adxxx
Contributor
Contributor

Is there a patch for CVE 2018-3646 yet?

So from what I can tell, there's really not much solid information available out there for this, and I am pretty confused. I'd love if anyone could give me a solid suggestion as to what I can do to mitigate this vulnerability, because otherwise I'll have to sell off this server. Thanks!

0 Kudos
1 Reply
jburen
Expert
Expert

Did you search for this CVE? Because VMware has a pretty extensive article about this: https://kb.vmware.com/s/article/55806.

Mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches. This mitigation is enabled by default and does not impose a significant performance impact.
Mitigation of the Concurrent-context attack vector requires the enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default.

The mitigation process for CVE-2018-3646 is divided into three phases:

  1. Update Phase: Apply vSphere Updates and Patches
  2. Planning Phase: Assess Your Environment
  3. Scheduler-Enablement Phase

Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client (only for ESXi 6.7u2 (13006603) and later)

  1. Connect to the vCenter Server using either the vSphere Web or vSphere Client.
  2. Select an ESXi host in the inventory.
  3. Click the Configure tab.
  4. Under the System heading, click Advanced System Settings.
  5. Click Edit
  6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation
  7. Select the setting by name
  8. Change the configuration option to true (default: false).
  9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM
  10. Change the configuration option to false (default: true).
  11. Click OK.
  12. Reboot the ESXi host for the configuration change to go into effect.

 

Consider giving Kudos if you think my response helped you in any way.