VMware Cloud Community
KTUCLA
Contributor

VMSA-2018-0012.1 Issues - VMware patches seem not to be working

Hi everybody,

We have a cluster running 10 HPE ProLiant DL380 G9 and vCenter 6.5. The vCenter appliance is running the latest version from VMware, and the ESXi hosts are also up to date, running VMware ESXi, 6.5.0, 8935087.

The cluster is running in EVC mode at the Intel® "Haswell" generation because 5 of our hosts run Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz and the other five run Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz.

All of these hosts have the latest BIOS and microcode update from HPE applied (version 2.60). According to HPE, this should fix CVE-2018-3639.

According to the VMware Knowledge Base, we should find “Capability Found: cpuid.SSBD” in the vmware.log of guest VMs after powering them down and restarting them. But we don't have this. So it looks like the patch is not correctly applied to all servers in the cluster, or something else is missing.

On a Windows guest VM, running Get-SpeculationControlSettings results in:

Speculation control settings for CVE-2017-5715 [branch target injection]

For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: False
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False

Suggested actions

* Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698

BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : False
BTIDisabledBySystemPolicy           : True
BTIDisabledByNoHardwareSupport      : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : False
KVAShadowPcidEnabled                : False
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : False
SSBDWindowsSupportEnabledSystemWide : False

Another HPE ProLiant DL380 G9 running Windows natively, without VMware, and with HPE BIOS version 2.60 gives the following result when running Get-SpeculationControlSettings:

Speculation control settings for CVE-2017-5715 [branch target injection]

For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False

Suggested actions

* Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698

BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : False
BTIDisabledBySystemPolicy           : True
BTIDisabledByNoHardwareSupport      : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : False
KVAShadowPcidEnabled                : False
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : False

So according to this, the HPE BIOS has the problem fixed, but only VMware has something missing.

Does somebody have such issues? What can we do to get this fixed?

Thank you for your help,
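An added triage helper (not from the thread) that parses two Get-SpeculationControlSettings property listings like the ones posted above and separates the hypervisor-side gap (a capability present on bare metal but absent in the guest, which is what a stale EVC baseline produces) from the guest-side gaps (capability visible but the Windows mitigation not enabled). The two input blocks are constructed from the values posted, trimmed to the relevant keys; the finding texts are this example's own wording.

```python
import re

# Constructed excerpts of Get-SpeculationControlSettings property output,
# trimmed to the keys that matter and filled with the values from the thread:
# the guest VM on ESXi first, the bare-metal DL380 G9 derived from it.
GUEST_VM = """
BTIHardwarePresent                  : True
BTIWindowsSupportEnabled            : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportEnabled      : False
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : False
SSBDWindowsSupportEnabledSystemWide : False
"""
# Bare metal differs from the guest in exactly one value: SSBD is present.
BARE_METAL = re.sub(r"(SSBDHardwarePresent\s*:) False", r"\1 True", GUEST_VM)

LINE = re.compile(r"^\s*(\w+)\s*:\s*(True|False)\s*$")

def parse_settings(text):
    """Turn the 'Name : True/False' listing into a dict of booleans."""
    return {m.group(1): m.group(2) == "True"
            for m in map(LINE.match, text.splitlines()) if m}

def diagnose(guest, host):
    """Compare a guest's result with the bare-metal result for the same
    hardware model; return one finding per gap, hypervisor-side ones first."""
    findings = []
    # A capability the firmware exposes but the VM never sees is hidden by
    # the hypervisor's CPUID mask (here a stale EVC baseline), not by the BIOS.
    for key in ("BTIHardwarePresent", "SSBDHardwarePresent"):
        if host.get(key) and not guest.get(key):
            findings.append(f"{key} hidden from guest: re-apply EVC, power-cycle the VM")
    # Capability visible but the Windows mitigation off: a guest-side policy or
    # registry setting, which the KB4072698 guidance in the output refers to.
    checks = (("BTIHardwarePresent", "BTIWindowsSupportEnabled"),
              ("SSBDHardwarePresent", "SSBDWindowsSupportEnabledSystemWide"),
              ("KVAShadowRequired", "KVAShadowWindowsSupportEnabled"))
    for present, enabled in checks:
        if guest.get(present) and not guest.get(enabled):
            findings.append(f"{enabled} is False although {present} is True")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_settings(GUEST_VM), parse_settings(BARE_METAL)):
        print(f)
```

For the posted values this reports the SSBD capability as hidden from the guest plus two guest-side mitigations (BTI and KVA shadow) that stay disabled by policy even though the hardware supports them.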

1 Solution

Accepted Solutions
a_p_
Leadership

It looks like the new CPU features are not presented to the VMs.

What you may try - unless already done - is to re-apply the EVC mode in the cluster settings, i.e. open the EVC settings and click OK.

Then power-cycle one of the VMs to see whether this did the trick.

André

3 Replies
KTUCLA
Contributor

Thank you, André. I had already applied the EVC settings, but this did not work. Now I tried removing EVC mode from the cluster and then reapplying EVC mode again. After that, the VMs get the required CPU features when they are powered on again.

hochstic
Contributor

Same issue here with Dell R730 / R740.
