VMware Cloud Community
0wrath0
Contributor

CVE-2018-3646 in ESXi 6.7.0 Update 3 (Build 15160138)

Hey there :)

I'm setting up my first private ESXi for testing purposes..

I have installed ESXi 6.7.0U3 (Build 15160138) with a custom ISO (Realtek driver)..

I'm now getting this message:

[Screenshot: pastedImage_2.png]

and I am honestly not sure what I have to do now.. I've read through the article but I have no clue how to update or if I even have to? (6.7.0U3 is pretty new compared to the CVE.. isn't this fix already integrated in this version?)

Would be happy about some help :D

6 Replies
a_p_
Leadership

Welcome to the Community,

the mentioned KB article (and the links in it) explain the possible risks and impacts, so make sure you are aware of this.

However, for private use you may simply disable the warning (see the Resolution section in https://kb.vmware.com/s/article/57374).

André

0wrath0
Contributor

Hey André!

Ty for this article.. I will be hosting some applications that will be available for a few friends that know my domain.. So I would definitely give this patch a shot.

I have read this article and the others (the one mentioned in the info message) but I still don't know how to install them :|

Is there a way of doing it with a command? If so, what would the command be to install this/these patches?

Best Regards,

Lukas

a_p_
Leadership

It's an advanced setting rather than a patch, and you can find the instructions in section 3b at https://kb.vmware.com/s/article/55806

André

SMcT
Enthusiast

a.p. has already directed you to the right place. As you are doing this in your own lab, you can either enable one of the mitigations (SCAv1 or SCAv2) or suppress the warning. Worth enabling one of the mitigations if you haven't done so before, after all, that is the purpose of a lab :)

This is the summary from the article showing the mitigation options.

| hyperthreadingMitigation | hyperthreadingMitigationIntraVM | Scheduler Enabled |
|---|---|---|
| FALSE | TRUE or FALSE | Default scheduler (unmitigated) |
| TRUE | TRUE | SCAv1 (Most Secure) |
| TRUE | FALSE | SCAv2 (Balanced Security/Performance) |

Blog: stephanmctighe.com Twitter: @vStephanMcTighe
0wrath0
Contributor

Okay.. so I don't have to download ESXi670-201808001 but only do this?

[Screenshot: pastedImage_1.png]

a_p_
Leadership

> Okay.. so I don't have to download ESXi670-201808001 but only do this?

You've already installed the latest build, which includes all previous fixes. So all you need to do is to make the settings.


André

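Added example, not part of the original thread and not VMware's code: a small shell helper that applies the table from SMcT's reply to the two settings and prints the `esxcli` kernel-setting commands for the chosen scheduler, answering the "is there a command" question above. The function names are hypothetical and the sample values are constructed. It assumes the two option names shown in the table and that kernel boot options only take effect after a host reboot.

```shell
#!/bin/sh
# Added example: nothing here calls esxcli. The functions only classify
# values and print commands so they can be reviewed before being run
# in the ESXi shell.

# scheduler_for <hyperthreadingMitigation> <hyperthreadingMitigationIntraVM>
# Maps the two boot options to a scheduler, following the table in the thread.
scheduler_for() {
    case "$(printf '%s:%s' "$1" "$2" | tr '[:lower:]' '[:upper:]')" in
        FALSE:TRUE|FALSE:FALSE) echo "default (unmitigated)" ;;
        TRUE:TRUE)              echo "SCAv1" ;;
        TRUE:FALSE)             echo "SCAv2" ;;
        *)                      echo "invalid"; return 1 ;;
    esac
}

# status_for <cfg_hm> <cfg_intra> <run_hm> <run_intra>
# Configured values apply at the next boot; runtime values are what the host
# uses right now. A mismatch means the reboot is still pending.
status_for() {
    cfg=$(scheduler_for "$1" "$2") || { echo "invalid configured values"; return 1; }
    run=$(scheduler_for "$3" "$4") || { echo "invalid runtime values"; return 1; }
    if [ "$cfg" = "$run" ]; then
        echo "$run active"
    else
        echo "$run active, $cfg after reboot"
    fi
}

# plan_for <SCAv1|SCAv2>: print the commands that select that scheduler.
plan_for() {
    case "$1" in
        SCAv1) intra=TRUE ;;
        SCAv2) intra=FALSE ;;
        *)     echo "usage: plan_for SCAv1|SCAv2" >&2; return 1 ;;
    esac
    echo "esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE"
    echo "esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v $intra"
    # Read-back commands: compare the Configured and Runtime columns.
    echo "esxcli system settings kernel list -o hyperthreadingMitigation"
    echo "esxcli system settings kernel list -o hyperthreadingMitigationIntraVM"
}

# Constructed sample: SCAv2 has been configured but the host was not rebooted yet.
status_for TRUE FALSE FALSE FALSE
plan_for SCAv2
```

Feed `status_for` the Configured and Runtime values reported by the two `list` commands to see whether the mitigation is already active or still waiting for a reboot.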