UCF STIG Viewer Logo

The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258944 VCSA-80-000277 SV-258944r961863_rule Low
Description
vCenter and the embedded Lifecycle Manager system must never have a direct route to the internet. Despite this, updates and patches sourced from VMware on the internet must be delivered in a timely manner. There are two methods to accomplish this: a proxy server and the Update Manager Download Service (UMDS). UMDS is an optional module for Lifecycle Manager that fetches upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to an isolated Lifecycle Manager directly. Alternatively, a proxy for Lifecycle Manager can be configured to allow controlled, limited access to the public internet for the sole purpose of patch gathering. Either solution mitigates the risk of internet connectivity by limiting its scope and use.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62684r934488_chk )
Check the following conditions:

1. Lifecycle Manager must be configured to use the UMDS.

OR

2. Lifecycle Manager must be configured to use a proxy server for access to VMware patch repositories.

OR

3. Lifecycle Manager must disable internet patch repositories and any patches must be manually validated and imported as needed.

Option 1:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.

Click the "Change Download Source" button.

Verify the "Download patches from a UMDS shared repository" radio button is selected and that a valid UMDS repository is supplied.

Click "Cancel".

If this is not set, this is a finding.

Option 2:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.

Click the "Change Download Source" button.

Verify the "Download patches directly from the internet" radio button is selected.

Click "Cancel".

Navigate to the vCenter Server Management interface at https://:5480 >> Networking >> Proxy Settings.

Verify that "HTTPS" is "Enabled".

Click the "HTTPS" row.

Verify the proxy server configuration is accurate.

If this is not set, this is a finding.

Option 3:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Downloads.

Verify the "Automatic downloads" option is disabled.

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.

Verify any download sources are disabled.

If this is not set, this is a finding.
Fix Text (F-62593r934489_fix)
Option 1:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.

Click the "Change Download Source" button.

Select the "Download patches from a UMDS shared repository" radio button and supply a valid UMDS repository.

Click "Save".

Option 2:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.

Click the "Change Download Source" button.

Select the "Download patches directly from the internet" radio button.

Click "Save".

Navigate to the vCenter Server Management interface at https://:5480 >> Networking >> Proxy Settings.

Click "Edit".

Slide "HTTPS" to "Enabled".

Supply the appropriate proxy server configuration.

Click "Save".

Option 3:

From the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Downloads.

Click "Edit" and uncheck "Download patches".

Under "Patch Setup" select each download source and click Disable.