Copyright © 2019 nukescloud

Arun Nukula

Remediation for Spectre Vulnerability

Updated: Apr 2, 2019



As you may be aware, VMware released Spectre patches for ESXi and vCenter (VC) on 20th March, 2018.

Related Articles

VMware Security Advisory VMSA-2018-0004 (updated to VMSA-2018-0004.3)

VMware KB article describing Hypervisor-Assisted Guest Mitigation for Branch Target Injection

Suggested update sequence

The fixes for Meltdown and Spectre must be deployed in the following order:

  1. Deploy the updated version of vCenter Server listed in VMSA-2018-0004

  2. Deploy the ESXi patches listed in VMSA-2018-0004 (even though an earlier patch has already been applied to ESXi, this patch must be applied as well)

  3. Deploy the guest OS patches for CVE-2017-5715. These patches are obtained from your OS vendor.

  4. VMware recommends applying the firmware update that includes the CPU microcode rather than delivering the microcode through a software patch.

  5. Ensure that VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions. Follow the sequence below to update the Hardware Version:

  • Update VMware Tools to the latest version available on the patched host.

  • Update the VM hardware version to 9 or above.

  • Shut down the VM from the guest OS console.

  • Wait for the VM to show as powered off in the vCenter Server UI.

  • Power on the VM.

The new versions of vCenter Server place restrictions on ESXi hosts joining an Enhanced vMotion Compatibility (EVC) cluster; see VMware Knowledge Base article 52085 for details.

You will not be able to migrate a VM from a patched host to a non-patched host, so keep this in mind when planning the upgrades.
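The hardware-version step above and the vMotion restriction are the two points where an upgrade plan usually goes wrong in a large inventory. The following script is an added example (not from the original post or from VMware) that checks an inventory export against the thresholds the post names: hardware version 9 required, 11 recommended, VMware Tools current, and no migration from a patched host to an unpatched one. The CSV export, the host names and the set of patched hosts are all constructed for the example; in practice the same columns would come from a PowerCLI `Get-VM` export.

```python
"""Readiness check for the VM hardware-version step of the Spectre remediation
sequence, plus a planning check for the patched-to-unpatched vMotion restriction.

Added example, not part of the original post. The inventory below is constructed
in the shape of a PowerCLI export (VM name, hardware version as "vmx-NN",
VMware Tools status, host). The thresholds are the ones the post states.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

REQUIRED_HW = 9       # minimum hardware version for the hypervisor-assisted mitigation
RECOMMENDED_HW = 11   # recommended for best performance

# Constructed sample export; host names and VM names are placeholders.
SAMPLE_EXPORT = """\
Name,HardwareVersion,ToolsStatus,VMHost
web01,vmx-08,toolsOld,esx01.lab.local
db01,vmx-11,toolsOk,esx01.lab.local
app01,vmx-09,toolsOk,esx02.lab.local
legacy01,vmx-07,toolsNotInstalled,esx02.lab.local
"""

# Hosts that already carry the ESXi patch (constructed for the example).
PATCHED_HOSTS: Set[str] = {"esx01.lab.local"}


@dataclass
class VmReport:
    name: str
    hw_version: int
    tools_current: bool
    host_patched: bool

    @property
    def meets_required(self) -> bool:
        return self.hw_version >= REQUIRED_HW

    @property
    def meets_recommended(self) -> bool:
        return self.hw_version >= RECOMMENDED_HW

    def actions(self) -> List[str]:
        """Remaining steps, in the order the post prescribes."""
        steps: List[str] = []
        if not self.host_patched:
            steps.append("apply ESXi patch to host before updating tools")
        if not self.tools_current:
            steps.append("update VMware Tools")
        if not self.meets_required:
            steps.append(f"upgrade hardware version to {REQUIRED_HW}+ (shut down VM first)")
        elif not self.meets_recommended:
            steps.append(f"consider hardware version {RECOMMENDED_HW}+ for performance")
        return steps


def parse_hw_version(text: str) -> int:
    """Turn 'vmx-09' style strings into an integer hardware version."""
    match = re.fullmatch(r"vmx-(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised hardware version: {text!r}")
    return int(match.group(1))


def build_reports(export: str, patched_hosts: Iterable[str]) -> List[VmReport]:
    """Parse a CSV export and build one report per VM."""
    patched = set(patched_hosts)
    reports = []
    for row in csv.DictReader(io.StringIO(export)):
        reports.append(VmReport(
            name=row["Name"],
            hw_version=parse_hw_version(row["HardwareVersion"]),
            # toolsOk is the only status that counts as current.
            tools_current=row["ToolsStatus"] == "toolsOk",
            host_patched=row["VMHost"] in patched,
        ))
    return reports


def migration_allowed(src_host: str, dst_host: str, patched_hosts: Iterable[str]) -> bool:
    """A VM on a patched host cannot be moved to an unpatched host."""
    patched = set(patched_hosts)
    return not (src_host in patched and dst_host not in patched)


if __name__ == "__main__":
    for report in build_reports(SAMPLE_EXPORT, PATCHED_HOSTS):
        todo = report.actions() or ["ready"]
        print(f"{report.name:10} hw={report.hw_version:<3} {'; '.join(todo)}")
    print("esx01 -> esx02 allowed:", migration_allowed("esx01.lab.local", "esx02.lab.local", PATCHED_HOSTS))
```

Run it as-is to see the per-VM action list for the constructed inventory; with a real export, replace `SAMPLE_EXPORT` and `PATCHED_HOSTS` with your own data. The action order deliberately mirrors the post: host patch, then Tools, then hardware version, so the report can be handed to whoever runs the change.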

#vSphere