Recently there was an article on “Patch Tuesday for VMware” over at Virtualization.info. It is an interesting article that raised some questions that we thought we might be able to shed some light on. The article was more focused on patching and not security alone, but since patching has now been so closely associated with security, so I’ll jump in and provide a response on our security blog.
As the article points out, "patching is a necessary evil" – and that the existence of ESX patches should not come as a shock to anyone. So let’s talk about the sinister plan behind the increase in ESX patches. Fortunately, the answer is in the article itself. Our patches contain a lot of different things, from hardware compatibility updates, feature enhancements, security fixes, etc. Based on customer feedback, we started creating more discrete patches instead of creating specific update releases that included all the changes and fixes in one package. By creating discrete packages for each of these features, customers have more choice on what to deploy quickly and what to deploy later. This fits nicely with the best practices that customers already have in place around patching. Many customers already have a triage process that helps them evaluate what patches need to go in now and which ones can be bundled together for deployment later, like once a quarter. When these patches get released is important, but not as important as when a customer needs to actually deploy them.
We also want customers to view ESX as an appliance – or more accurately, as a product that has appliance-like characteristics. So what makes VMware different from other vendors on the patching issue? The good news is that there are specific features in our products that enable us to help customers do their patching without the pain they might be used to. VMotion (also called Live Migration) is a key feature that customers use to move their existing VM’s to other systems, patch ESX, and transition those VM’s back to the patched ESX system. Not easy enough? We’ve now added Update Manager that automates this entire process for the administrator, including downloading the patches and applying them directly to ESX. This feature is not available in any other products in this class, so we we’re offering customers something unique and valuable to address this pain.
Speaking of appliances, another thing to consider is that we are now offering ESX in a number of different form-factors, including the brand new ESX Server 3i. 3i will have a significantly different patch characteristics – it does not have a Console OS and has a different patching mechanism than ESX that will be very attractive to customers.
So, in summary – we’re not trying to surprise anyone by issuing patches for ESX, and are doing a lot of work to make sure that customers have the best patching experience when it comes to ESX. Just like any other product, we hope that customers will regularly patch their ESX systems based on the priority and criticality of the patches and find ways to schedule these to fit their business needs. With VMotion and Update Manager, we really do think that customers have a lot of ways of addressing most of the pain associated with patching software products.
Senior Director, Security Product Management & Marketing