2 Replies Latest reply on Nov 27, 2018 12:49 PM by derrellb

    ESX.Problem.Hyperthreading.Unmitigated

    derrellb Lurker

      Good Morning everyone,

       

      I have a small environment in our engineering rack and I added 3 additional hosts into the mix.  When I added them into the clusters where my prepared hosts are, the new hosts did not take the VIBs.  I was finally able to force sync the hosts and they were able to get their VTEPs.

       

      When I did those, I then got the following alarm: ESX.Problem.Hyperthreading.Unmitigated

       

      All 6 of the servers are M4s.  But when I go to the Advanced system settings, only the 3 new servers have this as an option to set to true or false (currently set to false).  The original 3 don't even have that as an advanced setting.  All six have VMKernal.Hyperthreading and are set to "TRUE".

       

      I am not sure if forcing the sync caused this or what.  I found the KB about this but it talks about this happening when doing an upgrade.  I didn't do an upgrade.

       

      It says that it is a setting to mitigate a CVE security issue.

       

      Any thoughts?

       

      Thanks,

      Derrell

        • 1. Re: ESX.Problem.Hyperthreading.Unmitigated
          sk84 Hot Shot
          vExpert

          Do the 3 ESXi hosts where this message appears have a different build number than the other 3 hosts?

           

          This message indicates that your ESXi hosts are vulnerable to a serious vulnerability that can bypass VM isolation (see VMSA-2018-0020). Because it is so critical, a warning or alert is displayed.

           

          This message was introduced in the ESXi650-201808001 and ESXi670-201808001 patches. This corresponds to build 9298722 for vSphere 6.5 and build 9484548 for vSphere 6.7.

           

          Here you can compare the build numbers and releases: VMware Knowledge Base

           

          To mitigate this vulnerability you have to deactivate HyperThreading via a new advanced setting (VMkernel.Boot.hyperthreadingMitigation). But since this results in CPU performance losses, VMware has provided a workflow with 3 phases and an analysis tool. See here for more information: VMware Knowledge Base

          • 2. Re: ESX.Problem.Hyperthreading.Unmitigated
            derrellb Lurker

            Yes, that was the exact issue.  I realized that a couple of hours ago.  The newer build has the security fix added to the advanced settings.  It defaults to "False" and you decide whether you want to make it "True" or not.

             

            The other 3 are the version prior which doesn't have this vulnerability patched.

             

            Cheers!
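
The build comparison that resolved this thread, as an added example that is not part of the original posts: it classifies each host from its `vmware -v` version string and the value of VMkernel.Boot.hyperthreadingMitigation, using the two build numbers quoted in reply 1. The host names, the sample builds, the assumption that the hosts run 6.5 and the state labels are constructed for illustration.

```python
import re

# First builds that carry the alarm and the mitigation setting (from reply 1).
FIRST_PATCHED_BUILD = {"6.5": 9298722, "6.7": 9484548}
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")

def classify_host(version_line, mitigation_setting):
    """Classify one host.

    version_line: text in the form printed by `vmware -v`.
    mitigation_setting: "TRUE"/"FALSE" for VMkernel.Boot.hyperthreadingMitigation,
        or None when the host does not expose that setting at all.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    release, build = m.group(1), int(m.group(2))
    threshold = FIRST_PATCHED_BUILD.get(release)
    if threshold is None:
        return "unknown-release"        # the thread gives no build for this line
    if build < threshold:
        return "pre-patch"              # no setting, no alarm, fix not installed
    if mitigation_setting is None:
        return "patched-setting-missing"  # inconsistent data, recheck the host
    if mitigation_setting.strip().upper() == "TRUE":
        return "mitigation-enabled"
    return "alarm-expected"             # patched, setting left at its default

def audit(inventory):
    """Return ({host: state}, mixed), where mixed is True on build drift."""
    report = {h: classify_host(v, s) for h, (v, s) in inventory.items()}
    builds = {v for v, _ in inventory.values()}
    return report, len(builds) > 1

# Constructed inventory mirroring the thread: three older hosts, three new ones.
SAMPLE_INVENTORY = {
    "esx01": ("VMware ESXi 6.5.0 build-9000001", None),
    "esx02": ("VMware ESXi 6.5.0 build-9000001", None),
    "esx03": ("VMware ESXi 6.5.0 build-9000001", None),
    "esx04": ("VMware ESXi 6.5.0 build-9298722", "FALSE"),
    "esx05": ("VMware ESXi 6.5.0 build-9298722", "FALSE"),
    "esx06": ("VMware ESXi 6.5.0 build-9298722", "FALSE"),
}

if __name__ == "__main__":
    report, mixed = audit(SAMPLE_INVENTORY)
    for host, state in sorted(report.items()):
        print(f"{host}: {state}")
    print("mixed builds in cluster:", mixed)
```

A "pre-patch" result is not a clean bill of health: those hosts are quiet only because the build predates the alarm.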