
The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.


Overview

Finding ID: V-64003
Version: VCWN-06-000031
Rule ID: SV-78493r1_rule
IA Controls: (none listed)
Severity: Low
Description
The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
STIG: VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide
Date: 2017-07-11

Details

Check Text (C-64755r1_chk)
Check the following conditions:
The Update Manager must be configured to use the Update Manager Download Server.
The use of physical media to transfer update files to the Update Manager server must be enforced by site policy (air-gap model example: a separate Update Manager Download Server that may source vendor patches externally via the Internet or from an internal source, with the files then carried to the Update Manager server on media).

Verify the Update Manager download source is not the Internet.
To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.
On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify "Direct connection to Internet" is not selected.

If "Direct connection to Internet" is configured, this is a finding.
If any of the above conditions is not met, this is a finding.
Fix Text (F-69933r1_fix)
Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet.

To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.
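The UMDS side of the air-gap model described in the Description and Fix Text, as an added example that is not part of the STIG or VMware's own tooling: the Internet-facing download server is configured, pulls patches, and exports the store to portable media for the isolated Update Manager server. UMDS_BIN is an assumed install path; the vmware-umds options used (-S, -D, -E, -G) are the documented UMDS command-line options, and the patch-store and media paths are placeholders.

```shell
#!/bin/sh
# Added example: drives the Update Manager Download Service (UMDS) host
# in the air-gap model. Only this host has Internet access; the Update
# Manager server receives patches from the exported store on media.
set -eu

# Assumed install location; override with UMDS_BIN=... if different.
UMDS_BIN="${UMDS_BIN:-/usr/local/vmware-umds/bin/vmware-umds}"

# Point UMDS at a local patch store and limit it to host patches
# (virtual-appliance upgrades stay disabled unless the site needs them).
umds_configure() {
    store="$1"
    mkdir -p "$store"
    "$UMDS_BIN" -S --patch-store "$store"
    "$UMDS_BIN" -S --enable-host --disable-va
}

# Download patch metadata and binaries from the vendor repositories.
umds_download() {
    "$UMDS_BIN" -D
}

# Export the patch store to the media mount that will be carried to the
# Update Manager server. Refuses anything that is not a writable directory,
# so a mis-typed or unmounted media path does not silently fail later.
umds_export() {
    media="$1"
    [ -d "$media" ] && [ -w "$media" ] || return 1
    "$UMDS_BIN" -E --export-store "$media"
}

# Print the effective UMDS configuration for the site's compliance record.
umds_show() {
    "$UMDS_BIN" -G
}

# Usage: sh umds-airgap.sh run [patch-store] [media-mount]
if [ "${1:-}" = "run" ]; then
    umds_configure "${2:-/var/umds/patch-store}"
    umds_download
    umds_export "${3:-/media/umds-export}"
    umds_show
fi
```

On the Update Manager server, the exported directory (or a web server fronting it) is what "Use a shared repository" points at in the Download Settings above.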