VMware Cloud Community
tdubb123 (Expert):

"This host is potentially vulnerable to issues described in CVE-2018-3646"

I patched my host (ESXi 6.5) to 9298722

now getting this warning. I already updated vCenter to 9451637

any idea?

(screenshot attached)

17 Replies
a_p_ (Leadership):

This is a warning regarding Intel's L1 Terminal Fault (L1TF) vulnerability.

Please read the mentioned KB article as well as https://kb.vmware.com/s/article/56931, which contains a script for "HTAware Mitigation Load Analysis Usage" as well as "HTAware Mitigation Remediation".

André

SupreetK (Commander):

The same thing has been mentioned in the blog - Warning "esx.problem.hyperthreading.unmitigated" after installing ESXi patches. | Kalle's playground

For the fix, you have to refer to the KB - VMware Knowledge Base

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

tdubb123 (Expert):

OK, looks like I applied the patches in the right order:

1) vCenter patches

2) ESXi patches

3) Evaluate and set VMkernel.Boot.hyperthreadingMitigation to "true" if you want to enable the patch.

My problem is now with step 3.

If I don't do anything, what will happen? How do I evaluate VMkernel.Boot.hyperthreadingMitigation?

SupreetK (Commander):

If you don't follow the mitigation plan detailed in the KB VMware Knowledge Base, hosts will remain susceptible to the risk explained in the advisory CVE-2018-3646.

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

tdubb123 (Expert):

I don't understand. Then what was the patch update to 9298722 for?

I was vulnerable at 8935087.

What does going to 9298722 get me?

Should I stay at 8935087 instead?

vijayrana968 (Virtuoso):

ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547

ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563

ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896

You have applied the first patch, which is for esx-base, and it seems you haven't applied the other two yet, whereas the CPU microcode is in the 2nd patch :)

SupreetK (Commander):

Updating to this patch is step-1 of the mitigation plan. The other two steps are dependent on this one. Below are the three mitigation steps from the above shared KB VMware Knowledge Base -

Update Phase: Apply vSphere Updates and Patches

Planning Phase: Assess Your Environment

Scheduler-Enablement Phase: Enable the ESXi Side-Channel-Aware Scheduler

The host is susceptible to the L1TF (CVE-2018-3646) issue even on build 8935087.

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

tdubb123 (Expert):

Looks like I have all the patches

(screenshot attached)

a_p_ (Leadership):

Did you see my previous reply?

André

tdubb123 (Expert):

Yes. Another question: after patching the host to the latest build and enabling the ESXi Side-Channel-Aware Scheduler, will my hosts really take a 30% hit in performance?

a_p_ (Leadership):

It actually depends on the current resource usage, that's why the KB article contains a script to analyze the current usage. Based on the results, you may consider what to do next.

André

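As an added example (not the HTAwareMitigation script attached to KB 56931, and not code from anyone in this thread), the PowerCLI script below walks the three phases SupreetK listed and the usage check André points to, for every host in one cluster: it reports the build and the esx-base / cpu-microcode / esx-ui VIB versions (update phase), the current value of VMkernel.Boot.hyperthreadingMitigation together with physical core vs. logical thread counts and the last hour of cpu.usage.average (planning phase), and, only when run with -Enable, sets the advanced setting to true (scheduler-enablement phase). It assumes Connect-VIServer has already been run; the cluster name 'Prod-Cluster', the script file name and the 50% load threshold are this example's own placeholders and heuristic, not anything the KB prescribes.

```powershell
# Added example: PowerCLI L1TF mitigation status for a cluster.
# Assumptions: an existing Connect-VIServer session; 'Prod-Cluster' is a
# placeholder; the 50% threshold is this example's heuristic, not the KB's method.
param(
    [string]$ClusterName = 'Prod-Cluster',   # placeholder cluster name
    [switch]$Enable                          # set the scheduler setting (host reboot required)
)

$setting = 'VMkernel.Boot.hyperthreadingMitigation'
# VIBs delivered by ESXi650-201808401-BG, -402-BG and -403-BG respectively
$vibs = 'esx-base', 'cpu-microcode', 'esx-ui'

foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name) {

    # Update phase: host build plus the versions of the three patched VIBs
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $installed = $esxcli.software.vib.list.Invoke() |
        Where-Object { $vibs -contains $_.Name } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Version }

    # Planning phase: scheduler setting, cores vs. threads, and recent CPU load.
    # Realtime samples are 20 s apart, so 180 samples cover the last hour;
    # Instance '' is the host-wide aggregate.
    $adv   = Get-AdvancedSetting -Entity $vmhost -Name $setting
    $cpu   = $vmhost.ExtensionData.Hardware.CpuInfo
    $usage = Get-Stat -Entity $vmhost -Stat 'cpu.usage.average' -Realtime -MaxSamples 180 |
        Where-Object { $_.Instance -eq '' } |
        Measure-Object -Property Value -Average

    # Heuristic (assumption): cpu.usage.average counts hyperthreads as capacity,
    # so above ~50% the load no longer fits on physical cores alone and the
    # Side-Channel-Aware Scheduler will cost noticeable throughput.
    $loadWarning = $usage.Average -gt 50

    [pscustomobject]@{
        Host        = $vmhost.Name
        Build       = $vmhost.Build
        VIBs        = ($installed -join '; ')
        Mitigation  = "$($adv.Value)"
        Cores       = $cpu.NumCpuCores
        Threads     = $cpu.NumCpuThreads
        AvgCpuPct   = [math]::Round([double]$usage.Average, 1)
        LoadWarning = $loadWarning
    }

    # Scheduler-enablement phase: opt-in only; the new value is read at boot
    if ($Enable -and "$($adv.Value)" -ne 'True') {
        Set-AdvancedSetting -AdvancedSetting $adv -Value $true -Confirm:$false | Out-Null
        Write-Warning "$($vmhost.Name): $setting set to true; reboot the host to activate the Side-Channel-Aware Scheduler"
    }
}
```

Save it as, say, Get-L1tfStatus.ps1 (a placeholder name) and run `.\Get-L1tfStatus.ps1 -ClusterName <cluster>` first to see where each host stands; a host with all three VIBs at the August 2018 versions but Mitigation = False is exactly the state that raises the esx.problem.hyperthreading.unmitigated warning. Rerun with `-Enable` only once the Threads/Cores and AvgCpuPct columns show the cluster can absorb one thread per core, and schedule the reboot that the setting needs to take effect.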
tdubb123 (Expert):

Can you tell me where the PowerShell script download link is?

VMware Knowledge Base

I am not seeing it.

a_p_ (Leadership):

It's on the right in the "Attachments" box (HTAwareMitigation-1.0.0.9.zip).

André

tdubb123 (Expert):

Yes, got it. Thanks, André

tdubb123 (Expert):

(screenshot attached)

Seeing this as the report on one of my clusters

ducdaibac (Enthusiast):

Can someone help me with HTAwareMitigation-1.0.0.16.zip? I can't download it from: https://kb.vmware.com/s/article/56931

HPU-ADM (Enthusiast):

I recently turned on the Side-Channel-Aware Scheduler to be "security compliant". But the obvious change is that the total number of logical processors on my ESXi host is cut IN HALF.

I don't know how this is an acceptable solution or a workaround. Basically, if you buy a server for ESXi with an Intel chip, turning on the Side-Channel-Aware Scheduler disables hyperthreading. So that's where you lose half your logical processors.

Let me show you the math.

A 12-core Intel CPU server with ESXi installed would have 24 logical processors available for your VMs on that host.

INSTEAD, with the Side-Channel-Aware Scheduler turned on, the same example would mean you have 12 logical processors available on your host.

This directly affects your capacity and deployment, and obviously if you have a VM that uses more than the number of logical processors you get a performance hit.

This directly affects shops that purchase Intel CPUs with lower core counts.

All the sales people don't explain this part; all they do is generalize the problem and say it depends on your workload.

That's BS, you lose HALF of your LOGICAL PROCESSORS, how about that.