Contributor

spectre and meltdown patch verification...

Just as a verification question ... I need to patch ESXi AND the guest OSes, correct? I am seeing all this nonsense about the ESXi patch keeping the guests protected. I don't see that working; I just want to make sure that claim is false. I mean, that would be great if I could just patch my hosts instead of the thousands of systems. But -- you know.

12 Replies

Immortal

There has not been official word about this. Monitor this VMSA for more information: VMSA-2018-0002 - VMware Security & Compliance Blog - VMware Blogs

Contributor

Cheers. Good to know.

Enthusiast

Like daphnissov said, watch Security Advisory VMSA-2018-0002 for updates but I'd plan to patch both ESXi and any guest OS as well. While you're at it, might as well check with your hardware vendor for updates relating to INTEL-SA-00086 (link below) and close those holes too.

Intel® Product Security Center

Enthusiast

I received this comment from a source within VMware:

"Guest OS patching is still required as the ESXi patches in VMSA-2018-0002 do not remediate the issues in the guest OS. The patches in VMSA-2018-0002 remediate the known variants of VM to VM exploitation."

Contributor

We patched our hardware (HP, latest BIOS 2.54),

patched our ESX (6.5 -> 201712101 and 6.0 -> 201711101),

patched our VM OS (MS ADV180002; VM hardware version 11).

When running the "Speculation Control Validation PowerShell Script" on the VM, it tells us we need to update the BIOS/firmware!?

Has anyone ever patched this successfully? Is there something missing in the BIOS settings of the VMs?

Contributor

Same problem on our side.

We patched Hardware (Lenovo) and ESXi to most current version.

The registry keys from MS are also in place, and we get the same output.

Contributor

https://www.vmware.com/security/advisories/VMSA-2018-0004.html

This was just released today. I ran the patch it told me to: https://kb.vmware.com/s/article/52206

and now I get all green check marks from the Windows SpeculativeControl Verification script.

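The posts above describe the same three-way confusion from the guest's point of view: the Microsoft script reporting a BIOS/firmware update as needed even though host firmware and ESXi were patched, the MS registry values being in place, and the result turning green only after the VMSA-2018-0004 host patch. The script below is an added example for this thread, not VMware's or Microsoft's code. It wraps Microsoft's SpeculationControl module and maps each raw flag to one of three states: the hypervisor is not yet exposing the new CPU capabilities to the guest, the guest OS lacks the ADV180002 update, or the mitigation is present but switched off. Assumptions: a Windows guest, an elevated session, access to the PowerShell Gallery on first run, the property names of the SpeculationControl module's 1.0.x output (`BTI*` and `KVAShadow*`), and that "the Regkey from MS" refers to the ADV180002 `FeatureSettingsOverride` / `FeatureSettingsOverrideMask` values under Memory Management.

```powershell
# Added example for this thread (not VMware's or Microsoft's code).
# Assumptions: Windows guest, elevated PowerShell, SpeculationControl 1.0.x
# property names, ADV180002 registry values as the "MS regkeys".

#Requires -RunAsAdministrator

$MemoryManagementKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegistryValueOrNull {
    # Returns the named registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpeculationControlState {
    # Loads Microsoft's SpeculationControl module (installing it if needed)
    # and returns the raw settings object the validation script is built on.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl
    Get-SpeculationControlSettings
}

function Test-GuestMitigations {
    # Turns the raw flags into per-variant verdicts plus the next action.
    param($Settings, $Override, $Mask)

    $findings = New-Object System.Collections.Generic.List[string]

    # Variant 2 (CVE-2017-5715) needs three things at once: the hypervisor
    # must pass the new microcode capabilities (IBRS/IBPB) through to the
    # guest, the guest kernel must carry ADV180002, and the mitigation must be
    # enabled. The ESXi patch alone only provides the first of the three.
    if (-not $Settings.BTIHardwarePresent) {
        $findings.Add('Variant 2: hardware support not visible in the guest. Apply the VMSA-2018-0004 host patch (plus vendor microcode/BIOS), then power-cycle the VM; a guest reboot alone does not refresh the CPUID bits the VM sees.')
    }
    elseif (-not $Settings.BTIWindowsSupportPresent) {
        $findings.Add('Variant 2: Windows kernel support missing. Install the ADV180002 update in the guest.')
    }
    elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $findings.Add("Variant 2: support present but disabled (FeatureSettingsOverride=$Override, FeatureSettingsOverrideMask=$Mask). On Windows Server set Override=0 and Mask=3, then reboot.")
    }

    # Variant 3 (CVE-2017-5754) is fixed entirely inside the guest (kernel
    # virtual-address shadowing), which is why VMSA-2018-0002 says the ESXi
    # patches do not remediate the guest OS.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $findings.Add('Variant 3: kernel VA shadowing not present. Install the ADV180002 update in the guest.')
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $findings.Add('Variant 3: kernel VA shadowing present but disabled; check the same Override/Mask values, then reboot.')
        }
    }

    [pscustomobject]@{
        Variant2Mitigated = [bool]($Settings.BTIHardwarePresent -and
                                   $Settings.BTIWindowsSupportPresent -and
                                   $Settings.BTIWindowsSupportEnabled)
        Variant3Mitigated = [bool]((-not $Settings.KVAShadowRequired) -or
                                   $Settings.KVAShadowWindowsSupportEnabled)
        Findings          = $findings
    }
}

$settings = Get-SpeculationControlState
$override = Get-RegistryValueOrNull -Path $MemoryManagementKey -Name 'FeatureSettingsOverride'
$mask     = Get-RegistryValueOrNull -Path $MemoryManagementKey -Name 'FeatureSettingsOverrideMask'

Test-GuestMitigations -Settings $settings -Override $override -Mask $mask | Format-List
```

The first branch is the one this thread hit: `BTIHardwarePresent` stays false until the host runs the VMSA-2018-0004 build and the VM has been powered off and on, so patched firmware and a patched guest still show the "update BIOS/firmware" message. The module only reports on variants 2 and 3; variant 1 (CVE-2017-5753) is addressed by software changes in the OS and applications and is not something this check can surface.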
Contributor

Same here! All green.

Contributor

To help other people:

VMSA-2018-0002.1

- VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

VMSA-2018-0004.1

- VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.


These patches would need to be applied to your host(s).

Link to patches:

https://my.vmware.com/group/vmware/patch

In the first drop-down box select

- ESXi (Embedded and Installable)

then select your version.

Enthusiast

A very good summary of what to do, and what it depends on, is in this KB:

VMware Knowledge Base

Commander

From my understanding, based on the available articles, it is still not clear whether the fix for CVE-2017-5753 has been released or not. Can anyone clarify that?

  • Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
  • Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
  • Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

• Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre

  -- Fix provided at hypervisor and microcode level -- reference article https://www.vmware.com/security/advisories/VMSA-2018-0004.html
  -- Release notes of the respective fix contain the information about CVE-2017-5715

• Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre

  -- The VMware article (https://kb.vmware.com/s/article/52127) mentions only version 5.5 with respect to this CVE, not 6.0 or later; also, I don't see this CVE in any of the release notes of the recent patches released for these CPU vulnerabilities

• Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

  -- Not applicable for ESXi

Regards, Suresh https://vconnectit.wordpress.com/
Contributor

Sigh...

VMware is pulling the patches:

https://kb.vmware.com/s/article/52345

We've already deployed them. Thankfully, our servers don't have the affected CPUs (Broadwell and Haswell).
