The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.

From VMware vCenter Server Version 5 Security Technical Implementation Guide

Part of ESXi5-402

Associated with: CCI-000366

SV-51402r2_rule The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.

Vulnerability discussion

The VMware Update Manager (vUM) and vCenter Server (vCS) are VM installable on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and system security patches must be installed and up-to-date. For the use case where the vUM hypervisor/VM or the vCS hypervisor/VM reboots while undergoing remediation, this will halt that process. Note that for the use case where the vCS hypervisor/VM reboots, the result is a worst case scenario of a temporary, unplanned vCS outage.

Check content

Ask the SA if software and system security patches are installed and up-to-date for all ESXi hypervisors/VMs, including the vCenter Server (vCS) and the VMware Update Manager (vUM), if they are also installed as VMs rather than as physical machines. If the vUM's hypervisor host/VM patch, update, and remediation procedure does not include its own hypervisor/VM or that of the vCS (if installed as VMs), this check is not a finding. If the vUM's hypervisor host/VM patch, update, and remediation process also includes its own hypervisor host/VM and/or the vCS's hypervisor host/VM, this is a finding.

Fix text

Determine if both the VMware Update Manager (vUM) and vCenter Server (vCS) are installed as physical or virtual machines. No fix is required for vCS/vUM if the vCS and vUM are both installed as physical machines. If the vCS and vUM are installed as virtual machines, they must both be managed either manually or by a secondary installation of vCS and the vUM. All remaining organization hypervisor hosts/VMs must be configured to receive software and security patch updates, via the vUM, on an organization-defined, regularly scheduled basis.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer