The CVE-2018-3636 patches are meant to remediate the ‘L1 Terminal Fault - VMM’ (L1TF - VMM) speculative-execution vulnerability in Intel processors for vSphere.
So the remediation is in three phases:
- Update Phase: Apply vSphere Updates and Patches
- Planning Phase: Assess Your Environment
- Scheduler-Enablement Phase: Enable the ESXi Side-Channel-Aware Scheduler
So, you have installed and completed the update phase, so now you need to move on to the next phases.
Assess your environment "where you need to check the impact on VMs with more CPU cores than the logical processor count", and in the next phase you enable the scheduler "where you will disable hyper-threading". Please add new hosts/capacity to the cluster before disabling hyper-threading to avoid resource management issues.
Or you can simply suppress the warning, in which case the host is still vulnerable and not completely remediated.
Follow the steps as per the KB: L1TF Related KB Article by VMware
That was exactly what I was looking for, thanks. Now I'll call VMware and make them set this on all of my hosts. What a colossal waste of time....
The patch is only part of it. If you want to avoid this warning you can suppress it, but to ensure you are protected you will need to disable hyper-threading. If you do not disable hyper-threading and just suppress the warning, your DC will not pass the green health check because the vulnerability still exists.
Do we still need to turn on the mitigation if the hardware BIOS was patched?
CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If the microcode, BIOS, OS, and virtualization software have been updated on both hosts and guests, it is not necessary to disable hyper-threading.
I was facing the same warning, till I found the solution in David Pasek's Profession Blog: ESXi : This host is potentially vulnerable to issues described in CVE-2018-3646
- Select an ESXi host in the inventory.
- Click the Manage tab.
- Under the System heading, click Advanced System Settings.
- Search for VMkernel.Boot.hyperthreadingMitigation and set its value to 1.
Then it solved the problem.
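The planning step earlier in the thread (find VMs with more vCPUs than the host will have schedulable after the scheduler is enabled) and the per-host setting in the last post can both be done from PowerCLI instead of clicking through each host. The script below is an added example written for this thread; it is not from the thread, from VMware, or from the blog post linked above. It assumes an existing Connect-VIServer session, PowerCLI's Get-AdvancedSetting / Set-AdvancedSetting cmdlets, and a placeholder cluster name 'Prod-Cluster'. It reads the same VMkernel.Boot.hyperthreadingMitigation setting the thread names (passed as $true, which is what the "1" in the vSphere client represents; that mapping is an assumption) and also reports UserVars.SuppressHyperthreadWarning so that a host that merely had its warning suppressed is not mistaken for a remediated one.

```powershell
# Added example for this thread (not VMware's or the thread's own code).
# Audits L1TF-VMM remediation state per ESXi host and lists VMs that would
# be too wide for the host once the Side-Channel-Aware Scheduler is enabled.
# Assumes Connect-VIServer has already been run. 'Prod-Cluster' is a placeholder.
param(
    [string]$ClusterName = 'Prod-Cluster',   # placeholder: replace with your cluster
    [switch]$Remediate                        # opt in to setting the scheduler flag
)

$vmhosts = Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name

foreach ($vmhost in $vmhosts) {
    # The scheduler flag from the thread (VMkernel.Boot.* settings need a host reboot to apply).
    $mit  = Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.hyperthreadingMitigation'
    # This one only hides the warning; a host with it set is NOT remediated.
    $supp = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressHyperthreadWarning'

    # Values may come back as booleans or as the strings "TRUE"/"1", so normalise via regex.
    $mitEnabled  = "$($mit.Value)"  -match '^(1|true)$'
    $suppressed  = "$($supp.Value)" -match '^(1|true)$'

    $cpu           = $vmhost.ExtensionData.Hardware.CpuInfo
    $physicalCores = [int]$cpu.NumCpuCores
    $logicalCpus   = [int]$cpu.NumCpuThreads
    $htActive      = $vmhost.ExtensionData.Config.HyperThread.Active

    # Planning phase: with the scheduler enabled, guests get one thread per core,
    # so a VM with more vCPUs than physical cores on this host cannot be powered on here.
    $tooWide = Get-VM -Location $vmhost |
               Where-Object { $_.NumCpu -gt $physicalCores } |
               Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Host                 = $vmhost.Name
        PhysicalCores        = $physicalCores
        LogicalCpus          = $logicalCpus
        HyperThreadingActive = $htActive
        MitigationEnabled    = $mitEnabled
        WarningSuppressed    = $suppressed
        RemediationState     = if ($mitEnabled) { 'remediated (reboot if not yet applied)' }
                               elseif ($suppressed) { 'warning hidden, still vulnerable' }
                               else { 'not remediated' }
        VMsTooWideForHost    = ($tooWide -join ', ')
    }

    # Scheduler-enablement phase, only when explicitly requested and still off.
    # Add capacity first, as the thread advises: schedulable CPUs drop from
    # $logicalCpus to $physicalCores after the reboot that applies this flag.
    if ($Remediate -and -not $mitEnabled) {
        Set-AdvancedSetting -AdvancedSetting $mit -Value $true -Confirm:$false | Out-Null
        Write-Host "$($vmhost.Name): hyperthreadingMitigation set; reboot the host to apply."
    }
}
```

Run it without -Remediate first and review the VMsTooWideForHost column and the per-host state; a host showing "warning hidden, still vulnerable" is the case the earlier answer warns about, where the health check will not go green. Re-run with -Remediate once capacity has been added, then reboot each host in turn.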