VMware Spectre Variant 2 CVE-2017-5715 with cpu microcode fix released!!

I noticed that my ESXi hosts had new patches available today: VMware has finally re-released its patch for Spectre Variant 2 (CVE-2017-5715), the version that uses the new, updated CPU microcode listed in the VMware Security Advisory.

A colleague of mine illustrated the requirements in a diagram similar to the one below, which I found clear and easy to read. Basically, you need to ensure that ALL layers (hardware firmware, hypervisor and guest OS) carry the Spectre Variant 2 patch and meet the necessary requirements before a VM is actually protected.

IMPORTANT: Remember to upgrade the vCenter Server / appliance first, as you may not be able to vMotion your VMs if you don't.

The following is an excerpt from VMware KB 52085:

vMotion and EVC Information

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.
These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered-on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host lacking the microcode or hypervisor patches applied will be prevented.
The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.
In order to maintain this compatibility the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.


The other requirements are the same as for the patch that VMware previously pulled back.

  1. VM Hardware Version 9 or above, with Version 11 being the recommended minimum.
  2. This patch depends on the CPU microcode (server firmware) update from your hardware vendor. At the moment, Dell has already released updated firmware for most servers, and Cisco UCS firmware has also been released. Make sure you adhere to the UCS Fabric Interconnect/server firmware compatibility matrix.
  3. Finally, install the guest OS patch for CVE-2017-5715 to complete the process. Your OS will not be completely patched unless all layers (hardware firmware, hypervisor (vSphere) and guest OS) are patched.
    1. Microsoft Windows – Refer to Microsoft KB 4072698 for the patches and registry entries required, as well as the PowerShell commands to verify that the protections have been enabled.
    2. Linux – There is a script on GitHub which checks whether your VM is vulnerable to Spectre and Meltdown.
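The three steps above are easiest to audit from one place. The following is an added example (it is not code from this post, from VMware or from Microsoft) that checks the hypervisor/microcode layer and the VM hardware version layer through PowerCLI, plus a small wrapper for the Windows guest check referenced in KB 4072698. It assumes VMware.PowerCLI is installed and a Connect-VIServer session exists, that a patched host with new microcode reports the capabilities cpuid.IBRS, cpuid.IBPB and cpuid.STIBP with Value "1" (the feature names VMware KB 52085 describes; the Value convention is my assumption), and it uses the hardware version minimums 9 and 11 from the list above. The guest function relies on Microsoft's SpeculationControl module from the PowerShell Gallery.

```powershell
# Added example, not from the original post, VMware or Microsoft.
#   Test-SpectreV2Layers  - run on a PowerCLI workstation after Connect-VIServer
#   Test-WindowsGuestBTI  - run inside a Windows guest (needs: Install-Module SpeculationControl)
# Assumption: a patched ESXi host with updated microcode lists cpuid.IBRS, cpuid.IBPB and
# cpuid.STIBP in its FeatureCapability with Value "1"; VMs below Hardware Version 9 never see them.

function Test-SpectreV2Layers {
    [CmdletBinding()]
    param(
        [string]$ClusterName,               # optional: limit the audit to one cluster
        [int]$MinimumHwVersion     = 9,     # from the post: v9 required
        [int]$RecommendedHwVersion = 11     # from the post: v11 recommended
    )
    $wanted  = 'cpuid.IBRS', 'cpuid.IBPB', 'cpuid.STIBP'
    $vmHosts = if ($ClusterName) { Get-Cluster -Name $ClusterName | Get-VMHost } else { Get-VMHost }

    foreach ($vmHost in $vmHosts) {
        # Hypervisor + microcode layer: which of the new CPU features does this host advertise?
        $present = $vmHost.ExtensionData.Config.FeatureCapability |
            Where-Object { $_.FeatureName -in $wanted -and $_.Value -eq '1' } |
            ForEach-Object { $_.FeatureName }
        $missing    = @($wanted | Where-Object { $_ -notin $present })
        $hostStatus = if ($missing.Count -gt 0) { "MISSING: $($missing -join ', ')" } else { 'OK' }

        [pscustomobject]@{
            Object    = $vmHost.Name
            Kind      = 'Host'
            Version   = "ESXi $($vmHost.Version) build $($vmHost.Build)"
            Status    = $hostStatus
        }

        # VM hardware layer: the features are only exposed to Hardware Version 9+ VMs.
        foreach ($vm in ($vmHost | Get-VM)) {
            # Config.Version looks like "vmx-09" or "vmx-11"; keep the number only.
            $hw = [int]($vm.ExtensionData.Config.Version -replace '^vmx-', '')
            $vmStatus = if ($hw -lt $MinimumHwVersion)         { 'UPGRADE REQUIRED (below v9)' }
                        elseif ($hw -lt $RecommendedHwVersion) { 'OK (below recommended v11)' }
                        else                                   { 'OK' }
            [pscustomobject]@{
                Object  = $vm.Name
                Kind    = 'VM'
                Version = "vmx-$hw"
                Status  = $vmStatus
            }
        }
    }
}

function Test-WindowsGuestBTI {
    # Guest OS layer (Windows): wraps Microsoft's Get-SpeculationControlSettings.
    # BTI = Branch Target Injection, Microsoft's name for Spectre Variant 2.
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        HardwareSupport  = $s.BTIHardwarePresent         # microcode reached the guest via the hypervisor
        OSSupportPresent = $s.BTIWindowsSupportPresent   # the Windows update is installed
        OSSupportEnabled = $s.BTIWindowsSupportEnabled   # registry entries set, mitigation active
        Protected        = ($s.BTIHardwarePresent -and $s.BTIWindowsSupportEnabled)
    }
}

# Usage on the PowerCLI workstation (vcenter.example.com is a placeholder):
#   Connect-VIServer vcenter.example.com
#   Test-SpectreV2Layers -ClusterName 'Prod' | Format-Table -AutoSize
# Usage inside a Windows guest:
#   Test-WindowsGuestBTI
```

A host row reading MISSING for all three features usually means the server firmware (microcode) has not been applied yet, even if the ESXi patch is installed; a guest reporting OSSupportPresent but not HardwareSupport points at a VM that is still on an old hardware version or was not power-cycled after the host was patched, since the new CPU features are only picked up at power-on.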

Refer to VMware KB 52337 if you are concerned about performance degradation caused by the patch.
