Bytes of virtualization with bits of other technology.

Category: VMware (page 1 of 9)

Spectre/Meltdown Vulnerability – How to Patch VMware vCenter 6.5

As per Security Advisory VMSA-2018-0007, VMware has begun releasing virtual appliance updates to address side-channel analysis vulnerabilities arising from speculative execution. One of the first virtual appliances VMware has patched is vCenter 6.5. The latest release, vCenter 6.5U1f, patches the VCSA’s Photon OS to address the Spectre-1 (CVE-2017-5753) and Meltdown (CVE-2017-5754) vulnerabilities. Mitigations for Spectre-2 (CVE-2017-5715) are absent from this release: the Spectre-1 and Meltdown mitigations were ready to ship, whereas the Spectre-2 mitigation is still being prepared.

  • Spectre-1: Bounds Check Bypass (CVE-2017-5753) – Patch 6.5U1f
  • Spectre-2: Branch Target Injection (CVE-2017-5715) – Patch Pending
  • Meltdown: Rogue Data Cache Load (CVE-2017-5754) – Patch 6.5U1f

Patch VMware vCenter Appliance from VAMI

For this example, we utilize URL patching to update vCenter 6.5 to 6.5U1f from the vCenter Server Appliance Management Interface. URL patching will go out to the VMware Repository, check for updates, and patch the VCSA to the latest version.

To begin, log into the vCenter Server Appliance Management Interface at https://vcsaIP:5480. From the Navigator, select Update. Under the Check Updates drop-down, select Check Repository.


Spectre Vulnerability – How to Patch VMware ESXi

Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the affected machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits; to what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.

As per the initial VMware Security Advisory, the specified patches should be applied for remediation. Remember, these patches remediate known issues. Watch for additional patches, as exploits may continue to surface. If you need to patch your ESXi hosts per the advisory, you can do so through VMware Update Manager (VUM).

Update – VMware has removed patches to address Hypervisor-Assisted Guest Mitigation (VMSA-2018-04).

As a recap, patches have been released to address Hypervisor-Specific Remediation (VMSA-2018-02) and Hypervisor-Assisted Guest Remediation (VMSA-2018-04). For more detail, check out this VMware KB detailing these responses.

VMware Patch Numbers for ESXi Versions (VMSA-2018-02):

  • ESXi 6.5 – ESXi650-201712101-SG
  • ESXi 6.0 – ESXi600-201711101-SG
  • ESXi 5.5 – ESXi550-201709101-SG
    • This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753

VMware Patch Numbers for ESXi Versions (VMSA-2018-04):

  • ESXi 6.5 – ESXi650-201801401-BG, ESXi650-201801402-BG
  • ESXi 6.0 – ESXi600-201801401-BG, ESXi600-201801402-BG
  • ESXi 5.5 – ESXi550-201801401-BG

For this example, we will be patching VMware ESXi 6.5 with patch ESXi650-201712101-SG. Additional patches can be applied in the same manner. Read the release notes or security advisories before patching, as other components may need to be patched first.


Downgrade VMware VM Hardware Version

A few weeks back, we discussed how to downgrade ESXi versions. These downgrades or rollbacks often bring compatibility issues into play. One such issue is the compatibility between the ESXi version and the virtual machine hardware version. If a virtual machine with a higher hardware version resides on an unsupported (lower) ESXi version, you will receive an error and will not be able to start the machine. The error will state: “This virtual machine uses hardware version x, which is no longer supported. Upgrade is recommended.”

Hardware Version Unsupported

To address such issues, VMware supports three ways of downgrading virtual machine hardware.

  • Revert to a pre-upgrade snapshot.
  • Convert the virtual machine with VMware vCenter Converter Standalone and specify the appropriate destination hardware version.
  • Create a new VM with a compatible hardware version and attach existing disks.

In this post, we will use the last of these options (creating a new VM and attaching the existing disks); specifically, downgrading virtual machine hardware version 13 to 11.


How to Downgrade/Roll Back ESXi 6.5

Occasionally, an issue or bug will require admins to revert to a previous build or version of ESXi. If you patched your hosts (as opposed to performing fresh installs), it is possible to roll back to the previously installed version via the GUI. Rollbacks should not be taken lightly. If you are reverting in a production environment, discuss options with support first.

A few housekeeping items before we jump into the rollback process.

Compatibility – If you are leveraging new features introduced in vSphere 6.5, ensure you check compatibility against vSphere 6.0. Two main features to be cognizant of when reverting from 6.5 to 6.0 are VMFS and virtual machine hardware versions.

  • VMFS 6: VMFS 6 was introduced with vSphere 6.5, whereas vSphere 6.0 utilized VMFS 5. If you created a VMFS 6 datastore on ESXi 6.5, you will not be able to access that datastore after rollback.
  • VM Hardware Version: vSphere 6.5 also introduced version 13 virtual machine hardware. Version 13 hardware is not compatible with ESXi 6.0; version 11 or lower is compatible. However, there are a few supported options for downgrading virtual machine hardware versions.

Back Up Host Configuration – Before making any changes, back up the ESXi Configuration.


Install Nested ESXi 6.5 on Ravello

Recently, I had the opportunity to test a nested lab deployment on Oracle’s Ravello Cloud Service. If you are unfamiliar with Oracle’s Ravello offering, it enables you to deploy your VMware or KVM workloads on Oracle Public Cloud, AWS, or Google Cloud. Ravello seamlessly runs your environment on top of their own nested hypervisor, HVX. HVX, in turn, is run on resources provisioned by Oracle, AWS, or Google Cloud. Utilizing Ravello’s HVX hypervisor allows the underlying cloud infrastructure to behave like your traditional datacenter; thus, enabling you to run your VMware workloads without modification.

Due to the additional layers of abstraction, nested environments are prone to performance bottlenecks compared to bare metal offerings like VMware Cloud on AWS. To address this issue, Oracle recently announced the ability to run HVX on top of bare metal servers with the Oracle Cloud Infrastructure (OCI), thereby eliminating a layer of abstraction.

Ravello on OCI or AWS/Google Cloud

Depending on the cloud region used for deployment, one of three nested virtualization approaches is used for running your workload: software-assisted, hardware-assisted, and direct on bare metal.

Software-assisted nested virtualization is Ravello’s traditional approach to running workloads on AWS or Google Cloud. In these instances, the underlying hardware virtualization extensions are not typically exposed to Ravello. Therefore, HVX uses binary translation with direct execution to run workloads.

Hardware-assisted nested virtualization leverages exposed virtualization extensions on the underlying cloud hardware. Running on Oracle’s Cloud Infrastructure (OCI), HVX has complete access to these hardware extensions, which increases performance over software-assisted nested virtualization.

Oracle Cloud Infrastructure (OCI) also supports the ability to run directly on bare metal servers. This results in increased performance as there is no need for any additional software or hardware translations.

Regardless of region or performance, Ravello supports a variety of use cases for your workloads, including development, testing, sales demos, POCs, and even VCAP lab preparation.

In this post, we are going to install VMware ESXi 6.5 on Ravello’s Cloud Service for testing purposes. The ability to run additional hypervisors (Nested²) such as VMware ESXi, KVM, or Hyper-V is beneficial in testing or lab prep scenarios.



© 2018 VirtuBytes
