Why aren’t VMware Tools at the right version on patched hosts?

A customer called with a question about updating VMware Tools as part of a recent security patch (https://www.vmware.com/security/advisories/VMSA-2019-0009.html).    The patch resolves an address out-of-bounds vulnerability in VMware Tools that was present in certain versions of the software (10.2.x and 10.3.x prior to 10.3.10).  He wanted to install the new version; but the VMware Tools installations on his VMs indicated they were current; but still were running an affected version.  His hosts were patched and up-to-date.  He knew he could manually update VMware Tools on each of his VMs; but was hoping there was an easier way – and there is!

The status of VMware Tools on a virtual machine is relative to the the host.  Typically VMware Tools updates are delivered through an ESXi patch.  In this case, the VMware Tools 10.3.10 release hasn’t been rolled into an ESXi patch yet.  It will be shortly.  The amount of testing that goes into an ESXi patch requires a good amount of time.  When VMware patches VMware Tools like they did in the case of this vulnerability, they release it to customers so they can deploy the fix sooner if they choose.  VMware calls this an Async release.

Deploying the New Version

There are a number of ways to update VMware Tools with a version that hasn’t been delivered via an ESXi patch (without doing it manually for each VM).

1. Use a management tool to push the VMware Tools MSI like any other Windows program – for example SCCM.
2. Setup a shared storage repository for VMware Tools.  This might be useful if you are deploying ESXi via Host Profiles or want very fine-grained control in your environment.
3. Add the updated VMware Tools VIB to vCenter Update Manager.  You can then use the normal processes to update everything from that point on.  @Andrea_Maruo has detailed the process on his blog at vInfastructure.it.

Personally I prefer to use Update Manager to get the VIB installed on my host, remediate each host, and then update VMware Tools using vCenter like I normally would.  This fits into the normal workflow for most vSphere environments, and requires the least amount of additional steps.

The steps below work on Update Manager (part of vCenter 6.x and earlier versions). In vSphere 7, Update Manager has been replaced by vSphere Lifecycle Manager.    Adding VMware Tools Updates in vSphere Lifecycle Manager are similar.

Adding the VMware Tools VIB to your hosts

Here is a summary of the steps I used to ensure VMware Tools in my environment were up to the 10.3.10 version.

My environment is fully patched and VMware Tools for my virtual machines shows as current – however I can see it isn’t the patched version

I login to VMware Portal, and download the offline VMware Tools VIB.  In this case, i needed VMware Tools 10.3.10.

Once the ZIP file has been downloaded, login to vCenter and navigate to Update Manager.  On the Updates tab, click Upload From File.  Click Browse and locate the file you just downloaded.

Once this is done, you will see the new version of VMware Tools in the Non-Critical Host Patches baseline of your repository

From this point on, the rest of the steps are like any other patching operation you would perform

The hosts are now out of compliance with the baseline, and can be remediated

If you look at what will be patched at this point, you will see that the 10.3.10 Async release of VMware Tools will be added to your hosts.

You can begin remediating your hosts.  In this instance – no reboot is required!

Once your hosts are remediated, VMware Tools on your virtual machines will show as out-of-date

Upon updating VMware Tools, you will notice they are now running the proper version

I hope this helps!