VMware Performance Community
niceguy001
Enthusiast

security mitigation of CVE-2018-3646 on ESXi version 6.7U3

The user guide 3.1 describes how to mitigate CVE-2018-3646 on page 104, which is by setting the ESXi host parameter "VMkernel.Boot.hyperthreadingMitigation" to "true".

I'm wondering: if I use vSphere 6.7U3 with VMmark 3.1 and want to mitigate CVE-2018-3646 correctly, should I also set the ESXi host parameter "VMkernel.Boot.hyperthreadingMitigationIntraVM" to "false"?

These two parameters are described in VMware Knowledge Base, in which the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) must be enabled to deal with the "Concurrent-context attack vector".

The user guide 3.1 p.104 only mentions the configuration of "VMkernel.Boot.hyperthreadingMitigation". Does the configuration of "VMkernel.Boot.hyperthreadingMitigationIntraVM" impact the VMmark test's compliance?

thx

3 Replies
jamesz08
VMware Employee

SCAv1 and SCAv2 both mitigate CVE-2018-3646; however, SCAv2 does not mitigate Intra-VM Concurrent-context attack vector process information leakage.

The User's Guide was published before SCAv2 was available, thus it does not contain any information about this new feature. At this time we accept submissions which use either solution for mitigation.

I suggest reviewing the whitepaper we published for a detailed analysis of the performance impact of both schedulers: "Performance of vSphere 6.7 Scheduling Options".

niceguy001
Enthusiast

jamesz08, thanks for the professional answer and data!

So I think configuring the parameter "VMkernel.Boot.hyperthreadingMitigationIntraVM" to false is still required to enable SCAv2.

By the way, does setting this parameter involve editing the "Security Mitigations Section of Disclosure Report" (for publication)?

Thanks in advance!

jamesz08
VMware Employee (accepted solution)

Correct, to use SCAv2 you would set the following

HyperthreadingMitigation = TRUE

HyperthreadingMitigationIntraVM = FALSE

The Security Mitigations table in the disclosure report only needs to indicate the vulnerability is mitigated; it does not require an indication of how it was mitigated.
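
To confirm which scheduler a host is running after changing the two settings named in the answer above, this added example (not part of the thread or of VMware's documentation) classifies rows shaped like `esxcli system settings kernel list` output. The SCAv1 (TRUE/TRUE) and unmitigated (hyperthreadingMitigation FALSE) mappings, the column layout and the function names are assumptions; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: classify the ESXi scheduler from the two kernel boot settings.
# Assumed input columns: Name Type Configured Runtime Default Description.

# sched_mode COL: COL=3 reads Configured (next boot), COL=4 reads Runtime (now).
sched_mode() {
    awk -v col="$1" '
        $1 == "hyperthreadingMitigation"        { ht = toupper($col) }
        $1 == "hyperthreadingMitigationIntraVM" { intra = toupper($col) }
        END {
            if (ht == "" || intra == "") { print "unknown"; exit }
            if (ht != "TRUE")         { print "default-unmitigated" }
            else if (intra == "TRUE") { print "SCAv1" }
            else                      { print "SCAv2" }  # TRUE / FALSE pair
        }'
}

# report: read the rows on stdin, compare what is active with what is
# configured, and flag a change that has not taken effect yet. These are
# boot options, so a new value only becomes Runtime after a reboot.
report() {
    rows=$(cat)
    configured=$(printf '%s\n' "$rows" | sched_mode 3)
    runtime=$(printf '%s\n' "$rows" | sched_mode 4)
    if [ "$configured" = "$runtime" ]; then
        echo "$runtime"
    else
        echo "$runtime (reboot pending: $configured)"
    fi
}

# Constructed sample: IntraVM was set to FALSE but the host was not rebooted.
SAMPLE='Name                             Type  Configured  Runtime  Default  Description
hyperthreadingMitigation         Bool  TRUE        TRUE     FALSE    constructed
hyperthreadingMitigationIntraVM  Bool  FALSE       TRUE     TRUE     constructed'

# On a host: esxcli system settings kernel list | report
printf '%s\n' "$SAMPLE" | report
```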
