Hi VMware Community,
I have opened a VMware Support request but have received no qualified answer in a week, so perhaps someone here in the community can help me.
We have a fully patched environment to mitigate the Meltdown & Spectre vulnerabilities. But all testing tools are saying that the systems are attackable, and VMware Support told me that they are not responsible for the Windows VMs. But from the Microsoft side all things are done: patches are installed and the needed registry values for Windows Servers are there.
The Technical Details of the Environment:
- The customer has a 2-node VMware ESXi 5.5 Cluster
- Host-Patchlevel is ESXi 5.5 U3h (Build 7618464)
- Server-Hardware = Fujitsu Primergy RX 200 S8
- BIOS updates are installed: V22.214.171.124 - R1.18.0
BIOS V126.96.36.199 R1.18.0 for D3302-A1x (12.02.2018)
Update CPU Microcode to ID=0000042C
Fixed side-channel analysis security flaws - known as Spectre & Meltdown
- Windows VMs patched (Microsoft Updates installed)
- VMs (Windows Server 2008 R2) rebooted (full power cycle):
Microsoft PowerShell query "Get-SpeculationControlSettings" shows inside the VMs that hardware support is not present.
Output of PowerShell Script: "Hardware support for branch target injection mitigation is present: False"
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
How can I check that Meltdown & Spectre mitigation is correctly configured on the VMware side?
The PowerCLI Script from:
shows that Meltdown/Spectre mitigation is not working, but I know that this is not an official VMware script, so is there an official solution to query the mitigation status?
Output of Script for all VMs = HypervisorAssistedGuestAffected = True
I further checked the VMware KB article KB52085
Confirmation of Correct Operation
To confirm a host has both patched microcode and patched VMware hypervisor, use the following steps:
- Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
- Examine the vmware.log file for that VM and look for one of the following entries:
- “Capability Found: cpuid.IBRS”
- “Capability Found: cpuid.IBPB”
- “Capability Found: cpuid.STIBP”
- Any of the above log entries indicates that both the CPU microcode and hypervisor are properly updated.
1. = VM Hardware Version is = 10
2. = vmware.log checked: no entries like that are there
I would really appreciate any help.
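
The KB52085 confirmation steps quoted in the post above, as an added example that is not part of the original post and not VMware's own tooling: a POSIX shell check that reads a VM's .vmx for the virtual hardware version and its vmware.log for the three capability entries. The function names and the sample log line format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Virtual hardware version from a .vmx file (the KB check needs 9 or later).
vmx_hw_version() {
    sed -n 's/^virtualHW\.version *= *"\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Space-separated list of the capabilities that vmware.log reports.
spec_caps_found() {
    found=""
    for cap in IBRS IBPB STIBP; do
        # Anchor the end of the name so a longer capability name does not match.
        if grep -qE "Capability Found: cpuid\.${cap}([^A-Za-z0-9_]|\$)" "$1"; then
            found="${found:+$found }$cap"
        fi
    done
    printf '%s\n' "$found"
}

# check_vm <file.vmx> <vmware.log>
# returns 0 = capability exposed, 1 = not exposed, 2 = check not applicable
check_vm() {
    vmx=$1; log=$2
    [ -r "$vmx" ] && [ -r "$log" ] || { echo "UNKNOWN: cannot read input files"; return 2; }
    hw=$(vmx_hw_version "$vmx")
    if [ -z "$hw" ] || [ "$hw" -lt 9 ]; then
        echo "UNKNOWN: virtual hardware version '${hw}' is below 9"; return 2
    fi
    caps=$(spec_caps_found "$log")
    if [ -n "$caps" ]; then
        echo "OK: hw v$hw, log reports: $caps"; return 0
    fi
    echo "MISSING: hw v$hw, no IBRS/IBPB/STIBP entries in $log"; return 1
}

# Constructed sample: a hardware version 10 VM whose log has no capability
# entries, which is the situation described in the post.
sample_dir=$(mktemp -d)
printf 'virtualHW.version = "10"\n' > "$sample_dir/vm.vmx"
printf '%s\n' '2018-02-20T09:00:01.000Z| vmx| I120: Powering on guest' > "$sample_dir/vmware.log"
check_vm "$sample_dir/vm.vmx" "$sample_dir/vmware.log" || true
```

A result of MISSING on a VM that was fully powered off and on again after patching means the guest cannot see the new CPU capabilities, which matches `BTIHardwarePresent : False` inside Windows.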