Hi friends,
How do I fix this issue? I applied VMware patches (6.0.0, 9313334) and I have this warning message on the host.
Hi Vivek,
CVE-2018-3636, patches are meant to remediate ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere.
So the remediation is in three phases:
So, you have installed and completed the update phase, so now you need to move to next phases.
Assess your environment, "where you need to check the impact of VMs with high CPU cores more than the logical process count", and in the next phase you enable the scheduler, "where you will disable hyper-threading". Please add new hosts/capacity to the cluster before disabling hyper-threading to avoid resource management issues.
Or you can simply suppress the warning, where the host is still vulnerable and not completely remediated.
Follow the steps as per the KB: L1TF Related KB Article by VMware
Regards,
When I upgraded all my hosts with VMware-ESXi-6.0.0-Update3-9313334-HPE-preGen9-600.9.8.5.4-Sep2018.iso, I got the "esx.problem.hyperthreading.unmitigated" warning.
I fixed it with UserVars.SuppressHyperthreadWarning = 1
Don't get so caught up on these vulnerabilities. Y2K didn't kill Chicken Little.
That was exactly what I was looking for, thanks. Now I'll call VMware and make them set this on all of my hosts. What a colossal waste of time....
The patch is only part of it. If you want to avoid this warning, either suppress it, but to ensure you are protected you will need to disable hyper-threading. If you do not disable hyper-threading and just suppress the warning, your DC will not pass the green health check because the vulnerability still exists.
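The distinction drawn in the replies above, between a host where only the warning is suppressed and one where the scheduler mitigation is actually enabled, can be audited across a cluster. The following is an added example, not part of any post in this thread: a PowerCLI sketch that assumes an existing `Connect-VIServer` session and uses the `VMkernel.Boot.hyperthreadingMitigation` boot option from VMware's L1TF KB, which the thread itself does not name; the function name `Get-L1tfHostStatus` is hypothetical.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer session.
function Get-L1tfHostStatus {
    param([Parameter(Mandatory)] $VMHost)

    # Scheduler mitigation boot option (name taken from VMware's L1TF KB, not from the thread).
    $mit = Get-AdvancedSetting -Entity $VMHost -Name 'VMkernel.Boot.hyperthreadingMitigation'
    # Warning suppression setting quoted in the thread.
    $sup = Get-AdvancedSetting -Entity $VMHost -Name 'UserVars.SuppressHyperthreadWarning'

    # A setting that is absent (unpatched build) is treated as not enabled.
    $mitigationOn = [bool]($mit -and $mit.Value)
    $suppressed   = [bool]($sup -and ($sup.Value -eq 1))

    $cpu = $VMHost.ExtensionData.Hardware.CpuInfo
    # Assessment phase: with the mitigation on, one thread per core is scheduled,
    # so VMs with more vCPUs than physical cores must be resized or moved first.
    $wideVMs = @(Get-VM -Location $VMHost | Where-Object { $_.NumCpu -gt $cpu.NumCpuCores })

    $state = if ($mitigationOn) { 'MitigationEnabled' } elseif ($suppressed) { 'WarningSuppressedOnly' } else { 'Unmitigated' }

    [pscustomobject]@{
        Host          = $VMHost.Name
        Build         = $VMHost.Build
        State         = $state
        HTActive      = $VMHost.HyperthreadingActive
        Cores         = $cpu.NumCpuCores
        Threads       = $cpu.NumCpuThreads
        VMsOverCores  = ($wideVMs | ForEach-Object { $_.Name }) -join ', '
    }
}

# Report every host; 'WarningSuppressedOnly' rows are hosts that look clean in the UI
# but have not had the scheduler mitigation turned on.
Get-VMHost |
    ForEach-Object { Get-L1tfHostStatus -VMHost $_ } |
    Sort-Object State, Host |
    Format-Table -AutoSize
```

The boot option only takes effect after the host is rebooted, so a host reported as `MitigationEnabled` still needs a reboot if the value was changed since it last started.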
Hi,
Do we still need to turn on mitigation if hardware bios was patched?
Yes.
CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If microcode, BIOS, OS, and virtualization software have been updated on both hosts and guests, it is not necessary to disable hyper-threading.
I was facing the same warning, till I found the solution in David Pasek's Profession Blog: ESXi : This host is potentially vulnerable to issues described in CVE...
Select an ESXi host in the inventory.
Then it solved the problem.
Critical Vulnerability: How to patch & secure CVE-2018-3646 on ESXi?