Score:0

Is it secure to still be using an old version of VMware ESXi in production after support ends?


I work at a small business that owns an HP ProLiant DL380 G7 server for production. We would like to use the free-license version of ESXi, which is version 6.7 U3, because we can't run modern versions on that server due to the processors (2 × X5650) not being compatible. The main problem is that security patches and updates for ESXi 6.7 will end in 2022, which makes me wonder whether it would be risky to keep using that version after support ends. I know it's really important to use updated software and hardware, but unfortunately this business can't afford a newer server or a modern version of ESXi. Could using an old version of ESXi let hackers exploit some vulnerability in one virtual machine and gain access to the others? Are there businesses still using old versions of VMware without trouble? Our web application stores some user data, which should be protected. I was thinking of using Proxmox VE to solve this problem. Excuse me if this question looks a little silly; I'm new to the world of virtualization. Thank you for all your help.

Krackout:
Apparently it's not secure to keep an unsupported version of software. Switching to Proxmox (or even completely free QEMU/KVM or Xen) on Linux is a great idea. You can then be sure that the server will be supported for many years. The drawback is importing the current VMs to the new platform; you are going to need more downtime than for updating ESXi. The best way would be to have a second server (could be a plain PC) to test the procedure. You can use .vmdk files on QEMU/KVM, which makes the transition easier.
Score:2

Short answer is no, it is not secure.

If you want to keep data private, you need to apply security updates regularly.

Otherwise you are risking that a serious vulnerability allows accessing your private data, which will have bad consequences for the business.

I suggest that you look into migrating your systems to the cloud, where you don't need to worry about managing the infrastructure and its security and can concentrate only on your application's security.

Adrián:
Thank you for your response, so you think it's better to migrate all those systems to the cloud instead? What I have done so far is install ESXi 7.0.2 using a parameter called allowLegacyCPU to bypass the CPU check. The system is working properly, but what problems do you think I could run into by doing this? The VMs are running properly without errors and everything is detected so far. Thank you.
The security risks are smaller this way, since you keep the hypervisor up to date. However, the legacy CPU can have hardware security vulnerabilities, and your hypervisor would not necessarily provide workarounds for those. Also, a future upgrade might break things, since VMware isn't doing full QA with legacy CPUs.