Patch and Update classification schemes for VMware ESX/ESXi 4.x, ESXi 5.x and, ESXi 6.0
search cancel

Patch and Update classification schemes for VMware ESX/ESXi 4.x, ESXi 5.x and, ESXi 6.0


Article ID: 344137


Updated On:


VMware vSphere ESXi


This article provides information on the old and new classification scheme for VMware ESX/ESXi.


VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0
VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware ESX 4.1.x


The Old Classification Scheme

This classification system applied to ESX 3.0.x, 3.5 and 4.x.

Security - The patches that belong to this category fix one or more potential security vulnerabilities in ESX. Immediately implement security patches to protect your system from these vulnerabilities.

Critical - The patches that belong to this category fix flaws in the product that can potentially cause data loss or severe service disruptions. Immediately implement critical patches.

General - The patches that belong to this category can include fixes for minor flaws, new driver updates, and non-intrusive enhancements. Evaluate general patches to determine if any resolved issues or enhancements benefit your system. Apply these patches as needed.

For more information on classifications, see Patch & Update Classifications for VMware ESX Server 3.0.x-3.5.x.

The New Category/Severity Scheme

Starting with ESXi 5.0, the classification scheme now contains a two-level Category and Severity scheme.

The Category contains these definitions:
  1. BugFix - The fix is for a normal product defect.
  2. Security - The fix is for security-related product issues.
  3. Enhancement - A new hardware enablement, a new driver update or a new product feature is added.
The Severity contains these definitions:
  1. For BugFix category

    Critical - A problem which may severely impact the customer's production systems (including the loss of production data). Such impacts could be system down or HA not functioning. A workaround is not in place.

    : Immediately implement the critical patch.

    Important - A problem may affect functionality, or cause a system to function in a severely reduced capacity. The situation causes significant impact to portions of the business operations and productivity. The system is exposed to potential loss or interruption of services.

    Recommendation: Immediately plan for a maintenance window for the patch.

    Moderate - A problem may affect partial non-critical functionality loss. This may be a minor issue with limited loss, no loss of functionality, or impact to the client's operations and issues in which there is an easy circumvention or avoidance by the end user. This includes documentation errors.

    Recommendation: Implement the patch in your next maintenance window.

    Low - A problem is considered low or no impact to a product's functionality or a client's operations. There is no impact on quality, performance, or functionality of the product.

    Recommendation: Implement the patch at your convenience.

  2. For security bugs

    Critical - Vulnerabilities that can be exploited by an unauthenticated attacker from the Internet, or those that break the guest/host Operating System isolation. The exploitation results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between virtual machines and/or the Host Operating System.

    Important - Vulnerabilities that are not rated critical, but whose exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers. This rating also applies to those vulnerabilities, which could lead to the complete compromise of availability when exploitation is by a remote unauthenticated attacker from the Internet or through a breach of virtual machine isolation.

    Moderate - Vulnerabilities where the ability to exploit is mitigated to a significant degree by configuration or difficult of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.

    Low - All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.

  3. For Enhancement

    Changes in software related to enabling new hardware or enabling a feature. Only one severity value is used in representing the importance of this category.

    Important - A change to support hardware enablement (for example, a driver update), or a new feature for an important product capability.
For more information on severity schemes, see Classes of Vulnerabilities in VMware Products.

Mapping of old scheme and new scheme

The patch packaging changed for ESX/ESXi 4.1 patches after 7/28/2011. Therefore, users may see different Category and Severity values in the Patch Repository UI between 4.1 VUM and 5.0 VUM.

Note: 4.1 VUM shows the old 1-level classification, while 5.0 VUM and later shows the new two-level classification.

This table details the differences between the old and new scheme:
Old Scheme
New Scheme
Critical, Important
Critical, Important, Moderate, Low
Moderate, Low
Note: For any 4.x patch whose bulletin does not contain the value for the new scheme, VUM 5.0 attempts to map it automatically to default values.

VUM default mapping between old scheme and new scheme for old 4.1 patches

The following table shows the default mapping done by 5.0 VUM and later for those old 4.x bulletins. For more information, see Chapter 15 of Installing and Administering VMware vSphere Update Manager.
Old Scheme
New Scheme

Additional Information

VMware ESX/ESXi 4.x および ESXi 5.x のパッチおよびアップデートの分類スキーム
VMware ESX/ESXi 4.x 和 ESXi 5.x 的修补程序和更新分类架构