Black Arrow Cyber Advisory 19/10/2022 – Support for VMware ESXi 6.5 and 6.7 reaches end-of-life

Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. On October 15th, VMware ESXi 6.5 and 6.7 reached end-of-life, meaning that VMware will no longer provide security or software updates to those who do not have an extended support contract. The extended support is limited to one annual security patch, which only includes catastrophic/critical security fixes.

What’s the risk to me or my business?

VMware is the biggest player within the hosted virtualisation platform market. It is highly likely that services purchased through third-party suppliers, excluding AWS and Azure, will be using VMware under the hood. So far this year, VMware products have been targeted by different ransomware groups, and various exploits affecting this software have been made public. It is very important that security updates continue to be provided for this critical infrastructure to help mitigate and address these growing threats.

What can I do?

If VMware ESXi is in use, whether internally or externally through a service provider, ensure that the version is one currently supported by VMware, meaning version 7 or above. Note that VMware often drops support for older hardware in newer versions of its vSphere ESXi software, so an upgrade to supported hardware may also be required.
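The check described above can be run over a host inventory. The following is an added example, not part of the original advisory: a small Python audit that sorts ESXi hosts into supported, end-of-life and unknown using the "version 7 and above" threshold. The inventory layout, host names and build numbers are constructed; the banner format is the one `vmware -v` prints on an ESXi host.

```python
import re
from collections import defaultdict

# Per the advisory: ESXi 7 and above is supported; 6.5 and 6.7 are end-of-life.
MIN_SUPPORTED_MAJOR = 7

# Banner as printed by `vmware -v`, e.g. "VMware ESXi 6.7.0 build-12345678".
BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+)(?: build-(\d+))?")

# Constructed sample inventory, one "host,owner,banner" record per line.
# Hosts and build numbers are made up for illustration.
SAMPLE_INVENTORY = """\
esx01.example.internal,internal,VMware ESXi 6.5.0 build-11111111
esx02.example.internal,internal,VMware ESXi 7.0.3 build-22222222
esx03.example.internal,internal,VMware ESXi 6.7.0 build-33333333
hosting-a.example.net,provider,VMware ESXi 8.0.0 build-44444444
hosting-b.example.net,provider,version not disclosed
"""

def classify(banner):
    """Return (status, 'major.minor') for one version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        # An unreadable or withheld version is a finding to chase, not a pass.
        return "unknown", None
    major, minor = int(m.group(1)), int(m.group(2))
    status = "supported" if major >= MIN_SUPPORTED_MAJOR else "end-of-life"
    return status, f"{major}.{minor}"

def audit(inventory_text):
    """Group inventory records by support status."""
    report = defaultdict(list)
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        parts = [field.strip() for field in line.split(",", 2)]
        if len(parts) != 3:
            # Malformed record: keep it visible under 'unknown'.
            report["unknown"].append((parts[0], None, None))
            continue
        host, owner, banner = parts
        status, version = classify(banner)
        report[status].append((host, owner, version))
    return dict(report)

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        for host, owner, version in hosts:
            print(f"{status:12} {host:26} {owner:9} {version or '?'}")
```

Hosts reported as unknown, such as a service provider that has not disclosed its version, need a follow-up question rather than being assumed supported.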

Further technical information on supported versions of VMware ESXi can be found here: Product Lifecycle Matrix (vmware.com), with details on the extended support package listed here: VMware Extended Support Datasheet

Need help understanding your gaps, or just want some advice? Get in touch with us.