Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the affected machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits; to what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches, as exploits may continue to surface. If you need to patch your ESXi host per the advisory, you can do so through VMware Update Manager (VUM).
Update – VMware has removed patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-04).
As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-02) and Hypervisor-Assisted Guest Remediation (VMSA-2018-04). For more detail, check out this VMware KB detailing these responses.
VMware Patch Numbers for ESXi Versions (VMSA-2018-02):
- ESXi 6.5 – ESXi650-201712101-SG
- ESXi 6.0 – ESXi600-201711101-SG
- ESXi 5.5 – ESXi550-201709101-SG
  - This 5.5 patch only addresses CVE-2017-5715 (Spectre variant 2, branch target injection), not CVE-2017-5753 (Spectre variant 1, bounds check bypass)
VMware Patch Numbers for ESXi Versions (VMSA-2018-04):
- ESXi 6.5 – ESXi650-201801401-BG, ESXi650-201801402-BG
- ESXi 6.0 – ESXi600-201801401-BG, ESXi600-201801402-BG
- ESXi 5.5 – ESXi550-201801401-BG
For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes and security advisories before patching, as other components (for example vCenter) may need to be patched first.
Let’s begin! Log in to the vSphere web client and select the host or cluster for remediation. Locate the Update Manager tab and select Attach Baseline.
From the Patch Baselines, select Non-Critical and Critical Host Patches. Press OK.
Click Scan for Updates to verify compliance.
If patching is needed, the compliance status will come back as Non-Compliant.
In the non-compliant list, we can see our host is missing the ESXi650-201712101-SG patch.
Next, we will set the remediation options. Click Remediate to begin the process.
Select the patch baselines to remediate.
Select the host(s) for remediation.
Select the specific patch to apply.
In the Advanced Options section, we can schedule a specific remediation time and/or choose to ignore unsupported items.
Next, specify Host Remediation Options. Set power state options, disable removable media, and designate maintenance mode retries here.
Lastly, specify the Cluster Remediation Options. For hosts in a cluster, the remediation process runs in a sequential manner. If you prefer to run the remediation in parallel, indicate that here.
Review selections and click Finish to begin the remediation process.
Progress can be monitored in the Recent Tasks pane. Update Manager performs the following remediation items:
- Places the host in maintenance mode, migrating virtual machines to other hosts if applicable.
- Applies specified patch.
- Restarts host.
- Reconnects the host to vCenter.
- Exits host from maintenance mode.
- Remediates additional host(s) if appropriate.
Once the remediation is complete, the baseline shows compliant.
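Beyond the VUM compliance view, it is worth confirming from the host itself that the patch bulletin's VIBs are actually installed. The script below is an added example (not from the original post or from VMware): it parses the output of `esxcli software vib list` and checks that the esx-base VIB is at or above a required version. The listing and version numbers in it are constructed sample values; on a real host, take the required version from the bulletin's release notes or KB article.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a host's esx-base VIB
# is at or above the version a patch bulletin ships, using the output of
# `esxcli software vib list` (run in the ESXi shell or over SSH).
# The listing below is constructed sample output; the required version on a real
# host comes from the bulletin's release notes or KB article.

SAMPLE_VIB_LIST='Name       Version             Vendor  Acceptance Level  Install Date
---------  ------------------  ------  ----------------  ------------
esx-base   6.5.0-1.36.7388607  VMware  VMwareCertified   2018-01-05
esx-tboot  6.5.0-1.36.7388607  VMware  VMwareCertified   2018-01-05
vsan       6.5.0-1.36.7388608  VMware  VMwareCertified   2018-01-05'

# vib_version LISTING NAME -> prints the Version column for that VIB (empty if absent)
vib_version() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# version_ge A B -> exit 0 if version A >= version B, comparing each numeric
# field of the "6.5.0-1.36.7388607" form; missing trailing fields count as 0
version_ge() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# host_has_patch LISTING REQUIRED -> prints compliant / non-compliant / missing,
# exit 0 only when compliant (so it can gate a larger script)
host_has_patch() {
    have=$(vib_version "$1" esx-base)
    [ -n "$have" ] || { echo missing; return 1; }
    if version_ge "$have" "$2"; then echo compliant; return 0; fi
    echo "non-compliant ($have installed, $2 required)"; return 1
}

# On a real host: host_has_patch "$(esxcli software vib list)" "<version from release notes>"
host_has_patch "$SAMPLE_VIB_LIST" "6.5.0-1.36.7388607"
```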
From early reports, admins will want to patch Guest Operating Systems as well.