network connectivity issues in a pure IPv6 environment due to reaching the internal retry limit when attempting to connect to a system service listening only on IPv6.

    This issue is resolved in this release. 

Security Issues
  • vCenter Server 7.0 Update 3i provides the following security updates:
    • This release resolves CVE-2022-31697, and CVE-2022-31698. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2022-0030.
    • This release resolves CVE-2021-22048. For more information on this vulnerability and its impact on VMware products, see VMSA-2021-0025.
    • This release resolves CVE-2020-28196, which impacts Integrated Windows Authentication (IWA) authentications.
    • Eclipse Jetty is updated to version 9.4.48.v20220622.
    • Apache Tomcat is updated to version 8.5.82/9.0.65.
    • Jackson and Jackson-databind are updated to version 2.13.2/2.13.2.2.
    • The Spring Framework is updated to version 5.2.22/5.3.22.
    • Google Gson is updated to version 2.9.0.
    • PostgreSQL JDBC driver is updated to version 42.5.0.
    • The Commons Configuration software library is updated to version 2.8.0.
    • The SnakeYAML library is updated to version 1.31.
    • The Open-JDK package is updated to version 1.8.0_345.
    • Apache log4j is updated to versions 2.17.1
    • vPostgreSQL DB is updated to 13.8.0
    • See the PhotonOS release notes for open source changes.
vSAN Issues
  • You see a black screen during network setting configuration of a vSAN cluster

    In the Virtual Appliance Management Interface, when you edit the settings of a selected network adaptor, the Edit settings screen might appear black. A similar issue occurs in the vSphere Client when you try to edit the settings of a distributed switch in the Advanced Options screen under the Cluster Quickstart configuration wizard.

    This issue is resolved in this release.

  • You see vSAN health warnings such as Unable to fetch key provider details on host.{causeMessage}

    If your system has vSAN encryption with a vSphere Native Key Provider, you might see vSAN health warnings such as Unable to fetch key provider details on host.{causeMessage}, because the data-at-rest encryption alarm might use an old API.

    This issue is resolved in this release.

vSphere Lifecycle Manager Issues
  • You cannot install an extension VIB of version earlier than the vCenter Server version by using a vSphere Lifecycle Manager workflow

    If you upload an extension VIB of version earlier than the vCenter Server version, for example 7.0 to 7.0 Update 2, in the vSphere Lifecycle Manager depot, the VIB appears as non-compliant during a pre-upgrade scan, as expected. However, if the vSphere Lifecycle Manager restarts for some reason before you install the VIB, it displays as compliant. As a result, when you run an upgrade, the VIB is not installed.

    This issue is resolved in this release.

Known Issues

The known issues are grouped as follows.

vSphere Client Issues
  • You cannot export lists of Inventory objects after upgrading to vCenter Server 7.0 Update 3i

    ​After upgrading to vCenter Server 7.0 Update 3i, in the vSphere Client, when you try to export a file with a list of Inventory objects, such as VMs, Hosts, and Datastores, the task fails with an error Export Data Failure

    Workaround: For more information, see VMware knowledge base article 90440.

Known Issues from Prior Releases

To view a list of previous known issues, click here.

check-circle-line exclamation-circle-line close-line
Scroll to top icon