VMware Cloud Community
andvm
Hot Shot

VUM Critical Security updates - vendor ESXi image

Hi,

Whilst using a vendor custom ESXi image such as DELL/HP, you still get the latest recommendations after you scan the host for critical security patches via VUM.

Is this the correct way to remediate hosts, or should these updates be downloaded via the specific vendor directly and uploaded into VUM? (Just making sure these do not conflict in any way with the vendor image, as I am not sure which images these are tested on.)

So I guess the main question would be: are the security patches applicable to all ESXi hosts at the specific version, irrespective of which image was used for the install?

Thanks

4 Replies
Alex_Romeo
Leadership

Hi,

If you use a custom image (Dell, HP, etc.) you should configure VUM to download customized updates, and follow those. If a Security Update comes out, before applying it, always check that the supplier of the custom image has released the release.

Best regards,

Alessandro Romeo

Blog: https://www.aleadmin.it/
andvm
Hot Shot

When you scan the host via VUM, wouldn't VUM check which ESXi image is running and display the correct applicable missing updates/patches?

Alex_Romeo
Leadership

Obviously it doesn't check, but you have to follow the personalized image. If there is an update that does not belong to the supplier, you must not do it unless a note is issued directly by the supplier (check on the supplier website). It happens that if you apply a non-customized update on a custom installation, you lose the customizations made by the supplier. This also happens with drivers.

Blog: https://www.aleadmin.it/
andvm
Hot Shot

"Obviously it doesn't check"

I believe at no point does VUM warn you that the critical security patches are not applicable to vendor custom ESXi images.

If this is really an issue, a warning should be generated, as right now you can apply the critical security baseline, scan and remediate applicable patches via VUM irrespective.
