Determining which VMware products in your datacenter have been patched for new or existing vulnerabilities can be tedious at times. What if your vSphere environment could do this for you without much effort? Look no further than vSphere Health. The newest vSphere Health checks (vSphere Health will be renamed to Skyline Health in a future release) now look out not only for your vSphere environment’s health but also for possible security vulnerabilities in vCenter Server and ESXi.
VMware Security Advisories in vSphere Health
New to vSphere Health (vSphere 6.7U1 and higher) comes the ability to scan your vSphere environment for security vulnerabilities that are reported in VMware products and documented on the VMware Security Advisories [https://www.vmware.com/security/advisories.html] online listings page. Customers are now able to quickly see, via vSphere Health, if vCenter Server or ESXi have any applicable Security Advisories to be aware of.
In the past, a bit more effort was required to discover such advisories and vulnerabilities. It meant visiting the VMware Security Advisories page to find out what security vulnerabilities had been reported in VMware products and then cross-referencing them with the versions deployed in a customer datacenter. The next step may have involved some research to find which patch level or update would resolve the discovered vulnerability.
Security Health Checks
Today this process has become quite easy by simply leveraging vSphere Health. Within the vSphere Client, with vCenter Server selected, we can view the Security Health Checks that relate to the installed versions of vCenter Server or ESXi and quickly see any detected Security Advisories. As shown in the demo below, important details are listed such as: Security Advisory (name/number of the advisory), Health, CVSSv3 (Common Vulnerability Scoring System, v3.x standard), and Resolution Patch.
Each column contains important information:
- Security Advisory maps to the VMSA advisory number (e.g. VMSA-2019-0013)
- Health is either yellow or green depending on whether the relevant patch has been applied
- CVSSv3 stands for Common Vulnerability Scoring System version 3, a system for scoring the severity of software vulnerabilities
- Resolution Patch displays the version of vCenter Server or ESXi that resolves the VMSA security advisory
This simple table view not only alerts customers to a particular security advisory, but also shows them its name, severity, and resolution.
CVSS scores are a standard method for calculating the severity of a vulnerability and are built from several other metrics that help inform us about the risk associated with a vulnerability. These scores can be used to help prioritize remediation & patching efforts. The National Vulnerability Database (nvd.nist.gov) tracks these and provides the following chart for gauging how serious a vulnerability is:
A CVSS score is determined by the vendor who issues the patch for the vulnerability and does not necessarily reflect how serious an issue might be in your own environment. If you are someone who helps decide when to patch, it is worth exploring more about how CVSS scores work, such as with the materials & training that FIRST provides (https://www.first.org/cvss/). We always encourage regular patching, as patching is the only way to remove a vulnerability from your systems. vSphere Health now makes that process easier by giving you the information you need to prioritize, justify, and communicate about this type of work.
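As an added illustration (not VMware's code and not the actual vSphere Health implementation), the following Python re-creates the logic behind the table above on constructed data: each system's build is compared with the advisory's Resolution Patch build to set Health, and the CVSSv3 score is mapped to the standard v3.x qualitative severity scale that the NVD chart shows. The advisory numbers, build numbers and hostnames are placeholders, not real VMSA data.

```python
# Constructed re-creation of the vSphere Health security check logic.
# All advisory numbers, build numbers and hostnames below are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    vmsa: str         # Security Advisory column, e.g. "VMSA-YYYY-NNNN"
    product: str      # "vCenter Server" or "ESXi"
    major: str        # affected version line, e.g. "6.7"
    fixed_build: int  # Resolution Patch: first build containing the fix
    cvss_v3: float    # CVSSv3 base score published in the advisory

def cvss_severity(score: float) -> str:
    """Qualitative rating scale from the CVSS v3.x specification (the NVD chart)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS v3 base scores range from 0.0 to 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def check_advisories(inventory, advisories):
    """One row per (system, applicable advisory), unpatched and most severe first.
    inventory: list of (hostname, product, major_version, build) tuples.
    Health is green once the running build is at or past the Resolution Patch."""
    rows = []
    for name, product, major, build in inventory:
        for adv in advisories:
            if adv.product != product or adv.major != major:
                continue
            health = "green" if build >= adv.fixed_build else "yellow"
            rows.append({"system": name, "advisory": adv.vmsa, "health": health,
                         "cvss_v3": adv.cvss_v3, "severity": cvss_severity(adv.cvss_v3),
                         "resolution_build": adv.fixed_build})
    rows.sort(key=lambda r: (r["health"] != "yellow", -r["cvss_v3"]))
    return rows

# Constructed sample inventory and advisories (not real VMSA data).
ADVISORIES = [Advisory("VMSA-EXAMPLE-0001", "ESXi", "6.7", 15000000, 8.8),
              Advisory("VMSA-EXAMPLE-0002", "vCenter Server", "6.7", 14000000, 5.3)]
INVENTORY = [("esx01.lab.example", "ESXi", "6.7", 14900000),
             ("esx02.lab.example", "ESXi", "6.7", 15100000),
             ("vcsa.lab.example", "vCenter Server", "6.7", 14200000)]
if __name__ == "__main__":
    for r in check_advisories(INVENTORY, ADVISORIES):
        print(r)
```

Only the yellow rows need action; sorting them first by CVSSv3 gives the patch order the previous paragraph describes.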
To learn more about vSphere Health, vSphere Security, or VMware Security Advisories, please visit the resources below.
- Introducing VMware Skyline Health for vSphere
- Understanding vSphere Health
- Check vSphere Health in vSphere Client
- vSphere & Intel JCC, TAA, and MCEPSC/IFU: What You Need to Know
- National Cybersecurity Awareness Month 2019