The Update Manager must not directly connect to public patch repositories on the Internet.

From VMware vCenter Server Version 5 Security Technical Implementation Guide

Part of ESXi5-433

Associated with: CCI-000366

SV-51427r1_rule The Update Manager must not directly connect to public patch repositories on the Internet.

Vulnerability discussion

In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet.

Check content

Verify the Update Manager download source is not the Internet. To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding.

Fix text

To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer