?
Solved

do I need to update ESXi servers

Posted on 2013-05-29
9
Medium Priority
?
442 Views
Last Modified: 2013-06-10
According to our vulnerability management system we need to update our ESXi 4.1U1 servers to the latest version.
I checked the patch security articles and there are just a couple of vulnerabilities that are reported by vmware.
There are not so much information which feature  of the software is affected by this security hole, so I cannot decide if it is needed or not.
I had a lot of problems in the past with the installation of the updates mainly with windows server and I am very suspicous when I have to update  anything.
Our ESXi server(management network) are on different network segment and connection to them are allowed only from IT department network. Virtualization software that we are using also are vcenter and srm(site recovery manager).
Could you tell me if this updates are so requered and critical, do you update constantly your vmware servers, or any advice maybe.

 The most reported seems to be
•The ESX/ESXi userworld libxml2 library is updated to resolve multiple security issues
-The userworld glibc third-party library is updated to 2.5-58.el5_6.2 resolve multiple security issues
•629880: This release resolves an integer overflow issue in the SFCB that arises when the httpMaxContentLength is changed from its default value to 0 in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header
0
Comment
Question by:dedri
9 Comments
 
LVL 11

Expert Comment

by:wrmichael
ID: 39204394
Yes.  Very important to keep your security holes filled.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39204406
Hi,

the lastest version is 5.1 and there are hudge updates to preformance USB redirection ando ther cool things inside even vSphere web client.

If you have managment on other secure network (VLAN) and servers are not published to the net then tehy are stabile. It is all about what hackers or employes wanted from you.

And at the last there is best practice to instal server at new and configure it again if you dont have so large network. Cousee changes to base FILE SYSTEM and FILE SYSTEM TYPE.
0
 
LVL 126
ID: 39204414
Although it's important to maintain and ensure you are up to date, if the patch or upgrade fixes and issue for you, you mat still find that your" vulnerability management system " still triggers on ESXi, even with the latest patches applied, because it triggers on "Linux" like components!
0
Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

 

Author Comment

by:dedri
ID: 39204596
Hi  hanccocka,
could you clarify a little bit more what do you mean.
0
 
LVL 126

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1000 total points
ID: 39204624
If you update, your ESXi OS, your software scanner - vulnerability management system may still state you have an issue! (it happens!)

I would actually update to ESXi/ESX 4.1 Patch 8 Build 1050704, (latest) but also remember this may require you to update your vCenter Server installation as well, and there is no guarantee this will satisfy your scanner - vulnerability management system.

We update our clients servers, if and when, there is an issue detected, e.g. a bug.

What vulnerability management system are you using?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 1000 total points
ID: 39204639
I have never encountered an issue with installing ESXi patches.  (Upgrades to a different version are another story.)

1) The patches include stability improvements as well as security improvements.
2) Good security practices also protect you against people you trust.  Security patches are only one part of good security, but you should not ignore them because your network is only accessible from the IT department.
3) You can pilot the changes on one of your hosts, and run them for a time until you are confident about stability.


Hancock's comment refers to the fact that ESXi is based on Linux.  Security scanners will identify generic Linux vulnerabilities as well as those specific to ESXi.
0
 

Author Comment

by:dedri
ID: 39204715
qualys is the vulrnerability system
0
 
LVL 126
ID: 39204741
QualysGuard Cloud Security & Compliance Suite?
0
 

Author Comment

by:dedri
ID: 39204770
yes , the same, QualysGuard Cloud
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
What if you have to shut down the entire Citrix infrastructure for hardware maintenance, software upgrades or "the unknown"? I developed this plan for "the unknown" and hope that it helps you as well. This article explains how to properly shut down …
Teach the user how to install and configure the vCenter Orchestrator virtual appliance Open vSphere Web Client: Deploy vCenter Orchestrator virtual appliance OVA file: Verify vCenter Orchestrator virtual appliance boots successfully: Connect to the …
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question