Security Announcement: What Are You Waiting For?
VMSA-2020-0006 & CVE-2020-3952
Yes, you read that correctly. There is a known vulnerability that may affect your vCenter Server running version 6.7, regardless of whether it is on the virtual appliance (vApp) or Windows. It affects new deployments as well as versions upgraded from 6.x to 6.7.
Here is the article to read more about it.
I often hear people say they will wait a while before patching. I would like to point out that software patches and security patches are two different subjects.
Security patches
This type of patch addresses an immediate vulnerability and should be actioned to avoid breaches and compromise. It is of utmost importance, unless your organization does not deem security loopholes important to address, or your organization claims to be highly secured.
Software patches
This type of patch addresses bug fixes, and sometimes provides an upgrade or an update, or releases features that were delayed, etc. Often, this may not impact many customers, as some bugs or fixes affect only those who use the feature concerned. Not everyone uses 100% of every software feature. Some like to wait and see what the community experiences before applying. This is perfectly acceptable, as you do not want to apply a patch that might affect your stable system.
So from the above you can see the differences between the two types of patches. However, we still see people who apply the software patch mentality to security patches.
Being of utmost importance, security patches should typically be applied as soon as they are released. The only reason I can think of for someone to use the software patch mentality is that the patch might affect their perfectly working system. But why would you worry about that unless:
- You did not plan for availability for your system
- You did not plan for redundancy for your system
- You do not trust your backup restore strategy
If none of the above is true, you would just go ahead and patch your system. Every minute wasted means more time for compromise. That is why security patches are released as and when the vulnerabilities are discovered, unlike software patches, where there is a gap between bug discovery and patch release.
To design a system, you must prepare for the worst-case scenario. If you cannot, then either it is your requirement or there is a flaw in the design. Revisit your design.