Reading Time: 5 minutes

Meltdown and Spectre are critical vulnerabilities existing in several modern CPU: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, server and several cloud services.

Actually, the only way to minimize those security risks is to patch your operating systems and the hypervisor level (if you are using virtual machines).

For Nutanix systems, you need both a patch for the CVM (the VM that runs the storage controller on each node) AND the hypervisor layer.

More details are provided by Nutanix Security Advisory #07 (Side-Channel Speculative Execution Vulnerabilities) released on Jan, 4th 2018 and updated weekly

Nutanix offers you the ability to utilize a hypervisor of your choosing, and as such one must consult with the vendor of choice. Please refer to the tables in the Affected Products section for links and information on patching either AHV, VMware ESXi, Citrix XenServer or Microsoft Hyper-V on your Nutanix cluster.

UVMs require updates available from the specific general-purpose operating system vendor in use. A list of all possible operating system vendors and their documentation on these vulnerabilities is beyond the scope of this advisory. Once the hypervisor and UVM GPOS patches are applied one must power-cycle the UVM to ensure the proper CPU microcode updates are applied and passed through to the UVM.

Virtual appliances, unlike a general-purpose system, are more purpose-built virtual machines with a tighter controlled set of applications and executed code. In many cases, these types of virtual machines do not run unknown userspace code. Please consult with the vendor specific to the virtual appliance in question for more information.

Affected Products:
Nutanix has confirmed which products and/or versions are affected by this vulnerability. Please check the Nutanix Support Portal for the latest update.

OpenStack

Product Fix Release
AHV The AHV fix for AOS versions 5.0.x and 5.1.x is applied to AHV version
20160925.103 and will be bundled in AOS version 5.0.5 and 5.1.4.
The AHV fix for AOS version 5.5.x is applied to AHV version 20170830.85 and
will be bundled with upcoming AOS version 5.5.1 and 5.5.0.4.
Standalone versions of AHV 20160925.103 and 20170830.85 are no longer
available for manual remediation. Customers wanting to consume these
versions must do so by way of AOS upgrade only at this time.
Please refer KB#5104 for more information about the AHV patches and
configuration options.
AOS Under investigation. Next update will be on Wednesday, January 31th.
AFS Under investigation. Next update will be on Wednesday, January 31th.
Prism Central Under investigation. Next update will be on Wednesday, January 31th.
X-Ray Under investigation. Next update will be on Wednesday, January 31th.
Foundation Standalone Under investigation. Next update will be on Wednesday, January 31th.
OpenStack Under investigation. Next update will be on Wednesday, January 31th.
Xtract Under investigation. Next update will be on Wednesday, January 31th.

From a remote or local exploit perspective, Nutanix have not identified an exploitable attack vector for these products. However, from a microcode and kernel perspective the focus will be on due diligence and defense in
depth. Substantial impacts are felt from these updates, and Nutanix Security and Engineering teams will continue to leverage our Security Development Lifecycle (SecDL) process to ensure the lowest threat posture for Nutanix customers.

Hardware appliances:

A microcode is needed also at the hardware level, in this case depending on the hardware and the hypervisor type.

Hardware platform Hypervisor platform CPU Microcode
All Nutanix AHV CPU microcode update via AHV upgrade. However,
IBRS functionality is being disabled until more stable
microcode can be provided. Refer to document
below for more details:
https://portal.nutanix.com/kb/5104
All VMware ESXi VMware provide a basic microcode but is not recommended on some CPU models. Check this blog post.
If there is a specific hardware vendor upgrade, this can be applied (for example for G13 and G14 Dell XC appliances).
NX G3, G4, G5, G6
(Supermicro)
Hyper-V or XenApp Currently the only option is a BIOS update. The
availability of BIOS versions with stable CPU
microcode updates for NX models is under evaluation
and contingent upon updated microcode from Intel.
Non-NX
(Dell, Lenovo, Others)
Hyper-V or XenApp Please contact your hardware vendor for guidance.


Third-Party Products:

Depending by the hypervisor you need also specific path:

Third Party Product Fix Release
VMware ESXi version 5.5
VMware ESXi version 6.0
VMware ESXi version 6.5
See guidance available in the following post.
Microsoft Hyper-V (All Supported Versions) See guidance available in this Microsoft Article.
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Citrix XenServer (All Supported Versions) See guidance available in the following Citrix article.
https://support.citrix.com/article/CTX231390

For the third party products, the best way is to check the specific vendor information. Also remember all the guest OS, check that they are updated and the protections are visible inside them.

Share