The wordings in the KB article 96577 is ambiguous.
First of all, the KB article 96577 said that “VMware will provide fixes for CVE's based on upstream package availability for Photon OS 3.x.”, but since Photon OS 3.0 is reaching end-of-life by 1-Mar-2024, is it unlikely that there will be any “upstream package availability for Photon OS 3.0” after 1-Mar-2024? Is VMware actually implying in the above statement that after 1-Mar-2024 VMware will NOT (or may not be able to) provide CVE fixes for any new vulnerability of Photon OS 3.0 for vCenter Server customers still running Photon OS 3.0?
Secondly, the KB article 96577 said that “VMware will not release a newer Photon OS version on older releases of vCenter including 7.0 & 8.0.”, but did not say
a. whether VMware has already released or plans to release a newer Photon OS version on some newer releases of vCenter 7.0 and 8.0
b. whether VMware has already released or plans to release a newer Photon OS version on some newer patches/updates of vCenter 7.0 and 8.0
Moreover, the KB article 96577 also said that VMware advices the customers not to update the Photon OS on the VCSA server to version 4 or above by themselves. In short, VMware is not telling their customers currently running Photon OS 3.0 on their vCenter Server what to do with the end-of-life Photon OS 3.0, leaving them worrying about not able to get any fix with any new vulnerability of the Photon OS 3.0 they are running.
In fact, recently I had implemented the “VMware vCenter Server 7.0 Update 3p” (released on 7-Dec-2023) on my vCenter Server, and found that the Photon OS is still version 3.0 after the update. Will updating the vCenter Server version 7 to the latest version of vCenter Server 8 (VMware vCenter Server 8.0 Update 2a, released on 26-Oct-2023) automatically update the Photon OS to a version newer than 3.0? If not, what is the proper way to update the Photon OS 3.0 running on the vCenter Server to a newer (not end-of-life) version? Could VMware clarify that, please?
