Check: ESX0480
VMware ESX 3 Server:
ESX0480
(in version v1 r2)
Title
ESX Server updates are not tested. (Cat II impact)
Discussion
Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed for the ESX Server before moving them into a production environment. ESX Server patches will be tested first in a development environment and any issues or special precautions will be documented, as a patch could technically disable all virtual networks and machines.
Check Content
Ask the IAO/SA to show you where the test and development ESX Server is located. At the service console of the test and development ESX Server perform the following command:

```
# esxupdate -l query
```

The output will look similar to the following:

```
Installed software bundles
-----Name---- --Install Date-- --------Summary--------
3.5.0-56329 23:37:26 11/04/08 Full installation of ESX 3.5.0-56329
ESX350-200802055-BG 23:49:26 11/04/08 Fix COS running Dell OM5 w/QLogic
ESX350-200803066-SG 23:50:02 11/04/08 Fix COS security bug
```

If no patch results are returned, this is a finding. The test and development ESX Server cannot be the production ESX Server(s).
Fix Text
Use the test and development ESX Server to test all patches before moving them to production.
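The check and fix above as a script, added here as an example and not part of the STIG: it reads saved `esxupdate -l query` output, reports a finding when no patch bundles are listed, and goes beyond the check text by listing bundles present in production output but absent from the test host. The function names, the bundle-name pattern (taken from the sample output) and the placeholder bundle `ESX350-000000000-SG` are assumptions.

```shell
#!/bin/sh
# Added example: evaluate saved `esxupdate -l query` output for ESX0480.
# Assumption: patch bundle names follow the ESX350-<id>-<type> pattern seen in
# the sample output; the "Full installation" row is the base build, not a patch.

# Print the name of each patch bundle found in esxupdate output on stdin.
patch_bundles() {
    awk '$1 ~ /^ESX[0-9]+-[0-9]+-[A-Z]+$/ { print $1 }' | sort -u
}

# Print the verdict for the test/development host's output on stdin.
esx0480_status() {
    if [ -n "$(patch_bundles)" ]; then
        echo "NOT A FINDING"
    else
        echo "FINDING"
    fi
}

# Beyond the check text: list bundles in the production output ($2) that are
# absent from the test host's output ($1), i.e. never staged on the test host.
untested_in_production() {
    t=$(mktemp) && p=$(mktemp) || return 1
    printf '%s\n' "$1" | patch_bundles > "$t"
    printf '%s\n' "$2" | patch_bundles > "$p"
    comm -13 "$t" "$p"
    rm -f "$t" "$p"
}

# Constructed sample: the output shown in the check text.
TEST_OUTPUT='Installed software bundles
-----Name---- --Install Date-- --------Summary--------
3.5.0-56329 23:37:26 11/04/08 Full installation of ESX 3.5.0-56329
ESX350-200802055-BG 23:49:26 11/04/08 Fix COS running Dell OM5 w/QLogic
ESX350-200803066-SG 23:50:02 11/04/08 Fix COS security bug'

# Constructed sample: production output with one placeholder bundle not on test.
PROD_OUTPUT="$TEST_OUTPUT
ESX350-000000000-SG 10:00:00 12/01/08 Placeholder bundle (constructed)"

printf '%s\n' "$TEST_OUTPUT" | esx0480_status
untested_in_production "$TEST_OUTPUT" "$PROD_OUTPUT"
```

On a live host, pipe the command's output into `esx0480_status` instead of the constructed sample.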
Additional Identifiers
Rule ID: SV-16788r1_rule
Vulnerability ID: V-15847
Group Title: ESX Server updates are not tested.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |