Cheers, good to know.
Like daphnissov said, watch Security Advisory VMSA-2018-0002 for updates but I'd plan to patch both ESXi and any guest OS as well. While you're at it, might as well check with your hardware vendor for updates relating to INTEL-SA-00086 (link below) and close those holes too.
I received this comment from a source within VMware:
"Guest OS patching is still required as the ESXi patches in VMSA-2018-0002 do not remediate the issues in the guest OS. The patches in VMSA-2018-0002 remediate the known variants of VM to VM exploitation."
We patched our hardware (HP, latest BIOS 2.54),
patched our ESX (6.5 -> 201712101 and 6.0 -> 201711101),
patched our VMs' OS (MS ADV180002; VM hardware version 11).
When running the "Speculation Control Validation PowerShell Script" on the VM, it tells us we need to update the BIOS/firmware!?
Has anyone ever patched this successfully? Is there something missing in the BIOS settings for the VMs?
Same problem on our side.
We patched the hardware (Lenovo) and ESXi to the most current version.
The registry keys from MS are also in place, and we get the same output.
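For anyone comparing their own result with the two posts above, the following is an added example (not code from any post in this thread, nor from Microsoft or VMware) that checks the guest side of ADV180002 on a Windows VM and explains the "update BIOS/firmware" result in hypervisor terms. It assumes an elevated PowerShell session inside the VM and that the SpeculationControl module has been installed from the PowerShell Gallery (`Install-Module SpeculationControl`); the function names `Get-Adv180002RegistryState` and `Enable-Adv180002Mitigations` are this example's own.

```powershell
# Added example, not from any post in this thread: inspect what the Microsoft
# Speculation Control script reports on a Windows VM and map each "False" to the
# layer (guest registry, host microcode/hypervisor, VM power state) that owns it.
# Assumes an elevated session and the SpeculationControl module from the PSGallery.

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-Adv180002RegistryState {
    # ADV180002: on Windows Server the mitigations ship disabled and are switched on by
    # FeatureSettingsOverride = 0 and FeatureSettingsOverrideMask = 3 (reboot required).
    $p = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $p.FeatureSettingsOverride
        Mask     = $p.FeatureSettingsOverrideMask
        Enabled  = ($p.FeatureSettingsOverride -eq 0 -and $p.FeatureSettingsOverrideMask -eq 3)
    }
}

function Enable-Adv180002Mitigations {
    # Example helper (not a Microsoft cmdlet): writes the two ADV180002 values.
    Set-ItemProperty -Path $mm -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
    Write-Host 'Registry values set; reboot the VM for them to take effect.'
}

$reg = Get-Adv180002RegistryState
if (-not $reg.Enabled) {
    Write-Warning "ADV180002 values not set (Override=$($reg.Override), Mask=$($reg.Mask)); run Enable-Adv180002Mitigations and reboot."
}

Import-Module SpeculationControl
# Prints its own report to the console and also returns an object we can test.
$sc = Get-SpeculationControlSettings

if (-not $sc.BTIHardwarePresent) {
    # The virtual CPU does not expose the new branch-control capabilities (IBRS/IBPB/STIBP).
    # Inside a VM this is not a guest BIOS problem: it means the host microcode plus the
    # hypervisor-assisted guest mitigation patch (VMSA-2018-0004) is not in place, or the
    # VM has not been fully powered off and back on since the host was patched. A guest
    # reboot is not enough; the vCPU capabilities are only re-enumerated on a cold boot.
    # Assumption: the VM is at virtual hardware version 9 or later, as VMware's guest
    # mitigation guidance requires.
    Write-Warning 'BTI hardware support is not visible to this VM: patch/verify the ESXi host, then power-cycle (not just reboot) the VM.'
}
if ($sc.BTIWindowsSupportPresent -and -not $sc.BTIWindowsSupportEnabled) {
    if ($sc.BTIDisabledBySystemPolicy) {
        Write-Warning 'Windows has the BTI mitigation but the ADV180002 registry values keep it disabled.'
    } elseif ($sc.BTIDisabledByNoHardwareSupport) {
        Write-Warning 'Windows has the BTI mitigation but cannot enable it until the vCPU exposes the new capabilities.'
    }
}
if ($sc.KVAShadowRequired -and -not $sc.KVAShadowWindowsSupportEnabled) {
    Write-Warning 'Meltdown (CVE-2017-5754) kernel VA shadowing is required but not enabled: January 2018 update missing or disabled by registry.'
}
```

The useful split is between the two BTI lines: `BTIWindowsSupportPresent` is purely a guest patch question, while `BTIHardwarePresent` is decided by the host (microcode, ESXi patch, and whether the VM has been power-cycled since), which is why guest BIOS settings cannot change it.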
This was just released today. I ran the patch it called for, https://kb.vmware.com/s/article/52206,
and now I get all green check marks from the Windows Speculation Control verification script.
Same here! All green.
To help other people:
- VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
- VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for the speculative execution issue.
These patches would need to be applied to your host(s).
link to patches
In the first drop-down box, select
- ESXi (Embedded and Installable)
then select your version.
From my understanding, based on the available articles, it is still not clear whether the fix for CVE-2017-5753 has been released or not. Can anyone clarify that?
- Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
- Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
- Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
- Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
  -- Fix provided at the hypervisor and microcode level; reference article: https://www.vmware.com/security/advisories/VMSA-2018-0004.html
  -- The release notes of the respective fix contain the information about CVE-2017-5715.
- Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
  -- The VMware article (https://kb.vmware.com/s/article/52127) mentions only version 5.5 with respect to this CVE, not 6.0 or later; also, I don't see this CVE in any of the release notes of the recent patches released for these CPU vulnerabilities.
- Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
  -- Not applicable for ESXi.