The IAO/SA does not subscribe to vendor security patches and update notifications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15845	ESX0460	SV-16786r1_rule	ECSC-1	Low

Description
Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed in a test environment for the ESX Server before moving them into a production environment.

Description

Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed in a test environment for the ESX Server before moving them into a production environment.

STIG	Date
VMware ESX 3 Policy	2016-05-03

Details

Check Text ( C-16193r1_chk )
Ask the IAO/SA to provide actual update notification to verify that they are on the subscription list. The email subscription for VMware is security-announce@lists.vmware.com. If no emails or documentation can be provided, this is a finding.

Fix Text (F-15799r1_fix)
Subscribe to vendor security and patch notifications.