UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must have all security patches and updates installed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-63313 ESXI-06-000072 SV-77803r1_rule High
Description
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
STIG Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide 2019-01-04

Details

Check Text ( C-64047r1_chk )
If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters >> Update Manager tab and select scan to view all hosts’ compliance status.

If vCenter Update Manager is not used, a host’s compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers.

If the ESXi host does not have the latest patches, this is a finding.

If the ESXi host is not on a supported release, this is a finding.

VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.
https://www.vmware.com/support/policies/security_response
Fix Text (F-69231r1_fix)
If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Client. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select a non-compliant host and click the Remediate button.

To manually remediate a host the patch file must be copied locally and the following command run:

esxcli software vib update -d