Meltdown and Spectre are critical vulnerabilities present in several modern CPUs: these hardware bugs allow programs to steal data that is currently being processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, servers and several cloud services.

Currently, the only way to minimize these security risks is to patch your operating systems and the hypervisor layer (if you are using virtual machines).

For Nutanix systems, you need both a patch for the CVM (the VM that runs the storage controller on each node) AND one for the hypervisor layer.

More details are provided in Nutanix Security Advisory #07 (Side-Channel Speculative Execution Vulnerabilities), released on January 4th, 2018.

Nutanix offers you the ability to utilize a hypervisor of your choosing, and as such one must consult with the vendor of choice. Please refer to the tables in the Affected Products section for links and information on patching either AHV, VMware ESXi, Citrix XenServer or Microsoft Hyper-V on your Nutanix cluster.

UVMs require updates available from the specific general-purpose operating system vendor in use. A list of all possible operating system vendors and their documentation on these vulnerabilities is beyond the scope of this advisory. Once the hypervisor and UVM GPOS patches are applied one must power-cycle the UVM to ensure the proper CPU microcode updates are applied and passed through to the UVM.

Virtual appliances, unlike a general-purpose system, are more purpose-built virtual machines with a tighter controlled set of applications and executed code. In many cases, these types of virtual machines do not run unknown userspace code. Please consult with the vendor specific to the virtual appliance in question for more information.

Affected Products:
Nutanix has confirmed which products and/or versions are affected by this vulnerability. Please check the Nutanix Support Portal for the latest update.

Product and fix release:

AHV: The AHV fix for AOS versions 5.0.x and 5.1.x is applied to AHV version 20160925.103, which is available standalone on the Nutanix support portal and will be bundled with the upcoming AOS versions 5.0.5 and 5.1.4 respectively. The AHV fix for AOS version 5.5.x is applied to AHV version 20170830.85, which is available standalone on the Nutanix support portal and will be bundled with the upcoming AOS version 5.5.1. Please refer to KB#5104 for more information about the AHV patches and configuration options.
AOS: Evaluating if patches are needed. Next update by Jan 17th.
AFS: Evaluating if patches are needed. Next update by Jan 17th.
Prism Central: Evaluating if patches are needed. Next update by Jan 17th.
X-Ray: Evaluating if patches are needed. Next update by Jan 17th.
Foundation Standalone: Evaluating if patches are needed. Next update by Jan 17th.
OpenStack: Evaluating if patches are needed. Next update by Jan 17th.
Xtract: Evaluating if patches are needed. Next update by Jan 17th.

Hardware appliances:

A CPU microcode update is also needed at the hardware level; how it is delivered depends on the hardware platform and the hypervisor type.

Hardware platform, hypervisor platform and CPU microcode delivery:

All platforms, Nutanix AHV: CPU microcode update via AHV upgrade. Refer to the following document for more details: https://portal.nutanix.com/kb/5104
All platforms, VMware ESXi: VMware provides a basic microcode update, but it is not recommended on some CPU models; check this blog post. If there is a specific hardware vendor upgrade, this can be applied (for example for G13 and G14 Dell XC appliances).
NX G3, G4, G5, G6 (Supermicro), Hyper-V or XenApp: Currently the only option is a BIOS update. The availability of BIOS versions with stable CPU microcode updates for NX models is under evaluation.
Non-NX (Dell, Lenovo, others), Hyper-V or XenApp: Please contact your hardware vendor for guidance.


Third-Party Products:

Depending on the hypervisor, you also need specific patches:

Third-party product and fix release:

VMware ESXi versions 5.5, 6.0 and 6.5: See guidance available in the following post.
Microsoft Hyper-V (all supported versions): See guidance available in this Microsoft article: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Citrix XenServer (all supported versions): See guidance available in the following Citrix article: https://support.citrix.com/article/CTX231390

For third-party products, the best way is to check the specific vendor's information. Also remember all the guest OSes: check that they are updated and that the protections are actually visible inside them.
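To verify that last point inside a Linux guest (and the advisory's note that a UVM must be power-cycled before the new microcode is passed through), here is an added check script; it is not from the original post or from Nutanix, and it assumes the Linux sysfs vulnerabilities interface (kernel 4.15 or a distro backport) and the /proc/cpuinfo flag names spec_ctrl and ibpb.

```shell
# Added example (not from the original post or the Nutanix advisory):
# summarise what a Linux guest reports about Meltdown/Spectre mitigations.
# Assumes /sys/devices/system/cpu/vulnerabilities (Linux 4.15+ or backport)
# and the cpuinfo flags "spec_ctrl" and "ibpb" exposed by new microcode.
# Both paths can be overridden so files collected from VMs can be checked.

# One line per entry; returns 0 only if every entry is mitigated.
spectre_status() {
    vulndir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$vulndir" ]; then
        echo "no $vulndir: kernel too old to report mitigation status"
        return 1
    fi
    rc=0
    for f in "$vulndir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Mitigation:*|"Not affected") printf '%-18s OK    %s\n' "${f##*/}" "$status" ;;
            *) printf '%-18s FAIL  %s\n' "${f##*/}" "$status"; rc=1 ;;
        esac
    done
    return $rc
}

# Microcode-provided speculation-control flags as seen by the guest.
# Missing flags after the host is patched usually mean the UVM has not
# been power-cycled yet, so the new CPUID bits are not passed through.
microcode_flags() {
    flags=$(grep '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null | head -n 1)
    rc=0
    for want in spec_ctrl ibpb; do
        case " ${flags#flags*:} " in
            *" $want "*) printf 'flag %-10s present\n' "$want" ;;
            *) printf 'flag %-10s MISSING\n' "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Combine both checks: args are an optional vulnerabilities dir and cpuinfo file.
check_guest() {
    spectre_status "$1"; s=$?
    microcode_flags "$2"; m=$?
    if [ "$s" -eq 0 ] && [ "$m" -eq 0 ]; then
        echo "RESULT: guest is mitigated and sees the new microcode flags"; return 0
    fi
    echo "RESULT: action needed (patch guest OS, patch hypervisor/microcode, or power-cycle the UVM)"; return 1
}
# Run against the live system when invoked with --live.
[ "${1:-}" = "--live" ] && check_guest
```

A FAIL line for a vulnerability together with MISSING flags points at the host side (microcode/hypervisor or a pending UVM power-cycle), while MISSING-free output with a FAIL line points at the guest kernel itself.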


About Andrea Mauro

Virtualization & Cloud Architect.
VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert (2010, 2011, 2012, 2013, 2014, 2015). PernixPro 2014. Dell TechCenter Rockstar 2014. MVP 2014.
Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.

