VMware Cloud Community
VivekMi (Contributor)

CVE-2018-3646

Hi friends,

How do I fix this issue? I applied the VMware patches (6.0.0, 9313334) and I have this warning message on the host.

rajen450m (Hot Shot)

Hi Vivek,

The CVE-2018-3646 patches are meant to remediate the 'L1 Terminal Fault - VMM' (L1TF - VMM) speculative-execution vulnerability in Intel processors for vSphere.

So the remediation is in three phases:

  • Update Phase: Apply vSphere Updates and Patches
  • Planning Phase: Assess Your Environment
  • Scheduler-Enablement Phase: Enable the ESXi Side-Channel-Aware Scheduler

So, you have installed the patches and completed the update phase; now you need to move on to the next phases.

Assess your environment, where you need to check the impact on VMs with more CPU cores than the logical processor count, and in the next phase enable the scheduler, where you will disable hyper-threading. Please add new hosts/capacity to the cluster before disabling hyper-threading to avoid resource management issues.

Or you can simply suppress the warning, in which case the host is still vulnerable and not completely remediated.

Follow the steps as per the KB: L1TF Related KB Article by VMware

Regards,

Raj M

Please mark helpful or correct if my answer resolved your issue. Visit www.hypervmwarecloud.com for my blog posts, step-by-step procedures etc.
Dave_the_Wave (Hot Shot)

When I upgraded all my hosts with VMware-ESXi-6.0.0-Update3-9313334-HPE-preGen9-600.9.8.5.4-Sep2018.iso, I got the "esx.problem.hyperthreading.unmitigated" warning.

I fixed it with UserVars.SuppressHyperthreadWarning = 1

Don't get so caught up on these vulnerabilities. Y2K didn't kill Chicken Little.

Brookshealth (Contributor)

That was exactly what I was looking for, thanks. Now I'll call VMware and make them set this on all of my hosts. What a colossal waste of time...

A13xxx (Enthusiast)

The patch is only part of it. If you want to avoid this warning you can suppress it, but to ensure you are protected you will need to disable hyper-threading. If you do not disable hyper-threading and just suppress the warning, your DC will not pass the green health check because the vulnerability still exists.

cheeweng (Contributor)

Hi,

Do we still need to turn on the mitigation if the hardware BIOS was patched?

vGuy (Expert)

Yes.

Axis32 (Contributor)

CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If microcode, BIOS, OS, and virtualization software have been updated on both hosts and guests, it is not necessary to disable hyper-threading.

PH4N70M (Contributor)

I was facing the same warning until I found the solution in David Pasek's Profession Blog: ESXi : This host is potentially vulnerable to issues described in CVE...

Select an ESXi host in the inventory.

  1. Click the Manage tab.
  2. Under the System heading, click Advanced System Settings.
  3. Search for VMkernel.Boot.hyperthreadingMitigation and set the value to 1.

Then it solved the problem.

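A way to tell the two outcomes in this thread apart on a host: A13xxx's point that suppressing the warning (UserVars.SuppressHyperthreadWarning) is not the same as mitigating, and the setting PH4N70M enables (VMkernel.Boot.hyperthreadingMitigation). This is an added example, not code from the thread or from VMware; it parses the layout printed by `esxcli system settings advanced list -o <path>` and uses a constructed sample in place of a live host.

```shell
#!/bin/sh
# Classify an ESXi host's CVE-2018-3646 posture from the two advanced settings
# named in this thread. Input is the text printed by
#   esxcli system settings advanced list -o /VMkernel/Boot/hyperthreadingMitigation
#   esxcli system settings advanced list -o /UserVars/SuppressHyperthreadWarning
# A constructed sample of that output is embedded so the script runs offline.

# Print the "Int Value:" field of one esxcli advanced-setting listing (stdin).
int_value() {
    awk -F': *' '/^ *Int Value:/ { print $2; exit }'
}

# Map (mitigation flag, suppress flag) to a one-word posture.
posture() {
    mit="$1"; sup="$2"
    if [ "$mit" = "1" ]; then
        echo mitigated          # side-channel-aware scheduler enabled
    elif [ "$sup" = "1" ]; then
        echo suppressed-only    # warning hidden, host still vulnerable
    else
        echo unmitigated        # warning still shows, nothing done yet
    fi
}

# Classify from the two listings passed as strings.
classify() {
    m=$(printf '%s\n' "$1" | int_value)
    s=$(printf '%s\n' "$2" | int_value)
    posture "${m:-0}" "${s:-0}"
}

# Constructed sample listings in the layout esxcli prints (values are made up).
SAMPLE_MIT='   Path: /VMkernel/Boot/hyperthreadingMitigation
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 1'
SAMPLE_SUP='   Path: /UserVars/SuppressHyperthreadWarning
   Type: integer
   Int Value: 1
   Default Int Value: 0
   Min Value: 0
   Max Value: 1'

# On a live host replace the samples with the real esxcli output, e.g.
#   MIT=$(esxcli system settings advanced list -o /VMkernel/Boot/hyperthreadingMitigation)
classify "$SAMPLE_MIT" "$SAMPLE_SUP"    # prints: suppressed-only
```

A host reporting suppressed-only is exactly the case A13xxx describes: the warning is gone, but the vulnerability remains until the scheduler is enabled or hyper-threading is disabled.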
Omidaskari (Contributor)

Critical Vulnerability: How to patch & secure CVE-2018-3646 on ESXi?

https://www.youtube.com/watch?v=oHq3hEkt8x0
