VMware vSphere also affected by multiple vulnerabilities since its uses Intel/AMD platforms. VMware vSphere has multiple layers of virtualization and sadly, you should apply/update the patches for all the components which includes Operating systems, virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode. Operating system patches can reduce the risk with help of hypervisor patches without updating the server firmware (CPU microcode update) but it would be more secure if you update the hardware firmware as along with Hypervisor update and VM guest patching (Linux/Windows).
Would you like to know more about Meltdown & Spectre? Check out here.
Here is the list of three discovered Meltdown and Spectre variants:
- Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
- Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
- Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
VMware classifies the mitigation in the below listed category.
- Hypervisor-Specific Mitigation
- Hypervisor-Assisted Guest Mitigation
- Operating System-Specific Mitigations
You must know about all the three different type mitigation before applying the patches since it could lead to performance issues.
Hypervisor-Specific Mitigation:
VMware Hypervisor is affected by Spectre – variant 1 & Variant 2. Meltdown doesn’t affect VMware vShpere hypervisor but guest require patches for both Spectre & Meltdown Vulnerabilities.
Hypervisor-Assisted Guest Mitigation
It virtualizes the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM. This mitigation requires that specific microcode patches that provide the mechanism are already applied to a system’s processor(s) either by ESXi or by a firmware/BIOS update from the system vendor.
Operating System-Specific Mitigation:
Mitigation for Operating Systems are provided by respective OS Vendors. If you have virtual appliances, virtual appliance vendor will need to integrate these into their appliances and provide an updated appliance.
VMware Products which are affected by Spectre:
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware vCenter Server (VC)
Hypervisor-Specific Mitigation:
VMware Product | Product Version | Apply Patch | Mitigation/ Workaround |
ESXi | 6.5 | ESXi650-201712101-SG | None |
ESXi | 6 | ESXi600-201711101-SG | None |
ESXi | 5.5 | ESXi550-201709101-SG* | None |
Workstation | 14 | Not Affected | None |
Workstation | 12 | 12.5.8 | None |
Fusion | 10x | Not Affected | None |
Fusion | 8x | 8.5.9 | None |
* This patch mitigates CVE-2017-5715 but not CVE-2017-5753.
Hypervisor-Assisted Guest Remediation:
(Not Recommended by VMware due to microcode issue. )
To remediate CVE-2017-5715 in the Guest OS, the following VMware and third-party requirements must be met:
VMware Requirements
- Deploy the updated version of vCenter Server listed in the table (if vCenter Server is used).
- Deploy the ESXi patches and/or the new versions for Workstation or Fusion listed in the table.
- Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended. VMware Knowledge Base article 1010675 discusses Hardware Versions.
Third party Requirements
- Deploy the Guest OS patches for CVE-2017-5715. These patches are to be obtained from your OS vendor.
- Update the CPU microcode. Additional microcode is needed for your CPU to be able to expose the new MSRs that are used by the patched Guest OS. This microcode should be available from your hardware platform vendor.
VMware is providing several versions of the required microcode from Intel and AMD through ESXi patches listed in the table. See VMware Knowledge Base 52085 for more details.
VMware Product | Product Version | Apply Patch | Mitigation/ Workaround |
vCenter | 6.5 | 6.5 U1e* | None |
vCenter | 6 | 6.0 U3d* | None |
vCenter | 5.5 | 5.5 U3g* | None |
ESXi | 6.5 | ESXi650-201801401-BGESXi650-201801402-BG** | None |
ESXi | 6 | ESXi600-201801401-BG ESXi600-201801402-BG** | None |
ESXi | 5.5 | ESXi550-201801401-BG** | None |
“Intel has notified VMware of recent sightings that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel Haswell and Broadwell processors. The issue can occur when the speculative execution control is actually used within a virtual machine by a patched OS. At this point, it has been recommended that VMware remove exposure of the speculative-execution mechanism to virtual machines on ESXi hosts using the affected Intel processors until Intel provides new microcode at a later date.”
Read more about the VMware KB article.
Affected VMware Virtual Appliances : (VMware KB)
- VMware Identity Manager (Workaround KB 52284)
- VMware vCenter Server 6.5 (Workaround KB 52312)
- VMware vCenter Server 6.0 (Workaround KB 52312)
- VMware vSphere Integrated Containers
- VMware vRealize Automation
Unaffected Virtual Appliances : (VMware KB)
- vCloud Availability for vCloud Director
- VMware Horizon DaaS Platform
- VMware Integrated OpenStack
- VMware Mirage
- VMware NSX for vSphere
- VMware NSX-T
- VMware Skyline Appliance
- VMware Unified Access Gateway
- VMware vCenter Server 5.5
- VMware vRealize Log Insight
- VMware vRealize Network Insight
- VMware vRealize Operations
- VMware vRealize Orchestrator
- VMware vSphere Replication
- VMware Workspace Portal
Performance issue:
VMware is closely working with performance team to evaluate the patch testing to check performance costs of the Meltdown/Spectre mitigation for vSphere. Please check this VMware KB article on regular basis to know more on this.
George Perkins says
No mention of the impact on vMotion compatibilty checks when migration a VM from patched to unpatched or vice-versa. There are known problems, but I am having trouble finding a definitive best practice description to mitigate how the Spectre/Meltdown patch breaks EVC in vSphere clusters. Can you recommend KBs or blogs?