The ESXi host must have all security patches and updates installed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258776 | ESXI-80-000221 | SV-258776r933389_rule | CCI-000366 | high |
| Description | ||||
| Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258776r933389_chk)
Determine the current version and build:
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Summary. Note the version string next to "Hypervisor:".
or
From a Secure Shell (SSH) session connected to the ESXi host, or from the ESXi shell, run the following command:
# vmware -v
If the ESXi host does not have the latest patches, this is a finding.
If the ESXi host is not on a supported release, this is a finding.
The latest ESXi versions and their build numbers can be found here: https://kb.vmware.com/s/article/2143832
VMware also publishes advisories on security patches and offers a way to subscribe to email alerts for them.
Go to: https://www.vmware.com/support/policies/security_response
Fix Text (F-62425r933388_fix)
ESXi can be patched in multiple ways, and this fix text does not cover all methods.
Manual patching when image profiles are not used:
- Download the latest "offline bundle" .zip update from vmware.com. Verify the hash.
- Transfer the file to a datastore accessible by the ESXi host, local or remote.
- Put the ESXi host into maintenance mode.
- From an ESXi shell, run the following command:
esxcli software vib update -d <path to offline patch bundle.zip>
Manual patching when image profiles are used:
From an ESXi shell, run the following command:
# esxcli software sources profile list -d /vmfs/volumes/<your datastore>/<bundle name.zip>
Note the available profiles. The organization will usually want the one ending in "-standard".
# esxcli software profile update -p <selected profile> -d /vmfs/volumes/<your datastore>/<bundle name.zip>
There will be little output during the update. Once complete, reboot the host for changes to take effect.