Solved

do I need to update ESXi servers

Posted on 2013-05-29
9
417 Views
Last Modified: 2013-06-10
According to our vulnerability management system we need to update our ESXi 4.1U1 servers to the latest version.
I checked the patch security articles and there are just a couple of vulnerabilities that are reported by vmware.
There are not so much information which feature  of the software is affected by this security hole, so I cannot decide if it is needed or not.
I had a lot of problems in the past with the installation of the updates mainly with windows server and I am very suspicous when I have to update  anything.
Our ESXi server(management network) are on different network segment and connection to them are allowed only from IT department network. Virtualization software that we are using also are vcenter and srm(site recovery manager).
Could you tell me if this updates are so requered and critical, do you update constantly your vmware servers, or any advice maybe.

 The most reported seems to be
•The ESX/ESXi userworld libxml2 library is updated to resolve multiple security issues
-The userworld glibc third-party library is updated to 2.5-58.el5_6.2 resolve multiple security issues
•629880: This release resolves an integer overflow issue in the SFCB that arises when the httpMaxContentLength is changed from its default value to 0 in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header
0
Comment
Question by:dedri
9 Comments
 
LVL 11

Expert Comment

by:wrmichael
ID: 39204394
Yes.  Very important to keep your security holes filled.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39204406
Hi,

the lastest version is 5.1 and there are hudge updates to preformance USB redirection ando ther cool things inside even vSphere web client.

If you have managment on other secure network (VLAN) and servers are not published to the net then tehy are stabile. It is all about what hackers or employes wanted from you.

And at the last there is best practice to instal server at new and configure it again if you dont have so large network. Cousee changes to base FILE SYSTEM and FILE SYSTEM TYPE.
0
 
LVL 119
ID: 39204414
Although it's important to maintain and ensure you are up to date, if the patch or upgrade fixes and issue for you, you mat still find that your" vulnerability management system " still triggers on ESXi, even with the latest patches applied, because it triggers on "Linux" like components!
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:dedri
ID: 39204596
Hi  hanccocka,
could you clarify a little bit more what do you mean.
0
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 250 total points
ID: 39204624
If you update, your ESXi OS, your software scanner - vulnerability management system may still state you have an issue! (it happens!)

I would actually update to ESXi/ESX 4.1 Patch 8 Build 1050704, (latest) but also remember this may require you to update your vCenter Server installation as well, and there is no guarantee this will satisfy your scanner - vulnerability management system.

We update our clients servers, if and when, there is an issue detected, e.g. a bug.

What vulnerability management system are you using?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 250 total points
ID: 39204639
I have never encountered an issue with installing ESXi patches.  (Upgrades to a different version are another story.)

1) The patches include stability improvements as well as security improvements.
2) Good security practices also protect you against people you trust.  Security patches are only one part of good security, but you should not ignore them because your network is only accessible from the IT department.
3) You can pilot the changes on one of your hosts, and run them for a time until you are confident about stability.


Hancock's comment refers to the fact that ESXi is based on Linux.  Security scanners will identify generic Linux vulnerabilities as well as those specific to ESXi.
0
 

Author Comment

by:dedri
ID: 39204715
qualys is the vulrnerability system
0
 
LVL 119
ID: 39204741
QualysGuard Cloud Security & Compliance Suite?
0
 

Author Comment

by:dedri
ID: 39204770
yes , the same, QualysGuard Cloud
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last article we focus in how to VMware: How to create and use VMs TAGs – Part 1 so before follow this article and perform the next tasks, you should read the first article how to create the TAG before using them in Veeam Backup Jobs.
In this step by step tutorial with screenshots, we will show you HOW TO: Enable SSH Remote Access on a VMware vSphere Hypervisor 6.5 (ESXi 6.5). This is important if you need to enable SSH remote access for additional troubleshooting of the ESXi hos…
Teach the user how to delpoy the vCenter Server Appliance and how to configure its network settings Deploy OVF: Open VM console and configure networking:
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question