Solved

Do I need to update ESXi servers?

Posted on 2013-05-29
Last Modified: 2013-06-10
According to our vulnerability management system, we need to update our ESXi 4.1U1 servers to the latest version.
I checked the patch security articles and there are just a couple of vulnerabilities that are reported by VMware.
There is not much information about which feature of the software is affected by this security hole, so I cannot decide if it is needed or not.
I had a lot of problems in the past with the installation of updates, mainly with Windows Server, and I am very suspicious when I have to update anything.
Our ESXi servers (management network) are on a different network segment, and connections to them are allowed only from the IT department network. The virtualization software that we are also using is vCenter and SRM (Site Recovery Manager).
Could you tell me if these updates are so required and critical? Do you constantly update your VMware servers? Or any advice, maybe.

The most reported seem to be:
• The ESX/ESXi userworld libxml2 library is updated to resolve multiple security issues.
• The userworld glibc third-party library is updated to 2.5-58.el5_6.2 to resolve multiple security issues.
• 629880: This release resolves an integer overflow issue in the SFCB that arises when the httpMaxContentLength is changed from its default value to 0 in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header.
Question by:dedri
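
The SFCB item quoted in the question applies only when httpMaxContentLength has been changed to 0 in /etc/sfcb/sfcb.cfg, so that precondition can be checked on each host before deciding how urgent the patch is. A sketch of such a check (an added example, not part of the original thread and not VMware tooling; it assumes sfcb.cfg uses `key: value` lines with `#` comments and that the last occurrence of a key wins, and the function names are hypothetical):

```shell
#!/bin/sh
# Added example: report whether sfcb.cfg sets httpMaxContentLength to 0,
# the configuration the quoted release note names for issue 629880.
# Assumptions: "key: value" lines, "#" comments, last occurrence wins;
# the key is matched case-insensitively to stay conservative.

# Print the effective httpMaxContentLength, or "default" if it is not set.
sfcb_max_content_length() {
    awk '
        /^[ \t]*#/ { next }                 # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)            # strip trailing comment
            n = index(line, ":")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "httpmaxcontentlength") found = val
        }
        END { print (found == "" ? "default" : found) }
    ' "$1"
}

# Return 0 if the value is zero (precondition present), 1 if it is not,
# 2 if the file cannot be read. This checks configuration only, not patch level.
sfcb_check() {
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 2; }
    v=$(sfcb_max_content_length "$1")
    case "$v" in
        default) echo "PRECONDITION-ABSENT httpMaxContentLength=default"; return 1 ;;
        *[!0]*)  echo "PRECONDITION-ABSENT httpMaxContentLength=$v"; return 1 ;;
        *)       echo "PRECONDITION-PRESENT httpMaxContentLength=$v"; return 0 ;;
    esac
}

# Dry run against a constructed sample config (not taken from a real host).
sfcb_demo() {
    f=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'httpPort: 5988' \
        '#httpMaxContentLength: 100000000' 'httpMaxContentLength:   0' > "$f"
    sfcb_check "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Usage: sh script.sh /etc/sfcb/sfcb.cfg
if [ "$#" -gt 0 ]; then sfcb_check "$1"; fi
```

A PRECONDITION-ABSENT result says nothing about the libxml2 and glibc items in the same list, which do not depend on this setting.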
9 Comments
 
LVL 11

Expert Comment

by:wrmichael
ID: 39204394
Yes.  Very important to keep your security holes filled.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39204406
Hi,

The latest version is 5.1 and there are huge updates to performance, USB redirection and other cool things inside, even the vSphere Web Client.

If you have management on another secure network (VLAN) and the servers are not published to the net, then they are stable. It is all about what hackers or employees want from you.

And lastly, it is best practice to install the server anew and configure it again if you don't have such a large network, because of changes to the base FILE SYSTEM and FILE SYSTEM TYPE.
0
 
LVL 117
ID: 39204414
Although it's important to maintain and ensure you are up to date, if the patch or upgrade fixes an issue for you, you may still find that your "vulnerability management system" still triggers on ESXi, even with the latest patches applied, because it triggers on "Linux"-like components!
0
 

Author Comment

by:dedri
ID: 39204596
Hi hanccocka,
could you clarify a little bit more what you mean?
0
LVL 117

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 250 total points
ID: 39204624
If you update your ESXi OS, your software scanner (vulnerability management system) may still state you have an issue! (It happens!)

I would actually update to ESXi/ESX 4.1 Patch 8 Build 1050704 (latest), but also remember this may require you to update your vCenter Server installation as well, and there is no guarantee this will satisfy your scanner (vulnerability management system).

We update our clients' servers if and when there is an issue detected, e.g. a bug.

What vulnerability management system are you using?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 250 total points
ID: 39204639
I have never encountered an issue with installing ESXi patches.  (Upgrades to a different version are another story.)

1) The patches include stability improvements as well as security improvements.
2) Good security practices also protect you against people you trust.  Security patches are only one part of good security, but you should not ignore them because your network is only accessible from the IT department.
3) You can pilot the changes on one of your hosts, and run them for a time until you are confident about stability.


Hancock's comment refers to the fact that ESXi is based on Linux.  Security scanners will identify generic Linux vulnerabilities as well as those specific to ESXi.
0
 

Author Comment

by:dedri
ID: 39204715
Qualys is the vulnerability system.
0
 
LVL 117
ID: 39204741
QualysGuard Cloud Security & Compliance Suite?
0
 

Author Comment

by:dedri
ID: 39204770
Yes, the same, QualysGuard Cloud.
0
