UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ESX Server updates are not tested.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15847 ESX0480 SV-16788r1_rule Medium
Description
Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed for the ESX Server before moving them into a production environment. ESX Server patches will be tested first in a development environment and any issues or special precautions will be documented, as a patch could technically disable all virtual networks and machines.
STIG Date
VMware ESX 3 Server 2016-05-13

Details

Check Text ( C-16195r1_chk )
Ask the IAO/SA to show you where the test and development ESX Server is located. At the service console of the test and development ESX Server perform the following command:
# esxupdate –l query

The output will look similar to the following:

Installed software bundles
-----Name---- --Install Date-- --------Summary--------
3.5.0-56329 23:37:26 11/04/08 Full installation of ESX 3.5.0-56329

ESX350-200802055-BG 23:49:26 11/04/08 Fix COS running Dell OM5 w/QLogic

ESX350-200803066-SG 23:50:02 11/04/08 Fix COS security bug

If no patch results are returned, this is a finding.

The test and development ESX Server cannot be the production ESX Server(s).
Fix Text (F-15801r1_fix)
Use the test and development ESX Server to test all patches before moving them to production.