
The ESXi host must have all security patches and updates installed.


Overview

Finding ID: V-256428
Version: ESXI-70-000072
Rule ID: SV-256428r886065_rule
IA Controls: (none listed)
Severity: High
Description
Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.
STIG: VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Date: 2023-06-21

Details

Check Text (C-60103r886063_chk)
Determine the current version and build:

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Summary. Note the version string next to "Hypervisor:".

or

From a Secure Shell (SSH) session connected to the ESXi host, or from the ESXi shell, run the following command:

# vmware -v

ESXi hosts should never have direct internet access, so compare the host's version and build number manually against the latest release listed in VMware's ESXi build-number reference:

https://kb.vmware.com/s/article/2143832

If the ESXi host does not have the latest patches, this is a finding.

If the ESXi host is not on a supported release, this is a finding.

VMware also publishes security advisories for its patches and offers an email alert subscription for them:

https://www.vmware.com/support/policies/security_response

Fix Text (F-60046r886064_fix)
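The comparison step above is easy to get wrong by eye across a fleet of hosts, so the following is an added example (not part of the STIG text) that parses the output of "vmware -v" and compares the build number with a baseline build that an administrator copies by hand from the KB article, since the host itself cannot reach vmware.com. It assumes a POSIX shell (the ESXi shell is busybox ash), that ESXi build numbers increase with each release, and that the sample output and baseline build below are constructed placeholders rather than current values; whether the release is still supported must still be read from the KB.

```shell
#!/bin/sh
# Added example for the ESXI-70-000072 check (not from the STIG). Parses "vmware -v"
# and compares the build number with a baseline copied from
# https://kb.vmware.com/s/article/2143832. Assumptions: POSIX sh / busybox ash;
# build numbers increase with each release; sample values below are constructed.

# "VMware ESXi 7.0.3 build-19193900" -> 19193900
esxi_build() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# "VMware ESXi 7.0.3 build-19193900" -> 7.0.3
esxi_version() {
    printf '%s\n' "$1" | sed -n 's/^VMware ESXi \([0-9.][0-9.]*\) .*/\1/p'
}

# 0 = at or above the baseline build, 1 = behind it (a finding),
# 2 = input did not look like "vmware -v" output (treat as a finding until checked by hand).
patch_level_ok() {
    cur=$(esxi_build "$1")
    [ -n "$cur" ] || return 2
    [ "$cur" -ge "$2" ]
}

# Print a one-line verdict and return the code from patch_level_ok.
report() {
    rc=0
    patch_level_ok "$1" "$2" || rc=$?
    case $rc in
        0) printf 'PASS: ESXi %s build %s is at or above baseline build %s\n' \
               "$(esxi_version "$1")" "$(esxi_build "$1")" "$2" ;;
        1) printf 'FINDING: ESXi %s build %s is behind baseline build %s\n' \
               "$(esxi_version "$1")" "$(esxi_build "$1")" "$2" ;;
        *) printf 'FINDING: could not parse "%s"; check the host manually\n' "$1" ;;
    esac
    return $rc
}

SAMPLE_OUTPUT='VMware ESXi 7.0.3 build-19193900'   # constructed sample of "vmware -v"
BASELINE_BUILD=20000000                               # placeholder; take the real value from the KB

# Stand-alone run: use the live host when vmware(1) exists, otherwise the sample line.
LIVE=$(vmware -v 2>/dev/null || printf '%s' "$SAMPLE_OUTPUT")
report "$LIVE" "$BASELINE_BUILD" || :
```

Unparseable input is reported as a finding rather than a pass on purpose: a check that cannot read the version string should fail closed and send the assessor back to the vSphere Client summary page.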
ESXi can be patched in multiple ways, and this fix text does not cover all methods.

Manual patching when image profiles are not used:

- Download the latest "offline bundle" .zip update from vmware.com and verify its checksum against the value published on the download page before staging it.

- Transfer the file to a datastore accessible by the ESXi host, local or remote.

- Put the ESXi host into maintenance mode.

- From an ESXi shell, run the following command, giving -d the full datastore path of the offline bundle:

# esxcli software vib update -d

Manual patching when image profiles are used:

As with the previous method, put the host into maintenance mode first. Then, from an ESXi shell, list the image profiles contained in the bundle (the -d argument is the bundle's full datastore path):

# esxcli software sources profile list -d /vmfs/volumes//

Note the available profiles. The organization will usually want the one ending in "-standard". Apply it, passing the profile name with -p and the bundle path with -d:

# esxcli software profile update -p -d /vmfs/volumes//

There will be little output during the update. Once it completes, reboot the host for the changes to take effect.
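Both manual methods share the same ordering constraint: verify the bundle, enter maintenance mode, apply, reboot. The following is an added example (not part of the STIG fix text) that wraps that sequence for both the bare VIB update and the image-profile update, refusing to stage a bundle whose SHA-256 does not match the published digest. It assumes it runs as root in the ESXi shell, that the bundle has already been copied to a datastore, that sha256sum is available (a busybox applet on ESXi), and that DRY_RUN defaults to 1 so the esxcli and reboot calls are only printed until DRY_RUN=0 is set deliberately; the profile listing at the bottom is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the STIG: guarded wrapper for the manual ESXi patch steps.
# Assumptions: root in the ESXi shell; bundle already on a datastore; $2 is the
# SHA-256 published on the vmware.com download page; sha256sum exists (busybox).
# DRY_RUN=1 (the default) prints the privileged commands instead of running them.

DRY_RUN=${DRY_RUN:-1}

# Print each privileged command, and execute it only when DRY_RUN is not 1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Gate every path on the checksum: a bundle that fails verification is never staged.
verify_bundle() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Pick the first "-standard" profile name from an
# "esxcli software sources profile list -d <bundle>" listing read on stdin.
pick_standard_profile() {
    awk '$1 ~ /-standard$/ { print $1; exit }'
}

# Method 1 (no image profile): maintenance mode, VIB update, reboot.
patch_with_vibs() {
    verify_bundle "$1" "$2" || { echo "SHA-256 mismatch for $1, nothing changed" >&2; return 1; }
    run esxcli system maintenanceMode set --enable true
    run esxcli software vib update -d "$1"
    run reboot
}

# Method 2 (image profile): $3 is the profile name chosen with pick_standard_profile.
patch_with_profile() {
    verify_bundle "$1" "$2" || { echo "SHA-256 mismatch for $1, nothing changed" >&2; return 1; }
    run esxcli system maintenanceMode set --enable true
    run esxcli software profile update -p "$3" -d "$1"
    run reboot
}

# Constructed sample of a profile listing, for trying pick_standard_profile offline.
SAMPLE_LISTING='Name                            Vendor        Acceptance Level
------------------------------  ------------  ----------------
ESXi-7.0U3c-19193900-no-tools   VMware, Inc.  PartnerSupported
ESXi-7.0U3c-19193900-standard   VMware, Inc.  PartnerSupported'

# Usage: DRY_RUN=0 sh esxi-patch.sh <bundle path> <sha256> [profile name]
if [ $# -ge 2 ]; then
    if [ -n "${3:-}" ]; then patch_with_profile "$1" "$2" "$3"; else patch_with_vibs "$1" "$2"; fi
fi
```

Run it once with the default DRY_RUN=1 to review the exact esxcli invocations, then again with DRY_RUN=0 from a console or SSH session that will survive the reboot notice; the hash gate runs before maintenance mode is requested, so a tampered or corrupted bundle leaves the host untouched and still serving workloads.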