The connectivity between Update Manager and public patch repositories must be limited.
In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. That connection must be restricted as far as possible, because any network path between the Update Manager system and the Internet is also a path an attacker can use to reach the Update Manager system from outside; an outbound channel to the Internet is a threat in itself.
Check the following conditions:
The Update Manager must be configured to use the Download Service (a separate Update Manager Download Server, the air-gap model).
Site policy must require that update files are transferred to the Update Manager server on physical media.
The vSphere Update Manager server must not obtain patches directly from the Internet.
If any of the above conditions is not met, this is a finding.
Fix Text (F-VCENTER-000009_fix)
Configure the vSphere Update Manager Server to use a physically separate Update Manager Download Server; the transfer of update files to the Update Manager server on physical media (air-gap model) must be required and documented in organization policy. Configure the vSphere Update Manager Download Server and enable the Download Service. The vSphere Update Manager Server application must not be able to retrieve patches directly from the Internet.