The vCenter Server Appliance (VCSA) has become the recommended deployment type starting with vSphere 6.5. The three main components of the VCSA – operating system, database, and application – now all fall under VMware’s umbrella. The VCSA now uses Photon OS, a custom operating system built from the ground up for virtualization, which removes the dependency on third-party support. This not only provides one central place for support, but also allows for quicker releases of security patches.

VMware is now introducing a new Monthly Security Patch Program for the VCSA. The program will deliver important OS vulnerability patches on a monthly release cycle. VMware will monitor and fix any newly discovered OS vulnerabilities. As detailed in the VMware Security Response Policy, the response time to vulnerabilities depends on the severity. When there’s a Critical vulnerability, VMware will immediately start working on a fix or corrective action and provide it to customers in the shortest commercially reasonable amount of time. For vulnerabilities categorized Important through Low, VMware will deliver a fix with the next planned maintenance or update release of the product, where relevant. There’s no change to the existing policy. To better serve customers, we are adding this new Monthly Security Patch Program designed for VCSA.

The Monthly Patch will be cumulative and will let customers choose which patches to apply without having to apply all of them. If there’s no security patch content in a given month, we will skip that month’s release. If there’s an update or a scheduled patch, the monthly patch will be added to it. The monthly patches can be found on the My VMware patch portal (My VMware login required). Customers can sign up to receive security alerts on the VMware Security page and see a list of all VMware security advisories.

To learn more about VCSA patching and to provide feedback or ask questions, please see this article on the VMware Security Blog.

About the Author

Charu Chaubal is the Director of Technical Marketing for the Cloud Platform Business Unit at VMware, and runs the team that works on the vSphere product line. He has been at the company since 2006, and has been responsible for customer education and sales enablement for a wide range of datacenter technologies, such as hypervisor security, hyperconverged storage, and virtualization of data science applications. Previously, he worked at Sun Microsystems, where he had over 7 years of experience architecting distributed resource management and HPC infrastructure software solutions.