Contents x
    H Series: Update the CTERA Edge Filer ESXI Version Security Patches
    • 6 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    H Series: Update the CTERA Edge Filer ESXI Version Security Patches

    • 6 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    VMware issues security advisories when necessary and creates patches for the vulnerabilities discovered in the ESXi software. These vulnerabilities impact the H Series CTERA Edge Filers. For example:

    • CVE-2020-3992 – ESXi OpenSLP remote code execution vulnerability is assessed as critical to resolve.

    The following vulnerabilities have been assessed as important:

    • CVE-2020-3981 – TOCTOU out-of-bounds read vulnerability.
    • CVE-2020-3995 – VMCI host driver memory leak vulnerability.

    CVE-2020-3982 – TOCTOU out-of-bounds write vulnerability is assessed with moderate severity.

    For more details about these VMware vulnerabilities and other vulnerabilities within the VMware product line, refer to https://www.vmware.com/security/advisories/VMSA-2020-0023.html.

    For more details about Security Vulnerability CVE-2021-44228 (Log4Shell), see https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

    This document describes the procedure to fix these vulnerabilities in your H Series CTERA Edge Filers.

    Notes

    Contact CTERA support if you have been authorized to manage your CTERA Edge Filer in vCenter, as the procedure is different.
    You need an Internet connection to perform the following procedure.
    The datastore names and ESXi password used in this document are the default names provided by CTERA with your CTERA Edge Filer. If you changed these names use the changed names where appropriate.

    Step-by-step guide

    To prepare the environment for the vulnerability upgrade:

    1. If you do not have an SSH client, go to https://www.putty.org/ and download PuTTY to a PC, and then install it on a PC that has access to the CTERA Edge Filer.
    2. Open a web browser. You can use any of the latest two releases of Google Chrome, Apple Safari and Microsoft Edge.
    3. Enter the CTERA Edge Filer's IP address to navigate to the CTERA Edge Filer.
      The browser displays the CTERA Edge Filer Log In page:
    4. Enter the user name and password for accessing the CTERA Edge Filer and click Log In.
    5. In the status bar, click configuration icon and then click Shutdown.
      A confirmation message is displayed.
    6. Click Yes.
      The CTERA Edge Filer shuts down.
      Cleanly shut down any other server, such as a print server, you have running on the CTERA Edge Filer.
    Note

    If you do not shut each server down via the server software, you can power off the virtual machine in the VMware Host Client.

    To prepare the ESXi host for the vulnerability upgrade:

    1. Log in to the VMware Host Client.
      Use a browser on the same network to as the CTERA Edge Filer to access the VMware Host Client.
      The user name is root and the password is CTERA123!.
      The VMware Host Client is displayed, showing the Host details.
    2. Note the version, highlighted in the above screenshot, as you need this to download the correct vulnerability patch from CTERA.
    3. Download to a PC the vulnerability zip for your version of ESXi (the latest version of ESXi 7.x includes the security patches).
      ESXi version 7.0 - Download https://cti.ctera.com/invitations?share=66bba89495d3eddb9e9a
      ESXi versions 6.5 and 6.7 are end of life. CTERA cannot guarantee to support any issue that arises from ESXi 6.5 or 6.7. The following security patches are available for ESXi 6.5 and 6.7:
      ESXi version 6.5 - Download https://cti.ctera.com/invitations?share=9a5ba20f1ddbb84c3b76
      ESXi version 6.7 - Download https://cti.ctera.com/invitations?share=36a588924412e151a205
      Version 6.7 has several known and serious security vulnerabilities which have been addressed by VMware and resolved in version 7.0. In order to continue to provide the best service possible, CTERA recommends that you upgrade the edge filer version of ESXi to ESXi version 7.0.
    4. If you need to power off any other server, such as a print server, in the VMware Host Client, click Virtual Machines in the Navigator and right-click each virtual machine to power off and then click Power > Power off.
    5. In the VMware Host Client, right-click Host in the Navigator and select Enter maintenance mode.
    6. Click Yes to enter maintenance mode.
      The host server graphic changes to show it is in maintenance mode.
    7. Select Host > Manage > Services in the Navigator and right-click TSM and click Start.
    8. Select Host > Manage > Services in the Navigator and right-click TSM-SSH and click Start.
    9. Click Storage in the Navigator.
    10. Right-click the datastore, dependent on you CTERA Edge Filer model, and click Browse:
      HC400, HC400E and HC400T - right-click the CTERAGatewayFirm datastore.
      HC1200 - right-click the CTERAGatewaySSD datastore.
      HC2400M - right-click the CTERAGatewaySD datastore.
      The Datastore browser window is displayed.
    11. Click Create directory.
      The New directory window is displayed.
    12. Enter upgrade for the directory name and click Create directory.
    13. In the Datastore browser window, select the upgrade directory and click Upload in the top right of the Datastore browser window.
    14. Select the zip file you downloaded in step 3 and click Open.

