
Meltdown and Spectre are critical vulnerabilities in most modern CPUs: these hardware bugs allow a program to read data that is currently being processed on the computer, bypassing the memory isolation that operating systems and hypervisors rely on. Meltdown and Spectre affect personal computers, mobile devices, servers and many cloud services.

Currently, the only way to minimize these risks is to patch the operating system and, if you run virtual machines, the hypervisor as well (together with the CPU microcode, as explained below).

For Nutanix systems you need both a patch for the CVM (the Controller VM that runs the storage controller on each node) AND one for the hypervisor layer.

More details are provided by Nutanix Security Advisory #07 (Side-Channel Speculative Execution Vulnerabilities), released on January 4th, 2018 and updated weekly.

Nutanix lets you use a hypervisor of your choosing, so you must consult the vendor of that hypervisor. Refer to the tables below for links and information on patching AHV, VMware ESXi, Citrix XenServer or Microsoft Hyper-V on your Nutanix cluster.

UVMs (user VMs) require the updates released by the vendor of the general-purpose operating system (GPOS) they run. A list of all possible operating system vendors and their documentation on these vulnerabilities is beyond the scope of the advisory. Once the hypervisor and the UVM GPOS patches are applied, the UVM must be power-cycled (a full power off and power on, not just a guest reboot) so that the new CPU microcode features are exposed to the virtual CPU and the guest OS can actually use them.

Virtual appliances, unlike general-purpose systems, are purpose-built virtual machines with a tightly controlled set of applications and executed code. In many cases these virtual machines do not run unknown userspace code, which is the precondition for exploiting these issues. Consult the vendor of the specific virtual appliance for more information.

Affected Products:
Nutanix has confirmed which products and/or versions are affected by these vulnerabilities. Check the Nutanix Support Portal for the latest update.


Product               Fix release
AHV                   The AHV fix for AOS versions 5.0.x and 5.1.x is applied in AHV version
                      20160925.103 and will be bundled in AOS versions 5.0.5 and 5.1.4.
                      The AHV fix for AOS version 5.5.x is applied in AHV version 20170830.85 and
                      will be bundled with the upcoming AOS versions 5.5.1 and 5.5.0.4.
                      Standalone versions of AHV 20160925.103 and 20170830.85 are no longer
                      available for manual remediation: customers wanting these versions must
                      obtain them through an AOS upgrade only at this time.
                      Refer to KB#5104 for more information about the AHV patches and
                      configuration options.
AOS                   Under investigation. Next update on Wednesday, January 31st.
AFS                   Under investigation. Next update on Wednesday, January 31st.
Prism Central         Under investigation. Next update on Wednesday, January 31st.
X-Ray                 Under investigation. Next update on Wednesday, January 31st.
Foundation Standalone Under investigation. Next update on Wednesday, January 31st.
OpenStack             Under investigation. Next update on Wednesday, January 31st.
Xtract                Under investigation. Next update on Wednesday, January 31st.

From a remote or local exploit perspective, Nutanix has not identified an exploitable attack vector for these products. However, from a microcode and kernel perspective the focus will be on due diligence and defense in depth. These updates have substantial impacts, and the Nutanix Security and Engineering teams will continue to leverage their Security Development Lifecycle (SecDL) process to ensure the lowest threat posture for Nutanix customers.

Hardware appliances:

A CPU microcode update is also needed at the hardware level; how it is delivered depends on the hardware platform and on the hypervisor type.

Hardware platform        Hypervisor platform    CPU microcode
All                      Nutanix AHV            CPU microcode update via AHV upgrade. However, IBRS
                                                functionality is being disabled until more stable
                                                microcode can be provided. Refer to
                                                https://portal.nutanix.com/kb/5104 for more details.
All                      VMware ESXi            VMware provides a basic microcode update with the ESXi
                                                patches, but it is not recommended on some CPU models
                                                (see the referenced blog post). If a specific hardware
                                                vendor upgrade exists, it can be applied instead (for
                                                example for G13 and G14 Dell XC appliances).
NX G3, G4, G5, G6        Hyper-V or XenServer   Currently the only option is a BIOS update. The
(Supermicro)                                    availability of BIOS versions with stable CPU microcode
                                                updates for NX models is under evaluation and contingent
                                                upon updated microcode from Intel.
Non-NX                   Hyper-V or XenServer   Contact your hardware vendor for guidance.
(Dell, Lenovo, others)


Third-Party Products:

Depending on the hypervisor, you also need specific patches:

Third-party product                          Fix release
VMware ESXi 5.5, 6.0 and 6.5                 See the guidance available in the referenced VMware post.
Microsoft Hyper-V (all supported versions)   See the guidance in this Microsoft article:
                                             https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Citrix XenServer (all supported versions)    See the guidance in this Citrix article:
                                             https://support.citrix.com/article/CTX231390

For third-party products, the best approach is to check the specific vendor information. Also remember all the guest operating systems: check that they are updated and that the protections are actually visible inside them, which means the guest must see both the patched kernel and the new CPU features passed through after the power-cycle.
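The two checks mentioned above (the power-cycle requirement after patching a UVM, and verifying that the protections are visible inside the guest) can be automated on a Linux guest or on the CVM. The script below is an added example, not code from the original post or from Nutanix: it assumes the Linux kernel's /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2} files (present only on patched kernels) and the spec_ctrl and ibpb flags in /proc/cpuinfo, which appear in the guest only once the hypervisor exposes the new microcode to the virtual CPU. The "before" and "after" sample files are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: audit whether a Linux guest (or the Nutanix CVM) actually sees the
# Meltdown/Spectre mitigations and the new microcode features. Assumes the kernel's
# /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2} files and
# the spec_ctrl / ibpb flags in /proc/cpuinfo; the sample inputs below are constructed.

# Classify one sysfs vulnerability line: "Not affected" / "Mitigation: ..." are fine,
# "Vulnerable..." is not, anything else is unknown.
mitigation_state() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo mitigated;  return 0 ;;
        "Vulnerable"*)                   echo vulnerable; return 1 ;;
        *)                               echo unknown;    return 2 ;;
    esac
}

# Return 0 if the space-separated cpuinfo flags line contains the given flag.
has_cpu_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_guest VULN_DIR CPUINFO: print one line per check; return 0 only when all
# three issues report a mitigation AND the microcode flags are visible to the guest.
audit_guest() {
    vdir=$1; cpuinfo=$2; rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$vdir/$v" ]; then
            state=$(mitigation_state "$(cat "$vdir/$v")") || true
        else
            state=unknown   # kernel predates the sysfs interface: treat as unpatched
        fi
        echo "$v: $state"
        [ "$state" = mitigated ] || rc=1
    done
    flags=$(grep '^flags' "$cpuinfo" | head -n 1 | cut -d: -f2-)
    for f in spec_ctrl ibpb; do
        if has_cpu_flag "$flags" "$f"; then
            echo "cpu flag $f: present"
        else
            echo "cpu flag $f: missing (microcode not passed through: power-cycle the VM)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not captured from a real system): one guest still running
# the old kernel on the old vCPU, and one after OS patch, hypervisor patch and power-cycle.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/before" "$DEMO/after"
printf 'Vulnerable\n' > "$DEMO/before/meltdown"
printf 'Vulnerable\n' > "$DEMO/before/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$DEMO/before/spectre_v2"
printf 'flags\t\t: fpu vme de pse sse2 ssse3 avx2\n' > "$DEMO/before/cpuinfo"
printf 'Mitigation: PTI\n' > "$DEMO/after/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$DEMO/after/spectre_v1"
printf 'Mitigation: Full generic retpoline, IBPB\n' > "$DEMO/after/spectre_v2"
printf 'flags\t\t: fpu vme de pse sse2 ssse3 avx2 spec_ctrl ibpb\n' > "$DEMO/after/cpuinfo"

echo "== before patching (constructed sample) =="
audit_guest "$DEMO/before" "$DEMO/before/cpuinfo" || echo "RESULT: guest still exposed"
echo "== after patching and power-cycle (constructed sample) =="
audit_guest "$DEMO/after" "$DEMO/after/cpuinfo" && echo "RESULT: guest mitigated"

# On a real Linux guest or CVM, run instead:
#   audit_guest /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo
```

A guest whose kernel is patched but that has only been rebooted (not power-cycled) after the hypervisor update typically shows "Mitigation:" lines but no spec_ctrl/ibpb flags, which is exactly the case the script flags as still incomplete. For Windows guests the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), referenced from the Microsoft article linked above.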


Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.