8 Replies Latest reply on Apr 7, 2020 5:12 AM by PH4N70M

    CVE-2018-3646

    VivekMi Lurker

      Hi friends,

      How do I fix this issue? I applied the VMware patches (6.0.0, 9313334) and I have this warning message on the host.


        • 1. Re: CVE-2018-3646
          rajen450m Hot Shot
          vExpert

          Hi Vivek,

          The CVE-2018-3646 patches are meant to remediate the ‘L1 Terminal Fault - VMM’ (L1TF - VMM) speculative-execution vulnerability in Intel processors for vSphere.

          So the remediation is in three phases:

          • Update Phase: Apply vSphere Updates and Patches
          • Planning Phase: Assess Your Environment
          • Scheduler-Enablement Phase: Enable the ESXi Side-Channel-Aware Scheduler

          So you have installed the patches and completed the update phase; now you need to move to the next phases.

          Assess your environment (where you check the impact on VMs with more CPU cores than the logical processor count), and in the next phase enable the scheduler (where you will disable hyper-threading). Please add new hosts/capacity to the cluster before disabling hyper-threading to avoid resource management issues.

          Or you can simply suppress the warning, in which case the host is still vulnerable and not completely remediated.

          Follow the steps as per the KB: L1TF Related KB Article by VMware

          Regards,

          • 2. Re: CVE-2018-3646
            Dave_the_Wave Hot Shot

            When I upgraded all my hosts with VMware-ESXi-6.0.0-Update3-9313334-HPE-preGen9-600.9.8.5.4-Sep2018.iso, I got the "esx.problem.hyperthreading.unmitigated" warning.

            I fixed it with UserVars.SuppressHyperthreadWarning = 1

            Don't get so caught on these vulnerabilities. Y2K didn't kill chicken little.

            • 3. Re: CVE-2018-3646
              Brookshealth Lurker

              That was exactly what I was looking for, thanks. Now I'll call VMware and make them set this on all of my hosts. What a colossal waste of time....

              • 4. Re: CVE-2018-3646
                A13xxx Enthusiast

                The patch is only part of it. If you want to avoid this warning you can suppress it, but to ensure you are protected you will need to disable hyper-threading. If you do not disable hyper-threading and just suppress the warning, your DC will not pass the green health check because the vulnerability still exists.

                • 5. Re: CVE-2018-3646
                  cheeweng Novice

                  Hi,

                  Do we still need to turn on the mitigation if the hardware BIOS was patched?

                  • 6. Re: CVE-2018-3646
                    vGuy Expert

                    Yes.

                    • 7. Re: CVE-2018-3646
                      Axis32 Lurker

                      CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If microcode, BIOS, OS, and virtualization software have been updated on both hosts and guests, it is not necessary to disable hyper-threading.

                      • 8. Re: CVE-2018-3646
                        PH4N70M Lurker

                        I was facing the same warning, until I found the solution in David Pasek's Professional Blog: ESXi : This host is potentially vulnerable to issues described in CVE-2018-3646

                        Select an ESXi host in the inventory.

                        1. Click the Manage tab.
                        2. Under the System heading, click Advanced System Settings.
                        3. Search for VMkernel.Boot.hyperthreadingMitigation and set the value to 1

                        Then it solved the problem.
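The thread mixes two very different knobs: UserVars.SuppressHyperthreadWarning (reply 2) only hides the warning, while VMkernel.Boot.hyperthreadingMitigation (reply 8) actually enables the side-channel-aware scheduler and takes effect on the next boot. The script below is an added example, not code from the thread or from VMware, for telling those states apart on a host. It parses the output of two real esxcli commands, `esxcli system settings kernel list -o hyperthreadingMitigation` and `esxcli system settings advanced list -o /UserVars/SuppressHyperthreadWarning`; the sample outputs embedded here are constructed from memory, and the exact column layout is an assumption to check against a real host before relying on the parser.

```python
"""Classify an ESXi host's CVE-2018-3646 (L1TF) state from two esxcli outputs.

Added example for this thread; not VMware code. The two esxcli commands are
real, but the sample outputs below are constructed and their exact layout is
an assumption.
"""
import re

# Constructed sample of `esxcli system settings kernel list -o hyperthreadingMitigation`:
# the setting has been configured (as in reply 8) but the host has not rebooted yet.
KERNEL_LIST_SAMPLE = """\
Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        FALSE    FALSE    Restrict simultaneous execution of contexts from different security domains
"""

# Constructed sample of `esxcli system settings advanced list -o /UserVars/SuppressHyperthreadWarning`:
# the warning has been suppressed (as in reply 2).
ADVANCED_LIST_SAMPLE = """\
   Path: /UserVars/SuppressHyperthreadWarning
   Type: integer
   Int Value: 1
   Default Int Value: 0
   Min Value: 0
   Max Value: 1
   String Value:
   Default String Value:
   Valid Characters:
   Description: Suppress the warning about potential vulnerability to CVE-2018-3646
"""


def parse_kernel_setting(text, name="hyperthreadingMitigation"):
    """Return {'configured': bool, 'runtime': bool} for one row of the kernel settings table."""
    for line in text.splitlines():
        fields = line.split()
        # Assumed column order: Name Type Configured Runtime Default Description...
        # The description may contain spaces, but it comes after the fields we need.
        if len(fields) >= 5 and fields[0] == name:
            return {
                "configured": fields[2].upper() == "TRUE",
                "runtime": fields[3].upper() == "TRUE",
            }
    raise ValueError(f"setting {name!r} not found in esxcli output")


def parse_int_value(text):
    """Return the effective 'Int Value' from an advanced-settings listing."""
    match = re.search(r"^\s*Int Value:\s*(-?\d+)\s*$", text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Int Value' line in esxcli output")
    return int(match.group(1))


def assess_host(kernel, warning_suppressed):
    """Map the two settings to one of four states.

    Only a TRUE *runtime* value means the side-channel-aware scheduler is active.
    Suppressing the warning changes nothing about the host's exposure.
    """
    if kernel["runtime"]:
        return "mitigated"
    if kernel["configured"]:
        return "pending-reboot"          # enabled in config, not active until reboot
    if warning_suppressed:
        return "suppressed-unmitigated"  # warning hidden, host still exposed
    return "unmitigated"


def assess_from_esxcli(kernel_text, advanced_text):
    """Combine both esxcli outputs into a single state string."""
    kernel = parse_kernel_setting(kernel_text)
    suppressed = parse_int_value(advanced_text) == 1
    return assess_host(kernel, suppressed)


if __name__ == "__main__":
    # With the constructed samples this reports "pending-reboot".
    print(assess_from_esxcli(KERNEL_LIST_SAMPLE, ADVANCED_LIST_SAMPLE))
```

On a real host you would feed the script the live command output instead of the samples; a fleet-wide run that flags every "suppressed-unmitigated" host is the check the health scan in reply 4 is effectively performing.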