Update Manager 5.0 and later correlates the severity and category metadata of patches across ESX/ESXi releases, so that earlier patches that carry no category information are still matched correctly by dynamic baselines.
Correspondence between severity and category information in vSphere 5.x and earlier releases
Category metadata in patches was first introduced in vSphere 5.0. Severity metadata in patches has a different meaning in different vSphere releases, so the two must be correlated when a baseline spans releases.

| Severity value in vSphere 4.x and earlier | Severity value in vSphere 5.x | Category value in vSphere 5.x |
|---|---|---|
Category values in vSphere 5.x
Update Manager provides the following category values for patches and notifications.

- Security: a patch containing one or more security vulnerability fixes, and possibly other bug fixes.
- BugFix: a patch containing one or more bug fixes.
- Enhancement: a patch containing hardware enablement enhancements.
- Recall: a bulletin specifying the need to recall a package.
- RecallFix: a bulletin notifying customers that a fix is available for the recalled VIBs.
- Info: a bulletin containing a generic notification about a wide range of issues.
- Misc: a bulletin containing updates for backward compatibility (for example, updates without a category specified, or with obsoleted categories).
Severity values for specific categories in vSphere 5.x
The definition of each severity value depends on the category of the patch or bulletin.

| Category value in vSphere 5.x | Critical | Important | Moderate | Low |
|---|---|---|---|---|
| Security | Vulnerabilities that can be exploited by an unauthenticated remote attacker, or that break guest or host operating system isolation. Exploitation compromises the confidentiality, integrity, and availability of user data or processing resources without user interaction, and might be leveraged to propagate an Internet worm or to execute arbitrary code between virtual machines and the host. | Vulnerabilities whose exploitation compromises the confidentiality, integrity, or availability of user data and processing resources. Such flaws might allow local users to gain privileges, allow authenticated remote users to execute arbitrary code, or allow local or remote users to cause a denial of service. | Flaws whose exploitability is mitigated to a significant degree by configuration or by difficulty of exploitation, but that in certain deployment scenarios might still lead to some compromise of the confidentiality, integrity, or availability of user data and processing resources. These are vulnerabilities that would otherwise have had a critical or important impact but are less easily exploited according to a technical evaluation of the flaw, or that affect unlikely configurations. | All other issues that have a security impact: vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact. |
| BugFix | The issues being fixed can potentially cause data loss or severe service disruption. | The issues being fixed can cause failure of certain types of devices, configurations, or components, such as a process failure. | The issues being fixed can cause inconsistent operation or command failure. | The issues being fixed are considered to have low impact on product operation. |
| Recall, RecallFix, and Info | Update Manager creates an alert notification, which appears in the Notifications tab and triggers an alarm in the vSphere Client. | Update Manager creates a warning notification, which appears in the Notifications tab and triggers an alarm in the vSphere Client. | Update Manager creates an information notification, which appears in the Notifications tab and does not trigger an alarm. | Update Manager creates an information notification, which appears in the Notifications tab and does not trigger an alarm. |
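The following Python example is added here to show how the category and severity definitions above combine in practice when a dynamic baseline is evaluated; it is illustrative code written for this page, not Update Manager's implementation, and the `Patch`, `DynamicBaseline` and `notification_level` names, as well as the patch identifiers in the sample data, are constructed for the example. Patches that carry no category (pre-5.0 metadata) are handled with the Misc rule given in the category list; the release-to-release severity correlation table itself is not reproduced.

```python
"""Added example: dynamic-baseline selection and bulletin notification levels,
modelled on the category/severity definitions on this page. Illustrative only;
not Update Manager code. Names and sample identifiers are made up."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SEVERITIES = ("Critical", "Important", "Moderate", "Low")
CATEGORIES = ("Security", "BugFix", "Enhancement", "Recall", "RecallFix", "Info", "Misc")
# Categories that describe bulletins (notifications) rather than installable patches.
BULLETIN_CATEGORIES = frozenset({"Recall", "RecallFix", "Info"})


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str
    # None models a pre-vSphere 5.0 patch that carries no category metadata.
    category: Optional[str] = None


def effective_category(patch: Patch) -> str:
    """Category a 5.x dynamic baseline evaluates for this patch.

    A missing or obsoleted category value is treated as a backward-compatibility
    (Misc) update, which is how the Misc category is defined above.
    """
    if patch.category in CATEGORIES:
        return patch.category
    return "Misc"


@dataclass(frozen=True)
class DynamicBaseline:
    """Baseline criteria: a patch qualifies when both its effective category
    and its severity are in the selected sets (assumed AND semantics)."""
    categories: FrozenSet[str]
    severities: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = (self.categories - set(CATEGORIES)) | (self.severities - set(SEVERITIES))
        if unknown:
            raise ValueError(f"unknown criteria values: {sorted(unknown)}")

    def matches(self, patch: Patch) -> bool:
        if patch.severity not in SEVERITIES:
            raise ValueError(f"{patch.patch_id}: unknown severity {patch.severity!r}")
        return effective_category(patch) in self.categories and patch.severity in self.severities

    def select(self, patches: List[Patch]) -> List[str]:
        """Identifiers of the patches this baseline would include, in input order."""
        return [p.patch_id for p in patches if self.matches(p)]


def notification_level(bulletin: Patch) -> Tuple[str, bool]:
    """(notification level, whether a vSphere Client alarm is triggered) for a
    Recall, RecallFix or Info bulletin, following the table above."""
    if effective_category(bulletin) not in BULLETIN_CATEGORIES:
        raise ValueError(f"{bulletin.patch_id} is not a Recall/RecallFix/Info bulletin")
    if bulletin.severity == "Critical":
        return ("alert", True)
    if bulletin.severity == "Important":
        return ("warning", True)
    if bulletin.severity in ("Moderate", "Low"):
        return ("information", False)
    raise ValueError(f"{bulletin.patch_id}: unknown severity {bulletin.severity!r}")


# Constructed sample metadata; the identifiers are invented for this example.
SAMPLE = [
    Patch("ESXi500-sec-001", "Critical", "Security"),
    Patch("ESXi500-bug-002", "Important", "BugFix"),
    Patch("ESXi500-bug-003", "Low", "BugFix"),
    Patch("ESX400-legacy-004", "Critical"),            # 4.x patch, no category metadata
    Patch("ESXi500-recall-005", "Critical", "Recall"),
    Patch("ESXi500-info-006", "Moderate", "Info"),
]

# A baseline that pulls only Critical/Important security patches.
SECURITY_BASELINE = DynamicBaseline(frozenset({"Security"}), frozenset({"Critical", "Important"}))
# A baseline that pulls every Critical item regardless of category.
ALL_CRITICAL = DynamicBaseline(frozenset(CATEGORIES), frozenset({"Critical"}))


if __name__ == "__main__":
    print("security baseline:", SECURITY_BASELINE.select(SAMPLE))
    print("all critical:", ALL_CRITICAL.select(SAMPLE))
    for p in SAMPLE:
        if effective_category(p) in BULLETIN_CATEGORIES:
            print(p.patch_id, notification_level(p))
```

The point to notice is the legacy patch: with no category it cannot satisfy a Security-only baseline, but it still lands in a baseline whose category set includes Misc, which is why a baseline built from category criteria alone silently excludes pre-5.0 patches unless the category correlation is applied.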