Hello. Hope you can help. New to VMware and need advice re: patching.
I've just updated a standalone ESXi server from 6.0 to 6.7 Update 2 (Build 13006603) by booting from a CD. Worked fine, but I'm now getting the warning message "This host is potentially vulnerable to issues described in CVE-2018-3646".
Checked the VMware article https://www.vmware.com/security/advisories/VMSA-2018-0020.html
This is my understanding of what I should do:
Concurrent-context attack vector - Disable Hyperthreading after applying patches (Don't think we're going to disable hyperthreading). To suppress the warning message, change UserVars.SuppressHyperthreadWarning from 0 to 1 according to https://kb.vmware.com/s/article/57374
As the patches for this fix were released in Aug 2018 and 6.7 Update 2 was released in Apr 2019, do I actually need to install the 3 patches or would they have been included in 6.7 Update 2?
Is it just a case of suppressing the HyperThread warning message?
Thanks
As per my knowledge, this issue is related to the Intel CPU bug and there is still no resolution available.
We have 2 workarounds for this issue, as you already mentioned.
1. Disable Hyper-Threading, which will bring your hosts into a compliant state, but the VMs will hit the performance issue.
2. Suppress the warning. This will keep your hosts in a non-compliant state, but with no hit to the VMs' performance.
Thanks for replying so quickly
Just to confirm - the 3 patches should already be installed as part of 6.7 Update 2 then? I just need to suppress the error message?
Yes, please go ahead and suppress the warning.
If you think this resolves your issue, please mark this as Answered.
Thanks for your quick response
Hello,
What about if you are running ESXi-7.0U3d-19482537-standard (VMware, Inc.)?
I still see those notifications on my servers, and when I added them to vCenter they went into Maintenance mode.
How can I fix this?
Thanks
