Patching and Updates Guidelines

All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the “Patching and Updates” Requirements.

MSSND Requirement

Campus networked devices must only run supported software and operating systems for which security patches are made available in a timely fashion. All currently available security patches must be applied on a schedule appropriate to the severity of the risk they mitigate. 

Where extended vendor support is available for software or operating systems deemed “end-of-life”, enrollment is required and an exception must be requested. 

Background and Description of Risk

Security vulnerabilities in software are constantly being discovered.  Exploitation of vulnerabilities in software can lead to:

  • Institutional data and personal data breaches
  • Data loss or modification
  • Compromised systems and use of those compromised systems to launch further attacks
  • Denial of Service (DoS) attacks, rendering services unavailable

Recommendations

Patching Schedule

Based on National Vulnerability Database (NVD) ratings, apply security patches using the following schedule as a guideline:

NVD Rating (CVSS 3.x)

Patch Schedule

Critical

Within 48 hours of publish

High

Within 7 days of publish

All other vulnerabilities

Within 30 days of publish

Other factors to consider that can accelerate or decelerate security patching schedule include:

  • Likelihood
    • Has working exploit code been published? 
    • Has exploitation already been publicly or privately observed?
  • Exposure
    • Are the vulnerable systems or services Internet-accessible?
    • Are the vulnerable systems or services open to the entire Campus network or specific, authorized hosts?
  • Context
    • How severe does the vendor rate the vulnerability? 
    • Is attack complexity high or low? 
    • What kind of impact is there? (e.g. confidentiality, integrity, and/or availability)
    • How difficult would it be to detect an ongoing attack exploiting the vulnerability? 
    • Is there Protected Data on the system?
  • Mitigation
    • Are there verified workarounds or temporary solutions that can quickly be implemented until full patching can occur?

Supported Operating Systems & Software

Devices on the campus network must run supported operating systems and software. “Supported” means:

  • The software is actively receiving security updates from the vendor. 
  • For Open Source, software must be actively maintained by developers and must release security updates for any reported vulnerabilities in a timely fashion.

If an operating system or software product is deemed End-of-Life by the vendor, the unsupported software must be upgraded to a supported release before the End-of-Life date.

When upgrading is not possible or must be significantly delayed, users may enroll in extended support from a vendor (if available) and submit an Information Security Policy Exception Request.

General Patching Guidance

Effective patch management requires a process to identify vulnerable software, evaluate available patches, test and deploy those patches, and confirm their successful installation. Most operating system (OS) vendors include a solution for patching, but such solutions typically cover only the OS itself. It is critical to supplement these solutions with application and other software patching.

1. Automate

Enterprise Patch Management Systems

  • IBM BigFix: Campus departmental IT partners can use the IBM BigFix endpoint management service to automate patching of institutional devices. Contact the Endpoint Operations & Services team for more information.
  • Microsoft Windows Server Update Service (WSUS): IST offers a Microsoft Windows Server Update Service at http://update.berkeley.edu. For users of the CalNet Active Directory service, Group Policy Objects (GPOs) may be used to configure the use of the IST-managed WSUS server. Use the GPO “Campus – WSUS” to configure updates to be automatically installed every day at 3:00am.
  • RedHat Linux - Campus Satellite Server: The IST Unix Team maintains a campus Satellite Server that offers access to RedHat updates. More information is available at https://wikihub.berkeley.edu/display/PIPUB/Red+Hat+Enterprise+Linux+Site+License.

Personal Devices and Self-managed Institutional Devices

Enable Automatic Updates for operating systems:

2. Plan & Prioritize

  • Understand that patching is an ongoing, recurring activity. 
  • Enterprise system owners should maintain a patch management plan and coordinate accordingly with both business and technical stakeholders. 
  • For critical vulnerabilities, be sure to prioritize the patching of Internet-facing systems when public services are vulnerable.

3. Monitor