VMware Cloud Community
jprovine7 (Expert)

Patches for spectre

Has anyone applied the recently released patches for Spectre? I wanted to make sure there are no issues before I apply them to my ESXi hosts.

Patches - release date 3/20/2018

ESXi550-201803401-BG   https://kb.vmware.com/s/article/52449

ESXi550-201803402-BG   https://kb.vmware.com/s/article/52450

Accepted Solution

jprovine7 (Expert)

This went fine, I just updated using Update Manager.

22 Replies
ashwin_prakash (VMware Employee)

Make sure the update process is followed as recommended, so that you do not face any issues on the host after upgrading.

Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants.

Below are a few KBs for your reference, which discuss this in detail.

VMware Knowledge Base

VMware Knowledge Base 

VMware Knowledge Base

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

I put a patch on the host when they first issued one, shortly after the issue was brought to light, and then they recalled it. I do not want to be in that same situation where they release and recall the patch. So are you saying that you have applied these patches yourself and have seen no issues? That they have not been recalled?

jprovine7 (Expert)

By these patches I mean the ones I first mentioned. Have you successfully applied these with no issues, and has there not been any recall?

ESXi550-201803401-BG   https://kb.vmware.com/s/article/52449

ESXi550-201803402-BG   https://kb.vmware.com/s/article/52450

ashwin_prakash (VMware Employee)

VMware recalled the patches because Intel recalled the microcode update which they had released.

The microcode would be released via the hardware vendor.

Since the microcode was not available, VMware had to recall the patch.

VMware Knowledge Base

This KB was only relevant for organizations that had deployed ESXi650-201801402-BG, ESXi600-201801402-BG, and/or ESXi550-201801401-BG which were pulled down on 01/12/18. VMware’s recommendation is to instead follow the procedure laid out in Hypervisor-Assisted Guest Mitigation for branch target injection. Note that ESXi650-201803401-BG, ESXi600-201803401-BG, and ESXi550-201803401-BG will remove the workaround line below from /etc/vmware/config when applied. Host profiles in ESXi 6.5 may re-introduce the workaround under certain circumstances, see KB52460 for more information. This KB article (52345) will remain published for historical purposes.

It has been updated by VMware, as you can see if you refer to the above KB.

We have updated our lab environment with the same process and we haven't observed any issues to date.

Process followed:

1. Upgrade vCenter

2. Apply ESXi patches

3. Apply the microcode/BIOS updates

4. Update firmware and drivers

5. Apply all security patches for your guest OS

6. Ensure VMs are using virtual hardware version 9 or above

Sincerely,
Ashwin Prakash
Skyline Support Moderator
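Steps 5 and 6 of the process above only pay off if the guest can actually see the new CPU features that the host patch, the microcode update and the virtual hardware version expose to it (the Hypervisor-Assisted Guest Mitigation KB referenced earlier in the thread also requires the VM to be power-cycled, not just rebooted, before that happens). The script below is an added example written for this thread; it is not code from the thread, from VMware or from CrowdStrike. It assumes a Linux guest, parses the `flags` line of `/proc/cpuinfo` and the kernel's `/sys/devices/system/cpu/vulnerabilities/spectre_v2` summary (present since Linux 4.15), and reports whether the branch-target-injection controls are visible and whether the kernel considers itself mitigated. The flag names in `BTI_FLAGS` vary between kernel versions and vendors, so that set is an assumption to adjust for your distribution; the two cpuinfo samples and status strings are constructed so the script runs offline.

```python
"""Guest-side check: is the hypervisor-assisted Spectre v2 mitigation visible?

Added example for the thread above; not VMware's or CrowdStrike's code.
Assumes a Linux guest. Flag names are an assumption to adjust per kernel.
"""
from pathlib import Path

# CPUID-derived flags a patched host + microcode + VM hardware version 9+
# can pass through to the guest (assumed names; older RHEL kernels used
# ibrs/ibpb/stibp, mainline uses spec_ctrl/ibpb/stibp).
BTI_FLAGS = {"spec_ctrl", "ibrs", "ibpb", "stibp"}

SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")


def cpuinfo_flags(cpuinfo_text: str) -> set:
    """Return the union of all 'flags' entries found in /proc/cpuinfo text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, rest = line.partition(":")
            flags.update(rest.split())
    return flags


def assess(cpuinfo_text: str, spectre_v2_status: str) -> dict:
    """Classify a guest from its cpuinfo text and sysfs spectre_v2 status.

    hw_support_visible: the guest sees at least one BTI control flag, i.e.
    host patch + microcode + hardware version + power-cycle all took effect.
    kernel_mitigated:   the guest kernel reports 'Mitigation: ...' rather
    than 'Vulnerable ...', which also needs the guest OS patches (step 5).
    """
    seen = cpuinfo_flags(cpuinfo_text) & BTI_FLAGS
    status = spectre_v2_status.strip()
    return {
        "bti_flags": sorted(seen),
        "hw_support_visible": bool(seen),
        "kernel_status": status,
        "kernel_mitigated": status.startswith("Mitigation:"),
    }


def assess_live() -> dict:
    """Read the real files on a running Linux guest."""
    cpuinfo = Path("/proc/cpuinfo").read_text()
    status = SYSFS_SPECTRE_V2.read_text() if SYSFS_SPECTRE_V2.exists() \
        else "Unknown (no sysfs entry; kernel older than 4.15?)"
    return assess(cpuinfo, status)


# Constructed samples: the same guest before the host was patched and
# power-cycled, and afterwards.
SAMPLE_BEFORE = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse sse2 ssse3 sse4_1 avx hypervisor\n"
)
SAMPLE_AFTER = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse sse2 ssse3 sse4_1 avx hypervisor "
    "spec_ctrl ibpb stibp\n"
)
STATUS_BEFORE = "Vulnerable: Minimal generic ASM retpoline\n"
STATUS_AFTER = "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n"

if __name__ == "__main__":
    for label, text, status in (("before", SAMPLE_BEFORE, STATUS_BEFORE),
                                ("after", SAMPLE_AFTER, STATUS_AFTER)):
        print(label, assess(text, status))
```

Run it inside the VM after the host has been patched and the VM power-cycled; if `hw_support_visible` stays false the problem is on the host side (patch, microcode or hardware version), and if it is true but `kernel_mitigated` is false the guest OS still needs its own patches.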
jprovine7 (Expert)

Back in January 2018 we deployed the following two patches:

ESXi550-201801301-BG   1/22/2018

ESXi550-201801401-BG   1/9/2018

jprovine7 (Expert)

Is there a process to remove a patch if it causes issues?

ashwin_prakash (VMware Employee)

If there is an issue, you could always revert to the previous build.

While the ESXi server is booting you get the option to press Shift + R to revert to the previous version of ESXi.

VMware Knowledge Base

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

Thanks.

As you can see from the list from January, I did put the recalled patch on:

ESXi550-201801401-BG   1/9/2018

and I am planning on putting both of the new releases on this week:

ESXi550-201803401-BG   https://kb.vmware.com/s/article/52449

ESXi550-201803402-BG   https://kb.vmware.com/s/article/52450

ashwin_prakash (VMware Employee)

You could implement the patches on the ESXi host, which you have mentioned.

ESXi550-201803401-BG

ESXi550-201803402-BG

Make sure that you follow the upgrade process as mentioned in the documents.

The KB below lists the Intel and AMD processors for which microcode updates were included in ESXi patches ESXi650-201803402-BG, ESXi600-201803402-BG, and ESXi550-201803402-BG:

VMware Knowledge Base

Please contact your hardware vendor to determine if BIOS/firmware updates are recommended as there may be additional improvements included with those updates.

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

LOL, yes I can implement them, but the purpose of this thread was to find out if there are any downsides to applying them, and I will admit I don't think that question has been answered.

ashwin_prakash (VMware Employee)

I haven't seen anything which has been creating issues on the ESXi hosts after applying these patches:

ESXi550-201803401-BG

ESXi550-201803402-BG

The previous patch, which was recalled, had a few issues, but with these patches we have not observed issues on the host as of now.

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

My plan is to install the patches using Update Manager, where they showed up when I scanned for patches.

ashwin_prakash (VMware Employee)

Yes, VMware ESXi patches would be listed once you download the latest patches and scan on the host.

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

Yes, that is exactly what I said: they showed up in Update Manager and I plan to install them from there, but the information you provided seemed to focus on the manual install, not using Update Manager.

ashwin_prakash (VMware Employee)

The process that I have shared is for the components that need to be upgraded before upgrading ESXi and the components that need to be upgraded after upgrading vCenter.

You could use either Update Manager, or manually download the patch and use the command to patch the host, whichever process you are comfortable with.

Sincerely,
Ashwin Prakash
Skyline Support Moderator
jprovine7 (Expert)

Looks to me that the update manager is the most simple way to do it.

cypherx (Hot Shot)

Using VUM, it took us up to ESXi 6.0.0, 7967664. No issues yet.

Yes, we did early-adopt the patches in January. So this one just overwrote those, I guess.

jprovine7 (Expert)

Yeah, we adopted the patches in January too and as far as I could tell they did not help or hurt. According to our CrowdStrike monitoring of our devices it does not appear as though there is a fix for Spectre yet.
