VMware Cloud Community
matthewmagbee
Contributor

spectre and meltdown patch verification...

Just as a verification question ... I need to patch ESXi AND the guest OSes, correct? I am seeing all this nonsense about the ESXi patch keeping the guests protected. I don't see that working; I just want to make sure that claim is false. I mean, that would be great if I could just patch my hosts instead of the thousands of systems, but -- you know.

12 Replies
daphnissov
Immortal

There has not been official word about this. Monitor this VMSA for more information: VMSA-2018-0002 - VMware Security & Compliance Blog - VMware Blogs

matthewmagbee
Contributor

Cheers, good to know.

Mike_Gelhar
Enthusiast

Like daphnissov said, watch Security Advisory VMSA-2018-0002 for updates but I'd plan to patch both ESXi and any guest OS as well. While you're at it, might as well check with your hardware vendor for updates relating to INTEL-SA-00086 (link below) and close those holes too.

Intel® Product Security Center

Mike_Gelhar
Enthusiast

I received this comment from a source within VMware:

"Guest OS patching is still required as the ESXi patches in VMSA-2018-0002 do not remediate the issues in the guest OS. The patches in VMSA-2018-0002 remediate the known variants of VM to VM exploitation."

Wahnsinicka
Contributor

We patched our hardware (HP, latest BIOS 2.54),

patched our ESX (6.5 -> 201712101 and 6.0 -> 201711101),

patched our VM OS (MS ADV180002; VM hardware version 11).

When running the "Speculation Control Validation PowerShell Script" on the VM, it tells us we need to update BIOS/firmware!?

Anyone ever patched this successfully? Is there something missing in the BIOS settings of the VMs?


Nocriton
Contributor

Same problem on our side.

We patched hardware (Lenovo) and ESXi to the most current version.

The regkeys from MS are also in place, and we get the same output.

kleinfinance
Contributor

https://www.vmware.com/security/advisories/VMSA-2018-0004.html

This was just released today. I ran the patch it said for me: https://kb.vmware.com/s/article/52206

and now I get all green check marks from the Windows SpeculationControl verification script.
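The two outcomes described in this thread (the script asking for a BIOS/firmware update before the VMSA-2018-0004 host patch, all green afterwards) come down to which layer the guest can see. The following is an added example, not code from the thread or from VMware; it assumes the SpeculationControl module from the PowerShell Gallery (the "Speculation Control Validation" script) is installed in the Windows guest and reports the BTI*/KVAShadow* properties that module returns.

```powershell
# Added example: run inside a Windows guest after host, guest and firmware
# patching to see which layer is still missing for each variant.
# Assumes: Install-Module SpeculationControl -Scope CurrentUser
Import-Module SpeculationControl

$s = Get-SpeculationControlSettings

# On Windows Server the ADV180002 mitigations stay disabled until these two
# values are set (FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3);
# these are the "regkeys from MS" mentioned in the thread.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$override = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue

if (-not $s.BTIWindowsSupportPresent) {
    Write-Output 'Guest OS: the ADV180002 update is not installed in this VM.'
}
elseif (-not $s.BTIHardwarePresent) {
    # The guest cannot see the new branch-control CPU features. In a VM this is
    # the "update BIOS/firmware" message: the host needs the vendor firmware
    # (microcode) plus the VMSA-2018-0004 ESXi patch, and the VM needs a full
    # power cycle (not a guest reboot) to pick up the new CPUID bits.
    Write-Output 'Hypervisor/firmware: new CPU features are not exposed to this VM.'
}
elseif (-not $s.BTIWindowsSupportEnabled) {
    Write-Output ('Guest OS: support present but disabled. FeatureSettingsOverride=' +
                  "$($override.FeatureSettingsOverride) " +
                  "FeatureSettingsOverrideMask=$($override.FeatureSettingsOverrideMask)")
}
else {
    Write-Output 'Variant 2 (CVE-2017-5715): hardware, OS support and enablement all present.'
}

# Variant 3 (Meltdown) is handled by the guest OS (KVA shadowing) and does not
# depend on the hypervisor patch, which matches "not applicable for ESXi".
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
    Write-Output 'Variant 3 (CVE-2017-5754): KVA shadowing required but not enabled.'
}
```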

Wahnsinicka
Contributor

Same here! All green.

Nash3r
Contributor

To help other people:

VMSA-2018-0002.1

- VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

VMSA-2018-0004.1

- VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.


These patches would need to be applied to your host(s).

Link to patches:

https://my.vmware.com/group/vmware/patch

In the first drop-down box select

- ESXi (Embedded and Installable)

then select your version.

maxel
Enthusiast

A very good summary of what to do and what it depends on is in this KB:

VMware Knowledge Base

SureshKumarMuth
Commander

From my understanding, based on the available articles it is still not clear if the fix for CVE-2017-5753 is released or not. Can anyone clarify on that...

  • Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
  • Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
  • Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

• Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre

  -- Fix provided at hypervisor and microcode level -- reference article https://www.vmware.com/security/advisories/VMSA-2018-0004.html
  -- Release notes of the respective fix contain the information about CVE-2017-5715

• Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre

  -- The VMware article (https://kb.vmware.com/s/article/52127) mentions only version 5.5 with respect to this CVE, not 6.0 or later; also, I don't see this CVE in any of the release notes of the recent patches released for these CPU vulnerabilities

• Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

  -- Not applicable for ESXi

Regards,
Suresh
https://vconnectit.wordpress.com/
Petter_Lindgren
Contributor

Sigh...

VMware is pulling the patches:

https://kb.vmware.com/s/article/52345

We've already deployed them. Thankfully, our servers don't have the affected CPUs (Broadwell and Haswell).
