Has anyone applied the recently released patches for Spectre? I wanted to make sure there are no issues before I apply them to my ESXi hosts.
Patches - release date 3/20/2018
ESXi550-201803401-BG https://kb.vmware.com/s/article/52449
ESXi550-201803402-BG https://kb.vmware.com/s/article/52450
This went fine, I just updated using Update Manager.
Make sure the update process is followed as recommended, so that you do not face any issues on the host after upgrading.
Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants.
Below are a few KBs for your reference, which discuss this in detail.
I put a patch on the host when they first issued one, shortly after the issue was brought to light, and then they recalled it. I do not want to be in that same situation where they release and then recall the patch. So are you saying that you have applied these patches yourself and have seen no issues? That they have not been recalled?
By these patches I mean the ones I first mentioned; have you successfully applied these with no issues, and has there not been any recall?
ESXi550-201803401-BG https://kb.vmware.com/s/article/52449
ESXi550-201803402-BG https://kb.vmware.com/s/article/52450
VMware recalled the patches because Intel recalled the microcode update it had released.
The microcode would be released by the hardware vendor.
Since the microcode was not available, VMware had to recall the patch.
This KB was only relevant for organizations that had deployed ESXi650-201801402-BG, ESXi600-201801402-BG, and/or ESXi550-201801401-BG which were pulled down on 01/12/18. VMware’s recommendation is to instead follow the procedure laid out in Hypervisor-Assisted Guest Mitigation for branch target injection. Note that ESXi650-201803401-BG, ESXi600-201803401-BG, and ESXi550-201803401-BG will remove the workaround line below from /etc/vmware/config when applied. Host profiles in ESXi 6.5 may re-introduce the workaround under certain circumstances, see KB52460 for more information. This KB article (52345) will remain published for historical purposes.
It has been updated by VMware if you refer to the above KB.
We have updated our lab environment with the same process and we haven't observed any issues to date.
Process Followed:
1. Upgrade vCenter
2. Apply ESXi patches
3. Apply the Microcode/BIOS updates
5. Update firmware and drivers
6. Apply all security patches for your guest OS
7. Ensure VMs are using virtual hardware version 9 or above
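As an added example (not code from this thread or from VMware), here are two small checks for the ESXi shell that cover the last step of that procedure and confirm the host actually reports the post-patch build. Both functions read command output on stdin so they can be run here against constructed samples; on a real host you would pipe in the live `esxcli system version get` and `vim-cmd vmsvc/getallvms` output. The sample VM names and the hardware versions are made up; the only build number used is the 6.0.0 build 7967664 mentioned later in the thread, and the build you compare against should be the one listed in the KB for the patch you applied.

```shell
#!/bin/sh
# Added example, not from the thread: post-patch sanity checks for the ESXi shell.
# On a live host:
#   esxcli system version get | host_build_at_least <build from the patch KB>
#   vim-cmd vmsvc/getallvms   | vms_below_hw9

# Succeed (exit 0) if the "Build: Releasebuild-NNNN" line reports a build >= $1.
# Fails on empty or unexpected input, so a wrong command does not look like a pass.
host_build_at_least() {
    want="$1"
    have=$(awk -F'Releasebuild-' '/^ *Build:/ { print $2 + 0 }')
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Print the names of VMs whose virtual hardware version is below vmx-09.
# Guests on older hardware versions do not see the new CPU features, so the
# hypervisor-assisted guest mitigation cannot work for them.
vms_below_hw9() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^vmx-[0-9]+$/ && substr($i, 5) + 0 < 9) { print $2; break }
    }'
}

# Constructed sample output (only the build number is taken from the thread).
SAMPLE_VERSION='   Product: VMware ESXi
   Version: 6.0.0
   Build: Releasebuild-7967664'

SAMPLE_VMS='Vmid   Name     File                     Guest OS               Version   Annotation
1      web01    [ds1] web01/web01.vmx      rhel6_64Guest          vmx-08
2      db01     [ds1] db01/db01.vmx        windows8Server64Guest  vmx-10
3      old-app  [ds1] old-app/old-app.vmx  otherGuest             vmx-07'

if printf '%s\n' "$SAMPLE_VERSION" | host_build_at_least 7967664; then
    echo "host build is at or above the expected build"
else
    echo "host build is BELOW the expected build: patch not applied?"
fi
echo "VMs that need a hardware version upgrade before the guest mitigation works:"
printf '%s\n' "$SAMPLE_VMS" | vms_below_hw9
```

The hardware-version check deliberately lists VMs rather than upgrading them: raising the virtual hardware version is a one-way change that needs the VM powered off, so it belongs in a planned window, not in a scan.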
Back in January 2018 we deployed the following two patches:
ESXi550-201801301-BG 1/22/2018
ESXi550-201801401-BG 1/9/2018
Is there a process to remove a patch if it causes issues?
If there is an issue, you could always revert to the previous build.
While the ESXi server is booting you get the option to press Shift + R to revert to a previous version of ESXi.
Thanks
As you can see from the list from January, I did put the recalled patch on:
ESXi550-201801401-BG 1/9/2018
and I am planning on putting both of the new releases on this week:
ESXi550-201803401-BG https://kb.vmware.com/s/article/52449
ESXi550-201803402-BG https://kb.vmware.com/s/article/52450
You could implement the patches you mentioned on the ESXi host:
ESXi550-201803401-BG
ESXi550-201803402-BG
Make sure that you follow the upgrade process as mentioned in the documents.
The KB below lists the Intel and AMD processors for which microcode updates were included in ESXi patches ESXi650-201803402-BG, ESXi600-201803402-BG, and ESXi550-201803402-BG:
Please contact your hardware vendor to determine if BIOS/firmware updates are recommended as there may be additional improvements included with those updates.
LOL, yes I can implement them, but the purpose of this thread was to find out if there are any downsides to applying them, and I will admit I don't think that question has been answered.
I haven't seen anything creating issues on the ESXi hosts after applying these patches:
ESXi550-201803401-BG
ESXi550-201803402-BG
The previous patch, which was recalled, had a few issues, but with these patches we have not observed issues on the host as of now.
My plan is to install the patches using Update Manager, where they showed up when I scanned for patches.
Yes, the VMware ESXi patches will be listed once you download the latest patches and scan the host.
Yes, that is exactly what I said: they showed up in Update Manager and I plan to install them from there, but the information you provided seemed to focus on the manual install, not Update Manager.
The process I shared covers the components that need to be upgraded before upgrading ESXi and the components that need to be upgraded after upgrading vCenter.
You could use either Update Manager or manually download the patches and use the command to patch the host, whichever process you are comfortable with.
Looks to me like Update Manager is the simplest way to do it.
Using VUM, it took us up to ESXi 6.0.0, build 7967664. No issues yet.
Yes, we did early-adopt the patches in January, so this one just overwrote those, I guess.
Yeah, we adopted the patches in January too and as far as I could tell they did not help or hurt. According to our CrowdStrike monitoring of our devices it does not appear as though there is a fix for Spectre yet.