Check: ESX0460
VMware ESX 3 Policy: ESX0460 (in version v1 r2)
Title
The IAO/SA does not subscribe to vendor security patches and update notifications. (Cat III impact)
Discussion
Organizations need to stay current with all applicable ESX Server software updates released by VMware. To be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed in an ESX Server test environment before they are moved into a production environment.
Check Content
Ask the IAO/SA to provide an actual update notification to verify that they are on the subscription list. The email subscription for VMware is security-announce@lists.vmware.com. If no emails or documentation can be provided, this is a finding.
Fix Text
Subscribe to vendor security and patch notifications.
Additional Identifiers
Rule ID: SV-16786r1_rule
Vulnerability ID: V-15845
Group Title: No subscription to VMware vendor website
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |