Some virtualisation admins are slow to update VMware’s patches because they are afraid their app functions won’t work, however patches fix vulnerabilities and are a risk that must be taken.
Despite potential threats to a virtual infrastructure, fewer admins install patches immediately, citing such reasons as -- all application functions may not perform well after the upgrade or that if the upgrade doesn’t work, they will have to restore data from the backup which will take all day.
“With VMware, you always have to be slightly more nervous about applying patches as you can potentially affect all the VMs running inside the ESXi host,” said Craig Kilborn, technical consultant at Mirus IT Solutions Ltd., based in Northampton, UK.
However, one expert said to be effective, vendor-issued fixes must be applied immediately.
“I’m not convinced this is happening universally. A good administrator will have it as a routine part of their operations to ensure that they have the latest fixes and patches installed,” said Alan Woodward, professor in the department of computing at the University of Surrey in Guildford.
Woodward also felt that the increased use of virtualisation has led to a false sense of security.
“Whilst the virtual platforms can provide added security benefits, they can also introduce further attack vectors,” he added.
That’s why, hypervisors should always be a part of any security review and admins must keep up-to-date with the security notices, Woodward said.
The advice comes after VMware Inc. released security patches to plug critical flaws in its virtualisation tools ESX, ESXi, Fusion, Workstation and Player. The identified security threats could allow attackers to compromise the host system or crash a virtual machine (VM).
VMware patches fix security flaws
The vulnerabilities affect all versions of ESXi and ESX, VMware Workstation 8.0.4 and later versions, VMware Player 4.0.4 and later versions, as well as Fusion 4 (excluding its Mac version).
The critical security threats -- Common Vulnerabilities and Exposures (CVE) -- are identified as CVE-2012-3288, CVE-2012-3289.
CVE-2012-3288 occurs when the input data is not properly validated when loading checkpoint files. This allows an attacker to load a specially crafted checkpoint file to execute arbitrary code on the host, the vendor said in its security advisory. It warned users not to import VMs from untrusted sources.
The second vulnerability occurs when a device (such as CD ROM, keyboard) that is available to a VM while physically connected to a system is referred to as a remote device.
One way admins can mitigate this is by using administrative privileges on the VM to attach remote devices. “Do not attach untrusted remote devices to a virtual machine,” the vendor warned.
Tips for applying a patch update
To overcome concerns while installing updates, Kilborn offered some tips:
- Always have a backup of the ESXi host before applying the updates via VMware Update Manager;
- If you have a Disaster Recovery site, apply the updates to DR first before applying to your production site;
- Apply the updates to one ESXi host first and wait 24 hours before rolling out to the rest.
Admins can patch an ESX host without any down time on the VMs that are hosting a production workload with tools such as VMware Update Manager and features such as Storage vMotion, said Mike Laverick, virtualisation expert.
VMware’s latest round of security patches are partially a response to its recent code leak, but mainly to deal with a blend of issues, Laverick said.
Experts also want vendors to make fixes easy and document them.
“IT pros want patches to be effective and easy to install, so they can undertake change management and testing rapidly,” said Tony Lock, programme director at Freeform Dynamics Ltd., an IT research and analysis company, based in New Milton, UK.
Security patches and updates are important as they fix issues and offer performance efficiencies, said Kilborn.
For a list of all security patches VMware provides for ESX/ESXi 3.5 and later versions, admins must check out its Knowledge Base article 2020972. The instructions on how to install the patches are also available.