    To upgrade the ESXi host with the vulnerability fixes:

    1. Open PuTTY, that you downloaded and installed in step 1 in the first procedure (To prepare the environment for the vulnerability upgrade).
      Note

      If you use a different SSH client, open this client. The following steps are based on the PuTTY application.

    2. Enter the IP address in the Host Name (or IP address) field and click Open.
      The IP address is the same IP address you used to access the VMware Host Client.
    3. Login as root and the password is CTERA123!
    4. Run the following command for your version of ESXi, that you noted in step 2 in the procedure To prepare the ESXi host for the vulnerability upgrade.
      HC400, HC400E and HC400T and ESXi 6.5 - run esxcli software profile update -p ESXi-6.5.0-20201104001-standard -d /vmfs/volumes/"CTERAGatewayFirm"/"upgrade"/ESXi650-202011001.zip
      HC400, HC400E and HC400T and ESXi 6.7 - run esxcli software profile update -p ESXi-6.7.0-20201103001-standard -d /vmfs/volumes/"CTERAGatewayFirm"/"upgrade"/ESXi670-202011001.zip
      HC400, HC400E and HC400T and ESXi 7.0 - run esxcli software profile update -p ESXi-7.0U1a-17119627-standard -d /vmfs/volumes/"CTERAGatewayFirm"/"upgrade"/VMware-ESXi-7.0U1a-17119627-depot.zip
      HC1200 and ESXi 6.5 - run esxcli software profile update -p ESXi-6.5.0-20201104001-standard -d /vmfs/volumes/"CTERAGatewaySSD"/"upgrade"/ESXi650-202011001.zip
      HC1200 and ESXi 6.7 - run esxcli software profile update -p ESXi-6.7.0-20201103001-standard -d /vmfs/volumes/"CTERAGatewaySSD"/"upgrade"/ESXi670-202011001.zip
      HC1200 and ESXi 7.0 - run esxcli software profile update -p ESXi-7.0U1a-17119627-standard -d /vmfs/volumes/"CTERAGatewaySSD"/"upgrade"VMware-ESXi-7.0U1a-17119627-depot.zip
      HC2400M and ESXi 6.5 - run esxcli software profile update -p ESXi-6.5.0-20201104001-standard -d /vmfs/volumes/"CTERAGatewaySD"/"upgrade"/ESXi650-202011001.zip
      HC2400M and ESXi 6.7 - run esxcli software profile update -p ESXi-6.7.0-20201103001-standard -d /vmfs/volumes/"CTERAGatewaySD"/"upgrade"/ESXi670-202011001.zip
      HC2400M and ESXi 7.0 - run esxcli software profile update -p ESXi-7.0U1a-17119627-standard -d /vmfs/volumes/"CTERAGatewaySD"/"upgrade"/VMware-ESXi-7.0U1a-17119627-depot.zip
      The command takes a few minutes to complete.
    5. After the update has completed, run the following command to reboot the ESXi host: reboot.
      Wait a few minutes for the ESXi to reboot.

    To restart the CTERA Edge Filer and any additional servers:

    1. Log back in to the VMware Host Client.
    2. In the VMware Host Client, right-click Host in the Navigator and select the Exit maintenance mode.The ESXi version is updated with the vulnerability patches.
    3. Clean up your CTERA Edge Filer.
      1. Right-click the datastore, dependent on the CTERA Edge Filer model, and click Browse:
        HC400, HC400E and HC400T - right-click the CTERAGatewayFirm datastore.
        HC1200 - right-click the CTERAGatewaySSD datastore.
        HC2400M - right-click the CTERAGatewaySD datastore.
        The Datastore browser window is displayed.
      2. Select to the upgrade directory you created in steps 11 and 12 in the procedure To prepare the ESXi host for the vulnerability upgrade.
      3. Right-click the zip file in the directory and click Delete.
        A Confirm delete window is displayed.
      4. Click Delete to confirm the delete.
        Note

        Ignore any error that is displayed.

    4. In the VMware Host Client click Virtual Machines in the Navigator and right-click the CTERA Edge Filer virtual machine and click Power > Power on.
    5. If you have additional virtual machines, such as a print server, that were not automatically started when you rebooted ESXi, in the VMware Host Client click Virtual Machines in the Navigator and right-click each virtual machine to power on and then click Power > Power on.

    Security Vulnerability CVE-2021-44228 (Log4Shell)
    Vulnerability Remediation

    Was this article helpful?
    What's Next
    Copyright © CTERA Networks Ltd. All Rights Reserved