Customers using third-party vulnerability scanners such as Tenable or Qualys may be considering whether to perform authenticated or unauthenticated network scans for vulnerability assessment of VCF infrastructure Appliances.
VCF 9.x
Broadcom does not recommend enabling authenticated scanning for VCF Appliances as this requires weakening the security posture of those components by enabling SSH.
SSH on VCF Appliances is a maintenance and support tool designed for temporary use only. It should only be enabled for specific, temporary break-glass scenarios or as guided by Broadcom Support.
VCF Appliances have no customer-serviceable parts – they are delivered and maintained as a single software image, similar to network switch firmware. Modifying permissions or software within the appliance image, including as a side effect of enabling authenticated scanning activity, may impact system functionality, availability and supportability.
Broadcom constantly analyzes VCF software for any vulnerabilities that may impact VCF. If Broadcom determines that there is a security issue that affects a supported Broadcom appliance, including the open source or proprietary software components or operating system contained within the appliance image, Broadcom will release an appliance update to address the issue. Do not install patches supplied by other vendors or open source developers.