Solved

do I need to update ESXi servers

Posted on 2013-05-29
9
424 Views
Last Modified: 2013-06-10
According to our vulnerability management system we need to update our ESXi 4.1U1 servers to the latest version.
I checked the patch security articles and there are just a couple of vulnerabilities that are reported by vmware.
There are not so much information which feature  of the software is affected by this security hole, so I cannot decide if it is needed or not.
I had a lot of problems in the past with the installation of the updates mainly with windows server and I am very suspicous when I have to update  anything.
Our ESXi server(management network) are on different network segment and connection to them are allowed only from IT department network. Virtualization software that we are using also are vcenter and srm(site recovery manager).
Could you tell me if this updates are so requered and critical, do you update constantly your vmware servers, or any advice maybe.

 The most reported seems to be
•The ESX/ESXi userworld libxml2 library is updated to resolve multiple security issues
-The userworld glibc third-party library is updated to 2.5-58.el5_6.2 resolve multiple security issues
•629880: This release resolves an integer overflow issue in the SFCB that arises when the httpMaxContentLength is changed from its default value to 0 in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header
0
Comment
Question by:dedri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:wrmichael
ID: 39204394
Yes.  Very important to keep your security holes filled.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39204406
Hi,

the lastest version is 5.1 and there are hudge updates to preformance USB redirection ando ther cool things inside even vSphere web client.

If you have managment on other secure network (VLAN) and servers are not published to the net then tehy are stabile. It is all about what hackers or employes wanted from you.

And at the last there is best practice to instal server at new and configure it again if you dont have so large network. Cousee changes to base FILE SYSTEM and FILE SYSTEM TYPE.
0
 
LVL 120
ID: 39204414
Although it's important to maintain and ensure you are up to date, if the patch or upgrade fixes and issue for you, you mat still find that your" vulnerability management system " still triggers on ESXi, even with the latest patches applied, because it triggers on "Linux" like components!
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:dedri
ID: 39204596
Hi  hanccocka,
could you clarify a little bit more what do you mean.
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 250 total points
ID: 39204624
If you update, your ESXi OS, your software scanner - vulnerability management system may still state you have an issue! (it happens!)

I would actually update to ESXi/ESX 4.1 Patch 8 Build 1050704, (latest) but also remember this may require you to update your vCenter Server installation as well, and there is no guarantee this will satisfy your scanner - vulnerability management system.

We update our clients servers, if and when, there is an issue detected, e.g. a bug.

What vulnerability management system are you using?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 250 total points
ID: 39204639
I have never encountered an issue with installing ESXi patches.  (Upgrades to a different version are another story.)

1) The patches include stability improvements as well as security improvements.
2) Good security practices also protect you against people you trust.  Security patches are only one part of good security, but you should not ignore them because your network is only accessible from the IT department.
3) You can pilot the changes on one of your hosts, and run them for a time until you are confident about stability.


Hancock's comment refers to the fact that ESXi is based on Linux.  Security scanners will identify generic Linux vulnerabilities as well as those specific to ESXi.
0
 

Author Comment

by:dedri
ID: 39204715
qualys is the vulrnerability system
0
 
LVL 120
ID: 39204741
QualysGuard Cloud Security & Compliance Suite?
0
 

Author Comment

by:dedri
ID: 39204770
yes , the same, QualysGuard Cloud
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your company's data protection keeping pace with virtualization? Here are 7 dynamic ways to adapt to rapid breakthroughs in technology.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Teach the user how to install and configure the vCenter Orchestrator virtual appliance Open vSphere Web Client: Deploy vCenter Orchestrator virtual appliance OVA file: Verify vCenter Orchestrator virtual appliance boots successfully: Connect to the …
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question