Check: VCENTER-000009
VMware vCenter Server Version 5 STIG:
VCENTER-000009
(in versions v2 r1 through v1 r7)
Title
The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server. (Cat III impact)
Discussion
The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
Check Content
Check the following conditions: The Update Manager must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal, organization defined source) must be enforced with site policies. If all of the above conditions are not met, this is a finding.
Fix Text
Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet.
Additional Identifiers
Rule ID: SV-250731r799883_rule
Vulnerability ID: V-250731
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |