
Meltdown and Spectre are critical vulnerabilities present in many modern CPUs: these hardware bugs allow a program to read data that is currently being processed on the same computer. Meltdown and Spectre can affect personal computers, mobile devices, servers and several cloud services.

At present, the only way to minimize these risks is to patch your operating systems and, if you run virtual machines, the hypervisor as well.

For VMware, this applies to the ESXi part of vSphere. But not only: protection is also needed at the VM level, and this holds for all of VMware’s hypervisors, including VMware Workstation.

More details are provided by security advisories:

  • VMSA-2018-0002.3 – VMware ESXi, Workstation, and Fusion updates address side-channel analysis due to speculative execution
  • VMSA-2018-0004.2 – VMware vSphere, Workstation, and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue – Note that some patches have been retired
  • VMSA-2018-0007 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution

But there wasn’t a complete document (although KB 52245 now summarizes most of the information), and there isn’t a simple tool to verify which patches are needed. Other tools can help: for example, the recent version of Runecast Analyzer can detect Meltdown and Spectre vulnerabilities on VMware ESXi hosts (and related VMs) and advise how to patch them.

To check if you need the patches in your vSphere environment see also this post: Meltdown and Spectre: check a vSphere environment.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed along with the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.

What is clear after the first days is that hypervisor remediation can be classified into the following three categories:

  • Hypervisor-Specific Remediation (documented in VMSA-2018-0002.3)
  • Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004.2)
  • Operating System-Specific Mitigations

Relevant Products

  • VMware vSphere ESXi (ESXi) AND vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Virtual Appliances
  • VMware Photon OS
  • VMware based cloud services

Solution

  • VMware vSphere 6.5: for ESXi apply patches ESXi650-201712101-SG (released on Dec, 19th 2017), ESXi650-201801401-BG, ESXi650-201801402-BG; for vCenter Server (and PSC) upgrade to version 6.5 U1e
  • VMware vSphere 6.0: for ESXi apply patches ESXi600-201711101-SG and ESXi600-201801401-BG, ESXi600-201801402-BG; for vCenter Server (and PSC) upgrade to version 6.0 U3d
  • VMware vSphere 5.5: for ESXi apply patches ESXi550-201709101-SG (this patch has remediation against CVE-2017-5715 but not against CVE-2017-5753) and ESXi550-201801401-BG; for vCenter Server (and PSC) upgrade to version 5.5 U3g
  • VMware Workstation 14: update to version 14.1.1
  • VMware Workstation 12.x: update to version 12.5.9
  • VMware Fusion 10: update to version 10.1.1
  • VMware Fusion 8: update to version 8.5.10

Earlier vSphere versions (such as 5.0 or 5.1) are no longer supported, which is one more reason to upgrade your infrastructure quickly to a supported version!

Important note from the new VMware KB 52345, in case you have installed (or are planning to install) VMware’s initial microcode patches ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG: check your processor model and family first!

Intel has notified VMware of recent sightings that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel Haswell and Broadwell processors. The issue can occur when the speculative execution control is actually used within a virtual machine by a patched OS. At this point, it has been recommended that VMware remove exposure of the speculative-execution mechanism to virtual machines on ESXi hosts using the affected Intel processors until Intel provides new microcode at a later date. Check the VMware KB 52345 to verify the affected CPU.

Also, ensure that your VMs are using Hardware Version 9 or higher (this is mandatory). For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions.

That alone is still not enough. There are further requirements, where applicable:

  • Deploy the Guest OS patches for CVE-2017-5715. These patches are to be obtained from your OS vendor.
  • Update the CPU microcode. Additional microcode is needed for your CPU to be able to expose the new MSRs that are used by the patched Guest OS. This microcode should be available from your hardware platform vendor.

Every VM must be fully powered off and powered on again (a guest reboot or a VM reset is not enough!) in order to activate the hypervisor-assisted protection.
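The checklist above (host patch, microcode, Hardware Version 9 or higher, guest OS patch, full power cycle) is easy to get wrong across a large inventory. The following added example is not VMware code: it is an offline helper that classifies VM records shaped like the vSphere API fields `config.version` and `runtime.powerState` (the `powerCycledAfterPatch` field is an assumed tracking flag you maintain yourself), and checks a Linux guest's `/proc/cpuinfo` flags line for the `spec_ctrl` and `ibpb` flags a patched guest shows once the host exposes the new MSRs (flag names are an assumption about current Linux kernels).

```python
"""Offline helper for the Hypervisor-Assisted Guest Remediation checklist.

Constructed example, not VMware code. VM records mimic the vSphere API fields
config.version ("vmx-NN") and runtime.powerState; the powerCycledAfterPatch
field is an assumed bookkeeping flag, and the cpuinfo text is constructed.
"""
import re

MIN_HW_VERSION = 9           # mandatory per VMSA-2018-0004.2
RECOMMENDED_HW_VERSION = 11  # recommended for performance
# Linux /proc/cpuinfo flags a patched guest shows once the new MSRs are
# exposed to it (assumed flag names).
GUEST_FLAGS = {"spec_ctrl", "ibpb"}


def hw_version_number(version_string):
    """Turn 'vmx-08' / 'vmx-13' into an int; reject unexpected input."""
    m = re.fullmatch(r"vmx-(\d+)", version_string)
    if not m:
        raise ValueError("unexpected hardware version: %r" % version_string)
    return int(m.group(1))


def remediation_plan(vm):
    """Return the list of actions still needed for one VM record."""
    actions = []
    hw = hw_version_number(vm["config.version"])
    if hw < MIN_HW_VERSION:
        actions.append("upgrade hardware version to at least %d" % MIN_HW_VERSION)
    elif hw < RECOMMENDED_HW_VERSION:
        actions.append("consider hardware version %d for performance" % RECOMMENDED_HW_VERSION)
    # A guest reboot or VM reset is not enough: the guest only sees the new
    # CPU features after a full power off / power on.
    if vm["runtime.powerState"] == "poweredOn" and not vm.get("powerCycledAfterPatch", False):
        actions.append("power off and power on (reboot/reset is not enough)")
    return actions


def guest_sees_spec_ctrl(cpuinfo_text):
    """Check a Linux guest's /proc/cpuinfo 'flags' line for the new controls."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return GUEST_FLAGS.issubset(flags)
    return False


# Constructed inventory for demonstration.
INVENTORY = [
    {"name": "web01", "config.version": "vmx-08", "runtime.powerState": "poweredOn"},
    {"name": "db01", "config.version": "vmx-10", "runtime.powerState": "poweredOn", "powerCycledAfterPatch": True},
    {"name": "app01", "config.version": "vmx-13", "runtime.powerState": "poweredOff"},
]

if __name__ == "__main__":
    for vm in INVENTORY:
        print(vm["name"], remediation_plan(vm) or ["no action needed"])
```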

Note that at present there isn’t yet a specific patch for several other VMware virtual appliances (such as vSphere Replication or NSX Manager); potentially no specific patch is needed, but the best course is to stay tuned for future comments or news. The new VMware KB 52264 partly answers this question.

Note that all affected appliances must be patched, then powered off (a VM reboot is not enough) and powered on again.

As of January 12, VMware considers the following virtual appliances affected:

  • VMware Identity Manager (see KB 52284)
  • VMware vCenter Server (for 6.5 see KB 52312, for v6.0 see KB 52312)
  • VMware vSphere Integrated Containers (use v 1.3.1)
  • VMware vRealize Automation
  • vCloud Usage Meter (UM)
  • vSphere Data Protection (VDP)

The following virtual appliances are not affected, provided the underlying hypervisor(s) have been patched to remediate CVE-2017-5753 and CVE-2017-5715:

  • vCloud Availability for vCloud Director
  • VMware Horizon DaaS Platform
  • VMware Integrated OpenStack
  • VMware Mirage
  • VMware NSX for vSphere
  • VMware Skyline Appliance
  • VMware Unified Access Gateway
  • VMware vCenter Server 5.5
  • VMware vRealize Log Insight
  • VMware vRealize Network Insight
  • VMware vRealize Operations
  • VMware vRealize Orchestrator
  • VMware vSphere Replication
  • VMware Workspace Portal

Finally, VMware’s own OS must also be considered: Photon OS has begun releasing fixes, documented in the Photon OS Security Advisories (PHSA-2018-1.0-0097).

For the public cloud services, the remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017. Other cloud providers must do the same for the services they offer based on the VMware hypervisor (or on their own hypervisors). More information is available at https://status.vmware-services.io

Other SaaS solutions like Air-watch, VMware Horizon Cloud, VMware Identity Manager SaaS have also been updated.

Performance impact

At present it is difficult to define what the performance impact will be, since it depends on the workload. One of the first to measure it was Red Hat, with values around 5%-20%.

At this time VMware does not provide any numbers, but some people in the community have started to measure it. VMware has also recently started some benchmarks, and data will be published soon; stay tuned on VMware KB 52337.

For example see this blog post: VMware Performance Impact of Meltdown and Spectre Patches

But it’s still too early to draw a solid conclusion. At this time it seems that the performance impact on VMware is quite noticeable, but it is early to confirm this; let’s wait for VMware’s data.

See also

This is a story in rapid evolution, so be sure to read the latest VMware information, because some of it may change day by day.

Author: Andrea Mauro
