STIGQter STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host must have all security patches and updates installed.

DISA Rule

SV-207670r388482_rule

Vulnerability Number

V-207670

Group Title

SRG-OS-000480-VMM-002000

Rule Version

ESXI-65-000072

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Web Client. From the vSphere Web Client go to Hosts and Clusters >> Update Manager tab and select a non-compliant host and click the Remediate button.

To manually remediate a host the patch file must be copied locally and the following command run from an SSH session connected to the ESXi host, or from the ESXi shell:

esxcli software vib update -d <path to offline patch bundle.zip>

Check Contents

If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select scan to view all hosts compliance status.

If vCenter Update Manager is not used a hosts compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers.

If the ESXi host does not have the latest patches, this is a finding.

If the ESXi host is not on a supported release, this is a finding.

VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.
https://www.vmware.com/support/policies/security_response

Vulnerability Number

V-207670

Documentable

False

Rule Version

ESXI-65-000072

Severity Override Guidance

If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select scan to view all hosts compliance status.

If vCenter Update Manager is not used a hosts compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers.

If the ESXi host does not have the latest patches, this is a finding.

If the ESXi host is not on a supported release, this is a finding.

VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.
https://www.vmware.com/support/policies/security_response

Check Content Reference

M

Target Key

2925

Comments