Categories
News Technical

How Meltdown and Spectre Impact VMware ESXi Guests

So the cat’s out of the bag and OS vendors have begun issuing patches to plug the latest in Security Vulnerabilities and Exposures made known to the public.

What is Meltdown and Spectre:

Meltdown and Spectre are exploits, operating against computer architecture that’s been designed into Intel chips. They are capable of accessing the protected areas of memory to potentially decode and read information which should normally be protected.  Information which may be considered sensitive data; such as passwords.

The vulnerability may also allow for the potential read of protected memory locations used by the device and applications (including browsers) that store information in the kernel memory, including potentially sensitive data.

 

 

But, I thought OS vendors are and have released patches for this?

For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority by VMware.  Remember sure the virtual CPU will be protected, however it sits onto of a hypervisor which is its own OS.

What to do?

In the recent VMware Security Advisory, the specified patches should be applied for remediation. Its strongly suggested that those using ESXi update as soon as possible.

VMware Patch Numbers for ESXi Versions:

ESXi 6.5 – ESXi650-201712101-SG
ESXi 6.0 – ESXi600-201711101-SG
ESXi 5.5 – ESXi550-201709101-SG

This 5.5 patch only addresses CVE-2017-5715, not CVE-2017-5753

 

Info Links:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

 

PSA: Don’t delay or skip patching your VMs just because you or your provider already patched the hypervisor. Otherwise you are still vulnerable to Meltdown & Spectre. If you cycle out your cloud instances periodically, make sure your machine images are patched.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.