Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Patch and Update classification schemes for VMware ESX/ESXi 4.x and ESXi 5.x (2014447)

Purpose

This article provides information on the old and new classification scheme for VMware ESX/ESXi.

Resolution

The Old Classification Scheme

This classification system applied to ESX 3.0.x, 3.5 and 4.x.
 
Security - The patches that belong to this category fix one or more potential security vulnerabilities in ESX. Immediately implement security patches to protect your system from these vulnerabilities.
 
Critical - The patches that belong to this category fix flaws in the product that can potentially cause data loss or severe service disruptions. Immediately implement critical patches.
 
General - The patches that belong to this category can include fixes for minor flaws, new driver updates, and non-intrusive enhancements. Evaluate general patches to determine if any resolved issues or enhancements benefit your system. Apply these patches as needed.
 
For more information on classifications, see https://www.vmware.com/download/classifications.html.
 

The New Category/Severity Scheme

Starting with ESXi 5.0, the classification scheme now contains a two-level Category and Severity scheme.
 
The Category contains these definitions:
  1. BugFix - The fix is for a normal product defect.
  2. Security - The fix is for security-related product issues.
  3. Enhancement - A new hardware enablement, a new driver update or a new product feature is added.
The Severity contains these definitions:
  1. For BugFix category

    Critical - A problem which  may severely impact the customer's production systems (including the loss of production data). Such impacts could be system down or HA not functioning. A workaround is not in place.

    Recommendation
    : Immediately implement the critical patch. 

    Important - A problem may affect functionality, or cause a system to function in a severely reduced capacity. The situation causes significant impact to portions of the business operations and productivity. The system is exposed to potential loss or interruption of services.

    Recommendation: Immediately plan for a maintenance window for the patch.

    Moderate - A problem may affect partial non-critical functionality loss. This may be a  minor issue with limited loss, no loss of functionality, or impact to the client's operations and issues in which there is an easy circumvention or avoidance by the end user. This includes documentation errors.

    Recommendation: Implement the patch in your next maintenance window.

    Low - A problem is considered low or no impact to a product's functionality or a client's operations. There is no impact on quality, performance, or functionality of the product.

    Recommendation: Implement the patch at your convenience.

  2. For security bugs

    Critical - Vulnerabilities that can be exploited by an unauthenticated attacker from the Internet, or those that break the guest/host Operating System isolation. The exploitation results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between virtual machines and/or the Host Operating System.

    Important - Vulnerabilities that are not rated critical, but whose exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers. This rating also applies to those vulnerabilities which could lead to the complete compromise of availability when exploitation is by a remote unauthenticated attacker from the Internet or through a breach of virtual machine isolation. 

    Moderate - Vulnerabilities where the ability to exploit is mitigated to a significant degree by configuration or difficult of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources. 

    Low - All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.

     
  3. For Enhancement

    Changes in software related to enabling new hardware or enabling a feature. Only one severity value is used in representing the importance of this category.

    Important - A change to support hardware enablement (for example, a driver update), or a new feature for an important product capability.
 
For more information on severity schemes, see Classes of Vulnerabilities in VMware Products.

 

Mapping of old scheme and new scheme

The patch packaging changed for ESX/ESXi 4.1 patches after 7/28/2011. Therefore, users may see different Category and Severity values in the Patch Repository UI between 4.1 VUM and 5.0 VUM.

Note: 4.1 VUM shows the old 1-level classification, while 5.0 VUM shows the new two-level classification.

This table details the differences between the old and new scheme:
 
 
Old Scheme
New Scheme
 
 
 
Classification
Category
Severity
Critical
BugFix
Critical, Important
Security
Security
Critical, Important, Moderate, Low
General
BugFix
Moderate, Low
General
Enhancement
Important
 
Note: For any 4.x patch whose bulletin does not contain the value for the new scheme, VUM 5.0 attempts to map it automatically to default values.
 

VUM default mapping between old scheme and new scheme for old 4.1 patches

The following table shows the default mapping done by 5.0 VUM for those old 4.x bulletins. For more information, see Chapter 15 of Installing and Administering VMware vSphere Update Manager.
 
Old Scheme
New Scheme
 
 
 
Classification
Category
Severity
Critical
Other
Critical
Security
Security
Critical
General
Other
Moderate
 
 
 

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 7 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 7 Ratings
Actions
KB: