Remediation for Spectre Vulnerability
Updated: Apr 2, 2019
As you may be aware, VMware released Spectre patches for ESXi and vCenter Server (VC) on 20 March 2018.
Security Advisory: VMSA-2018-0004.3 (updated)
Suggested update Sequence
The fixes for Meltdown and Spectre must be deployed in the following order:
Deploy the updated version of vCenter Server listed in VMSA-2018-0004
Deploy the ESXi patches listed in VMSA-2018-0004. This applies even to hosts that already received an earlier ESXi patch: that patch does not replace the one listed in VMSA-2018-0004, which must be applied as well.
Deploy the Guest OS patches for CVE-2017-5715. These patches are to be obtained from your OS vendor.
For the CPU microcode, VMware recommends the firmware (BIOS) update from your hardware vendor over the microcode bundled with the ESXi software patch.
Ensure that VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions. Follow the sequence below to update the Hardware Version and give each VM the full power cycle it needs to pick up the new CPU features:
Update VMware Tools to the latest version shipped with the patched host.
Update the VM hardware version to 9 or above. The hardware version can only be changed while the VM is powered off, so either apply it during the power cycle below or schedule the compatibility upgrade to run at the next power off.
Shut down the VM from the guest OS. A guest reboot is not sufficient: the VM must be powered off and on again so it is re-created with the patched host's CPU features.
Wait for the VM to appear powered off in the vCenter Server UI.
Power on the VM.
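The VM-side sequence above, scripted with PowerCLI, as an added example that is not part of the original page or of VMware's advisory. It assumes PowerCLI is installed and connected with an account that can power-cycle VMs; the vCenter hostname and VM name are placeholders, and the CPUID feature keys it checks for (cpuid.IBRS, cpuid.IBPB, cpuid.STIBP) are the ones a VM exposes for the branch-target-injection mitigation after a full power cycle on a patched host. Older PowerCLI uses Set-VM -Version "v11"; newer releases use -HardwareVersion "vmx-11" instead.

```powershell
# Added example (PowerCLI): walks one VM through Tools update, a full power
# cycle with a hardware-version upgrade while the VM is off, then verifies
# the restarted VM advertises the new speculative-execution CPU features.
# Assumptions: PowerCLI installed, vCenter hostname below is a placeholder.
param(
    [Parameter(Mandatory)] [string] $VMName,
    [string] $VIServer           = 'vcenter.example.com',  # placeholder
    [int]    $TargetVersion      = 11,                     # 9 is the minimum, 11+ recommended
    [int]    $ShutdownTimeoutSec = 600
)

Connect-VIServer -Server $VIServer | Out-Null

function Get-HwVersionNumber([string] $Version) {
    # Get-VM reports the hardware version as e.g. "v9"; strip the prefix.
    return [int]($Version -replace '^v', '')
}

$vm = Get-VM -Name $VMName

# 1. VMware Tools first, while the guest is still running. No reboot here;
#    the power cycle below covers it.
if ($vm.ExtensionData.Guest.ToolsVersionStatus2 -ne 'guestToolsCurrent') {
    Update-Tools -VM $vm -NoReboot
}

# 2. Clean guest shutdown via Tools, then wait until vCenter reports PoweredOff.
#    A guest-initiated reboot is not enough: the VM process must be torn down
#    and re-created so it is built with the patched host's CPU features.
Stop-VMGuest -VM $vm -Confirm:$false | Out-Null
$deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
do {
    Start-Sleep -Seconds 5
    $vm = Get-VM -Name $VMName
    if ((Get-Date) -gt $deadline) {
        throw "$VMName did not power off within $ShutdownTimeoutSec s"
    }
} until ($vm.PowerState -eq 'PoweredOff')

# 3. The hardware version can only be changed while the VM is powered off.
if ((Get-HwVersionNumber $vm.Version) -lt $TargetVersion) {
    Set-VM -VM $vm -Version "v$TargetVersion" -Confirm:$false | Out-Null
}

# 4. Power on and re-read the runtime state.
Start-VM -VM $vm | Out-Null
$vm = Get-VM -Name $VMName

# 5. Verify: a VM re-created on a patched host with the new microcode lists
#    the IBRS/IBPB/STIBP CPUID features among its feature requirements.
$required = 'cpuid.IBRS', 'cpuid.IBPB', 'cpuid.STIBP'
$present  = $vm.ExtensionData.Runtime.FeatureRequirement | ForEach-Object { $_.Key }
$missing  = $required | Where-Object { $present -notcontains $_ }

if ($missing) {
    Write-Warning "$VMName is missing $($missing -join ', '): check host patches, microcode and EVC mode"
} else {
    Write-Host "$VMName (hardware $($vm.Version)) exposes $($required -join ', ')"
}
```

Run it once per VM (for example from a loop over Get-VM in a cluster) after the host has been patched and its microcode updated; a VM that still reports missing features after the power cycle usually points at an unpatched host, stale microcode, or an EVC baseline that masks the new features.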
The new versions of vCenter Server restrict which ESXi hosts may join an Enhanced vMotion Compatibility (EVC) cluster; see VMware Knowledge Base article 52085 for details.
Once a VM has been power cycled on a patched host it requires the new CPU features, so it can no longer be migrated to a host that has not been patched. Keep this in mind when planning the host upgrade order and evacuations for maintenance mode.