Update Manager 5.0 and later correlates the severity and category metadata in patches for different ESX/ESXi releases so that earlier patches without category information are included in dynamic baselines correctly.

Correspondence between severity and category information in vSphere 5.x and earlier releases

Category metadata in patches was first introduced in vSphere 5.0. Severity metadata in patches has different meanings in different vSphere releases.

Table 1. Correspondence between Severity and Category Information in vSphere 5.x and earlier releases

Severity value in vSphere 4.x and earlier | Severity value in vSphere 5.x | Category value in vSphere 5.x
------------------------------------------|-------------------------------|------------------------------
Critical                                  | Critical                      | Other
Security                                  | Critical                      | Security
General                                   | Moderate                      | Other
Everything else                           | Low                           | Other
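The following Python example (added here; not Update Manager code) shows how the Table 1 correlation lets a pre-5.0 patch that carries only a legacy severity value be matched against a dynamic baseline expressed in vSphere 5.x severity and category terms. The Patch record fields, the sample patch ids and the dynamic_baseline selection logic are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Table 1: legacy (vSphere 4.x and earlier) severity -> (5.x severity, 5.x category).
LEGACY_SEVERITY_MAP = {
    "Critical": ("Critical", "Other"),
    "Security": ("Critical", "Security"),
    "General": ("Moderate", "Other"),
}
LEGACY_DEFAULT = ("Low", "Other")  # the "Everything else" row of Table 1


@dataclass(frozen=True)
class Patch:
    """Minimal patch record; field names are assumptions for this example."""
    patch_id: str
    severity: str
    category: Optional[str] = None  # None: pre-5.0 patch with no category metadata


def normalize(patch: Patch) -> Tuple[str, str]:
    """Express any patch's metadata in vSphere 5.x severity/category terms."""
    if patch.category is not None:
        # 5.x patch: metadata already uses the current vocabulary.
        return patch.severity, patch.category
    # Legacy patch: derive both values from the old severity per Table 1.
    return LEGACY_SEVERITY_MAP.get(patch.severity, LEGACY_DEFAULT)


def dynamic_baseline(patches: Iterable[Patch],
                     categories: Set[str], severities: Set[str]) -> List[str]:
    """Return ids of patches whose normalized metadata matches the criteria."""
    selected = []
    for p in patches:
        sev, cat = normalize(p)
        if cat in categories and sev in severities:
            selected.append(p.patch_id)
    return selected


# Constructed inventory mixing release eras (ids are placeholders, not real bulletins).
SAMPLE_PATCHES = [
    Patch("legacy-security-1", "Security"),
    Patch("legacy-critical-1", "Critical"),
    Patch("legacy-general-1", "General"),
    Patch("legacy-unknown-1", "Trivial"),
    Patch("esxi5-security-important", "Important", "Security"),
    Patch("esxi5-bugfix-critical", "Critical", "BugFix"),
]

if __name__ == "__main__":
    # A Security baseline of Critical/Important patches picks up the legacy
    # "Security" patch because Table 1 maps it to (Critical, Security).
    print(dynamic_baseline(SAMPLE_PATCHES, {"Security"}, {"Critical", "Important"}))
```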

Category values in vSphere 5.x

Update Manager provides the following category values for patches and notifications.

Security

A patch containing fixes for one or more security vulnerabilities, together with other bug fixes.

BugFix

A patch containing one or more bug fixes.

Enhancement

A patch containing a hardware enablement enhancement.

Recall

A bulletin specifying the need to recall a package.

RecallFix

A bulletin to notify customers that a fix is available for the recalled VIBs.

Info

A bulletin containing generic notification about a wide range of issues.

Other

A bulletin containing updates for backward compatibility (for example, updates with no category specified, or with an obsolete category).

Severity values for specific categories in vSphere 5.x

The definitions of severity values differ based on the specific category.

Table 2. Description of severity values for specific categories

Security category

Critical: Vulnerabilities that can be exploited by an unauthenticated remote attacker or vulnerabilities that break guest or host operating system isolation. The exploitation results in the compromise of confidentiality, integrity, and availability of user data or processing resources without user interaction. Exploitation might be leveraged to propagate an Internet worm or execute arbitrary code between virtual machines and the host.

Important: Vulnerabilities whose exploitation results in the compromise of confidentiality, integrity, or availability of user data and processing resources. Such flaws might allow local users to gain privileges, allow authenticated remote users to execute arbitrary code, or allow local or remote users to cause a denial of service.

Moderate: Flaws where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios might still lead to some compromise of the confidentiality, integrity, or availability of user data and processing resources. These are the types of vulnerabilities that might have had a critical impact or important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.

Low: All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.

BugFix category

Critical: The issues being fixed can potentially cause data loss or severe service disruptions.

Important: The issues being fixed can cause failure of certain types of devices, configurations, or components, such as a process failure.

Moderate: The issues being fixed can cause inconsistency in operations or command failure.

Low: The issues being fixed are considered to have low impact on product operations.

Recall, RecallFix, and Info categories

Critical: Update Manager creates an alert notification, which appears in the Notifications tab and triggers an alarm in the vSphere Client.

Important: Update Manager creates a warning notification, which appears in the Notifications tab and triggers an alarm in the vSphere Client.

Moderate: Update Manager creates an information notification, which appears in the Notifications tab.

Low: Update Manager creates an information notification, which appears in the Notifications tab.