As far as I can understand you also need to patch the Guest OS :

VMSA-2018-0004

VMware Requirements

• Deploy the updated version of vCenter Server listed in the table (if vCenter Server is used).
• Deploy the ESXi patches and/or the new versions for Workstation or Fusion listed in the table.
• Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions.

Third party Requirements

• Deploy the Guest OS patches for CVE-2017-5715. These patches are to be obtained from your OS vendor.
• Update the CPU microcode. Additional microcode is needed for your CPU to be able to expose the new MSRs that are used by the patched Guest OS. This microcode should be available from your hardware platform vendor.
  VMware is providing several versions of the required microcode from INTEL and AMD through ESXi patches listed in the table. See VMware Knowledge Base 52085 for more details.

"Hypervisor-Specific Mitigation

Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM. VMware’s hypervisor products are affected by the known examples of variant 1 and variant 2 vulnerabilities and do require the associated mitigations. Known examples of variant 3 do not affect VMware hypervisor products.

VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. No significant performance degradation is expected for VMware’s hypervisor-specific mitigations."

- VMware Knowledge Base - VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)

but as wila said, you may want to read the full articles.

- Benedikt

And what about VM version of appliances such VCSA, PSC etc? My VCSA 6.0 U3d is VM version 8. It needs upgrade too? VMware requires - Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended....

Hi,

Yes that sounds very likely, but it is a good question.

I've asked lamw​ on twitter what his thoughts on this are.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Hi,

William answered as follows:

"Investigation of VAs are still underway, once complete analysis has been provided & along w/resolution, my understanding is vHW guidance will be provided. I’d hold off unless KB explicitly instructs you to update vHW"

William Lam on Twitter: "@wilva Investigation of VAs are still underway, once complete analysis has ...

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

amitpatel001 On HP servers you need to update using the HP ESXi ISO (to update HP-specific drivers as well) and then apply the vmware patch.

If you didn't use custom iso to install ESXi and don't have non-standard drivers to update, you only need to apply the vmware patch.

To apply the patch you need

1) go to https://esxi-patches.v-front.de/ and read the instructions on how to turn on ssh and login

2) choose your ESXi version at the top

3) click the imageprofile link of the latest patch there - a small popup window will open

4) paste the commands from there into the ssh

5) Reboot the server

6) If ESXi crashes use Ctrl-R during boot to rollback

You only need the latest patch, they are cumulative

Hi ITaaP,

Please see my answer to Masch73, it is currently not recommended to change the virtual hardware on any of VMware's appliances.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Hi ITaaP,

Most likely yes. Replacing the hardware is the only way forward in that case.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

No, not if you already patched your ESXi and VC.

Hi AtosMatt,

By what means do you mean "can it still access data" ?

If you mean via normal guest OS network sharing then I do not see why it would not be able to do so.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Would appear that HP BL460c Gen 7 servers do not have a BIOS update but apparently are not vulnerable according to HP.

Matrix  - HPE | Side Channel Analysis Method

Patched ESX 6 with Windows 2012 R2, Hotfix and registry keys enabled. Seems to hint I need a BIOS update but HP say I dont need one.

I mean can a non-patched Virtual Machine still potentially read the kernel memory of other Virtual Machines that have received the January Meltdown/Spectre patches?

AtosMatt​ as I told you: If you patch your VC and all ESXi you should be save, according to the known info.

Patching the OS is needed for mitigation inside the VM process to process.

We found that you could have everything patched and still not be all green with SpeculationControl.

Per this KB, the order of patching/microcode is important, as we seem to have encountered.

https://kb.vmware.com/s/article/52085

We patched hosts, then VC.  Still had absence of hardware support = true.

Reboot of the hosts (all in the cluster, as stated), and after a VM reboot, SpeculationControl was all green.