The ESXi host must have all security patches and updates installed.

An XCCDF Rule

Description

<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258776r933389_rule
Severity: High
References: CCI-000366
Updated: 8 months ago

ESXi can be patched in multiple ways, and this fix text does not cover all methods.

Manual patching when image profiles are not used:

- Download the latest "offline bundle" .zip update from vmware.com. Verify the hash.
- Transfer the file to a datastore accessible by the ESXi host, local or remote.

- Put the ESXi host into maintenance mode.

- From an ESXi shell, run the following command:

esxcli software vib update -d <path to offline patch bundle.zip>

Manual patching when image profiles are used:

From an ESXi shell, run the following command:

# esxcli software sources profile list -d /vmfs/volumes/<your datastore>/<bundle name.zip>

Note the available profiles. The organization will usually want the one ending in "-standard".

# esxcli software profile update -p <selected profile> -d /vmfs/volumes/<your datastore>/<bundle name.zip>

There will be little output during the update. Once complete, reboot the host for changes to take effect.

The ESXi host must have all security patches and updates installed.

Description

Remediation - Manual Procedure