Just as a verification question ... I need to Patch esxi AND the guest OS's correct? I am seeing all this nonsense about the esxi patch keeping the guests protected. I don't see that working- I just want to make sure that claim is false. I mean- that would be great if I could just patch my hosts instead of the thousands of systems. but -- you know.
There has not been official word about this. Monitor this VMSA for more information: VMSA-2018-0002 - VMware Security & Compliance Blog - VMware Blogs
Cheers- Good to know.
Like daphnissov said, watch Security Advisory VMSA-2018-0002 for updates but I'd plan to patch both ESXi and any guest OS as well. While you're at it, might as well check with your hardware vendor for updates relating to INTEL-SA-00086 (link below) and close those holes too.
I received this comment from a source within VMware,
"Guest OS patching is still required as the ESXi patches in VMSA-2018-0002 do not remediate the issues in the guest OS. The patches in VMSA-2018-0002 remediate the known variants of VM to VM exploitation."
We patched our Hardware (HP latest Bios 2.54)
patched our ESX (6.5 -> 201712101 and 6.0 -> 201711101)
patched our VMs OS (MS ADV180002; VM-HW Version 11)
when running "Speculation Control Validation PowerShell Script" on the VM it tells we need to update Bios/Firmware!?
Anyone ever patched this sucsessfully? Is there someting missing in the bios settings from the VMs?
Same problem on our side.
We patched Hardware (Lenovo) and ESXi to most current version.
The Regkey from MS are also in place and we get the same output.
https://www.vmware.com/security/advisories/VMSA-2018-0004.html
This Was just released today, I ran the patch it said for me https://kb.vmware.com/s/article/52206
and now I get all green check marks from the Windows SpeculativeControl Verification script.
Same here! all green.
To Help other people
- VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
- VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.
These patches would need to be applied to your host(s)
link to patches
https://my.vmware.com/group/vmware/patch
if the first drop down box select
- ESXi (Embedded and Installable)
then select your version
a very good summary of what is to do and how it depends is here in this KB
from my understanding , based on the available articles it is still not clear if the fix for (CVE-2017-5753) is released or not. Can anyone clarify on that...
•Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
-- Fix provided at hypervisor and Microcode level -- reference article https://www.vmware.com/security/advisories/VMSA-2018-0004.html
-- Release notes of the respective fix contains the information about CVE-2017-5715
*Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
--- vmware article (https://kb.vmware.com/s/article/52127) mention only about the version 5.5 with respective to this CVE not about 6.0 or later,also I don't see this CVE in any of the release notes of the recent patches released for this CPU vulnerabilities
•Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
--- Not applicable for ESXi
Sigh...
VMware is pulling the patches:
https://kb.vmware.com/s/article/52345
We've already deployed them. Thankfully, our servers don't have the affected CPU's (Broadwell and Haswell).