Certain security scanners such as Nessus check the version number but not the patch suffix as they search for security holes. As a result, these scanners can falsely report that software is down-level and does not include the most recent security patches even though it does. If this occurs, you can perform certain checks.

This problem is common to the industry and not specific to VMware. Some security scanners can handle this situation correctly, but they typically lag by a version or more. For example, the version of Nessus released after a Red Hat patch often does not report these false positives.

If a fix for a particular Linux-supported software package that VMware provides as a service console component becomes available—for example, a service, facility, or protocol—VMware provides a bulletin that contains a list of vSphere Installation Bundles (VIBs) that you use to update the software on ESX. Although these fixes might be available from other sources, always use bulletins that VMware generates instead of using third-party RPM Package Manager packages.

When providing patches for a software package, the VMware policy is to backport the fix to a version of the software known to be stable. This approach reduces the chance of introducing new problems and instability in the software. Because the patch is added to an existing version of the software, the version number of the software stays the same, but a patch number is added as a suffix.

The following is an example of how this problem occurs:

1

You initially install ESX with OpenSSL version 0.9.7a (where 0.9.7a is the original version with no patches).

2

OpenSSL releases a patch that fixes a security hole in version 0.9.7. This version is called 0.9.7x.

3

VMware backports the OpenSSL 0.9.7x fix to the original version, updates the patch number, and creates a VIB. The OpenSSL version in the VIB is 0.9.7a-1, indicating that the original version (0.9.7a) now contains patch 1.

4

You install the updates.

5

The security scanner fails to note the -1 suffix and erroneously reports that security for OpenSSL is not up to date.

If your scanner reports that security for a package is down-level, perform the following checks.

Look at the patch suffix to determine if you require an update.

Read the VMware VIB documentation for information on the patch contents.

Look for the Common Vulnerabilities and Exposures (CVE) number from the security alert in the software update change log.

If the CVE number is there, the specified package addresses that vulnerability.