VMware Networking Community
derrellb
Contributor

ESX.Problem.Hyperthreading.Unmitigated

Good Morning everyone,

I have a small environment in our engineering rack and I added 3 additional hosts into the mix. When I added them into the clusters where my prepared hosts are, the new hosts did not take the VIBs. I was finally able to force-sync the hosts and they were able to get their VTEPs.

When I did that, I then got the following alarm: ESX.Problem.Hyperthreading.Unmitigated

All 6 of the servers are M4s. But when I go to the Advanced System Settings, only the 3 new servers have this as an option to set to true or false (currently set to false). The original 3 don't even have that as an advanced setting. All six have VMkernel.Hyperthreading and it is set to "TRUE".

I am not sure if forcing the sync caused this or what. I found the KB about this, but it talks about this happening when doing an upgrade. I didn't do an upgrade.

It says that it is a setting to mitigate a CVE security issue.

Any thoughts?

Thanks,

Derrell

Accepted Solution
sk84
Expert

Do the 3 ESXi hosts where this message appears have a different build number than the other 3 hosts?

This message indicates that your ESXi hosts are vulnerable to a serious vulnerability that can bypass VM isolation (see VMSA-2018-0020). Because it is so critical, a warning or alert is displayed.

This message was introduced in the ESXi650-201808001 and ESXi670-201808001 patches. This corresponds to build 9298722 for vSphere 6.5 and build 9484548 for vSphere 6.7.

Here you can compare the build numbers and releases: VMware Knowledge Base

To mitigate this vulnerability you have to deactivate Hyper-Threading via a new advanced setting (VMkernel.Boot.hyperthreadingMitigation). But since this results in CPU performance losses, VMware has provided a workflow with 3 phases and an analysis tool. See here for more information: VMware Knowledge Base

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.

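The accepted answer boils the alarm down to two facts per host: whether the build is new enough to carry the mitigation setting at all, and whether VMkernel.Boot.hyperthreadingMitigation has been turned on. The script below is an added example, not code from this thread or from VMware: it classifies a set of hosts into "unpatched" (older build, no setting, no alarm, still vulnerable), "unmitigated" (patched build, setting FALSE, the alarm the original poster saw), "mitigated", or "ht-disabled", and prints the esxcli command that flips the setting. The build thresholds are the ones quoted in the answer for 6.5 and 6.7 only; the host inventory is constructed sample data standing in for what you would collect from `esxcli system version get` and `esxcli system settings kernel list -o hyperthreadingMitigation` on each host.

```python
"""Triage ESXi hosts for ESX.Problem.Hyperthreading.Unmitigated.

Added example (not code from the thread or from VMware). Assumes a per-host
inventory gathered out of band; SAMPLE_HOSTS below is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# First builds that ship the hyperthreadingMitigation setting and the alarm,
# as stated in the accepted answer (ESXi650-201808001 / ESXi670-201808001).
# Other ESXi versions are deliberately not covered here.
MITIGATION_BUILD: Dict[str, int] = {"6.5": 9298722, "6.7": 9484548}


@dataclass
class Host:
    name: str
    version: str                          # major.minor, e.g. "6.5"
    build: int                            # Build from `esxcli system version get`
    hyperthreading_active: bool           # effective HT state of the host
    ht_mitigation: Optional[bool] = None  # Configured value of hyperthreadingMitigation;
                                          # None when the setting does not exist on the host


def classify(host: Host) -> str:
    """Return 'unpatched', 'unmitigated', 'mitigated' or 'ht-disabled'."""
    minimum = MITIGATION_BUILD.get(host.version)
    if minimum is None:
        raise ValueError(f"{host.name}: no threshold known for ESXi {host.version}")
    # Older build: the setting is absent, so no alarm fires, but the host is
    # still exposed to the L1TF vulnerability described in VMSA-2018-0020.
    if host.build < minimum or host.ht_mitigation is None:
        return "unpatched"
    # With HT off there is no sibling thread to leak L1D contents to, so the
    # scheduler-based mitigation is moot and the alarm does not apply.
    if not host.hyperthreading_active:
        return "ht-disabled"
    if host.ht_mitigation:
        return "mitigated"
    # Patched build, HT on, setting left at its default FALSE: this is the
    # exact state that raises ESX.Problem.Hyperthreading.Unmitigated.
    return "unmitigated"


def triage(hosts: List[Host]) -> Dict[str, str]:
    """Map every host name to its classification."""
    return {h.name: classify(h) for h in hosts}


def remediation_commands(host: Host) -> List[str]:
    """Commands an admin would run (on the host's ESXi shell) to close the gap."""
    state = classify(host)
    if state == "unpatched":
        return [f"# {host.name}: patch to build >= {MITIGATION_BUILD[host.version]} first"]
    if state == "unmitigated":
        return [
            "esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE",
            "# reboot the host; the scheduler change only takes effect at boot",
        ]
    return []  # mitigated or HT disabled: nothing to do


# Constructed inventory mirroring the thread: three hosts on an older 6.5
# build without the setting, three on the patched build in different states.
SAMPLE_HOSTS: List[Host] = [
    Host("esx01", "6.5", 8294253, True, None),
    Host("esx02", "6.5", 8294253, True, None),
    Host("esx03", "6.5", 8294253, True, None),
    Host("esx04", "6.5", 9298722, True, False),   # the alarm case
    Host("esx05", "6.5", 9298722, True, True),
    Host("esx06", "6.7", 9484548, False, False),  # HT switched off instead
]

if __name__ == "__main__":
    for name, state in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {state}")
    for h in SAMPLE_HOSTS:
        for cmd in remediation_commands(h):
            print(f"  {h.name}: {cmd}")
```

The point of keeping "unpatched" separate from "unmitigated" is the trap the original poster walked into: the three hosts that raise no alarm are the ones in the worst state, because they have neither the fix nor the setting. Treat a quiet host with a pre-August-2018 build as a finding, not as clean.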

3 Replies
derrellb
Contributor

Yes, that was the exact issue. I realized that a couple of hours ago. The newer build has the security fix added to the advanced settings. It defaults to "False" and you decide whether you want to make it "True" or not.

The other 3 are the version prior, which doesn't have this vulnerability patched.

Cheers!

jeff_prince
Contributor

If you want to just suppress the warning and accept the risk of leaving hyperthreading enabled, you can follow these instructions.

https://notesfrommwhite.net/2018/09/30/hide-esx-problem-hyperthreading-unmitigated-message/
