The vCenter Server Appliance (VCSA) has become the recommended deployment type starting with vSphere 6.5. The three main components of the VCSA – operating system, database, and application – now all fall under VMware’s umbrella. The VCSA now uses Photon OS which is a custom operating system built from the ground up for virtualization and removes the dependency on third party support. This not only provides one central place for support, but also allows for quicker releases of security patches.
VMware is now introducing a new Monthly Security Patch Program for the VCSA. The program will deliver important OS vulnerability patches on a monthly release cycle. VMware will monitor and fix any newly discovered OS vulnerabilities. As detailed in the VMware Security Response Policy, the response time to vulnerabilities depends on the severity. When there’s a Critical vulnerability, VMware will immediately start working on a fix or corrective action and provide it to customers in the shortest commercially reasonable amount of time. For Important through Low categorized vulnerabilities, VMware will deliver a fix with the next planned maintenance or update release of the product and where relevant. There’s no change to the existing policy. To better serve customers, we are adding this new Monthly Security Patch Program designed for VCSA.
The Monthly Patch will be cumulative and allow customers to have a choice of which patches to apply without having to apply all of them. If there’s no security patch content in a given month, we will skip the release of that month. If there’s an update or a scheduled patch, the monthly patch will be added to it. The monthly patches can be found on the My VMware patch portal (My VMware login required). Customers can sign up to receive security alerts on the VMware Security page and see a list of all VMware security advisories.
To learn more about VCSA patching and to provide feedback or ask questions, please see this article on the VMware Security Blog.