VMware Cloud Community
DNguyen747

vCenter PHOTON OS Vulnerabilities

Hello all,

When I STIG our vCenter 6.7 U3l, it shows a lot of vulnerabilities with Photon OS. The current version of Photon is:

VMware Photon Linux 1.0
PHOTON_BUILD_NUMBER=62c543d

How can I upgrade Photon to a newer version, or is that even supported by VMware?

Thanks in advance


Accepted Solutions
Ajay1988

You cannot just upgrade Photon OS. That's not supported and will break too many things.

First upgrade to 6.7 U3m, as many vulnerabilities were fixed: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3m-release-notes.html

Run the scanner again and report any remaining findings to VMware via an SR.

If you think your queries have been answered, mark this response as "Correct" or "Helpful".

Regards,
AJ

72ABW

Thank you for the reply,

I looked at 6.7 U3m and it sure did list the vulnerability fixes for Photon OS. I'm downloading the patch and will let you know if it gets rid of all my vulnerabilities.

DCasota

The open source Photon OS has nothing to do with the commercial version of the products. It may be a strict explanation, but it helps to understand the difference between a newer build of an rpm package and pre-hardened appliances. There is no support for third-party modifications on VCSA, as mentioned in https://kb.vmware.com/s/article/80767.

The Photon OS major release reflects the Linux kernel version as it is tuned for performance when Photon OS runs on vSphere. 1.0 is pinned to Linux kernel 4.4, 2.0 to 4.9, 3.0 to 4.19 and 4.0 to 5.10. All the kernels are LTS, but with different EOL.

4.4   February 2022
4.9   January 2023
4.19  December 2024
5.10  December 2022

Comparing those dates with the general support period of a VCSA release clearly shows that we can expect patches for all kernel versions, optimized for vSphere.

The method of signaling available patches, periodically downloading package upgrades and applying them has had a journey. In 6.7, the time drift between rpm package updates that were already published publicly and their availability as VCSA security updates (here) made quite a few customers think that they must/can "increase security manually" by patching the underlying OS installation. For most customers the first version of patch signaling was overkill. With VCSA 7.0 or higher, the smart signaling in the vSphere Client is a big plus.

Planning a vSphere upgrade includes aligning the necessary steps for VCSA without having to care about VCSA's inner components.
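The post above pins each Photon OS major release to one LTS kernel series and gives that series' upstream EOL. A practical defender-side check, given a scanner report full of Photon findings, is to confirm which series the appliance actually runs and whether that series is still within its LTS window. The script below is an added example, not code from the thread or from VMware: the release-to-kernel mapping and EOL months are taken from the post, the EOL day-of-month is an assumption (set to the 1st), and the sample inputs are constructed to look like the output quoted in the original question.

```python
"""
Read a Photon OS release file and the running kernel version, map the Photon
major release to the LTS kernel series it is pinned to, and report that
series' upstream EOL date. Added example; mapping and EOL months come from
the post above, the EOL day-of-month is an assumption, and the sample inputs
are constructed.
"""
import os
import re
from datetime import date

# Photon OS major release -> pinned LTS kernel series (from the post above).
PHOTON_KERNEL = {"1.0": "4.4", "2.0": "4.9", "3.0": "4.19", "4.0": "5.10"}

# Upstream LTS EOL as given in the post (month only; day is an assumption).
KERNEL_EOL = {
    "4.4": date(2022, 2, 1),
    "4.9": date(2023, 1, 1),
    "4.19": date(2024, 12, 1),
    "5.10": date(2022, 12, 1),
}

# /etc/photon-release reads "VMware Photon Linux 1.0" on 1.0 and
# "VMware Photon OS x.y" on later releases, followed by PHOTON_BUILD_NUMBER=...
RELEASE_RE = re.compile(r"^VMware Photon (?:OS|Linux) (\d+\.\d+)", re.M)
BUILD_RE = re.compile(r"^PHOTON_BUILD_NUMBER=(\S+)", re.M)

# Constructed sample inputs, shaped like the original question's output.
SAMPLE_RELEASE = "VMware Photon Linux 1.0\nPHOTON_BUILD_NUMBER=62c543d\n"
SAMPLE_UNAME_R = "4.4.239-1.ph1"  # constructed kernel version string


def parse_photon_release(text):
    """Return (major_release, build_number) from /etc/photon-release contents."""
    m = RELEASE_RE.search(text)
    if not m:
        raise ValueError("not a Photon OS release file")
    b = BUILD_RE.search(text)
    return m.group(1), (b.group(1) if b else None)


def kernel_series(uname_r):
    """'4.4.239-1.ph1' -> '4.4': the upstream major.minor series."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    return "%s.%s" % (m.group(1), m.group(2))


def assess(release_text, uname_r, today):
    """Correlate the Photon release with the running kernel and its LTS EOL.

    `today` may be a date or an ISO date string ("2021-03-01").
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    release, build = parse_photon_release(release_text)
    expected = PHOTON_KERNEL.get(release)
    running = kernel_series(uname_r)
    eol = KERNEL_EOL.get(running)
    return {
        "photon_release": release,
        "build": build,
        "expected_kernel": expected,
        "running_kernel": running,
        # A mismatch means the kernel was changed outside a VCSA patch.
        "kernel_matches_release": expected == running,
        "kernel_eol": eol.isoformat() if eol else None,
        "kernel_past_eol": eol is not None and today > eol,
    }


def report(result):
    """Render an assessment as one line per field."""
    return "\n".join("%-24s %s" % (k + ":", v) for k, v in result.items())


if __name__ == "__main__":
    # On a Photon host read the real files; elsewhere fall back to the sample.
    try:
        with open("/etc/photon-release") as fh:
            release_text = fh.read()
        uname_r = os.uname().release
    except OSError:
        release_text, uname_r = SAMPLE_RELEASE, SAMPLE_UNAME_R
    print(report(assess(release_text, uname_r, date.today())))
```

Run on the appliance it reads the real release file and kernel; anywhere else it evaluates the constructed sample. The field worth watching is `kernel_matches_release`: a running series that differs from the one pinned to the Photon release is exactly the kind of out-of-band modification the thread says is unsupported, and `kernel_past_eol` tells you whether findings against that series can still be expected to be addressed through VCSA patching rather than a version upgrade.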

DNguyen747

I downloaded 6.7 U3m and it sure did get rid of all CVE-2020 high vulnerabilities and some medium vulnerabilities. There are some 2021 medium vulnerabilities, but I can live with that.

VCSA 7.0 looks like the way to go, but it is not authorized on our network yet, so I have to wait.

Thanks for your input and help, guys.