Spectre NG (CVE-2018-3639 and CVE-2018-3640)

A short wrap-up of the latest Intel security vulnerabilities for VMware administrators:

Once again we have to patch the whole stack:

  1. Update vCenter
  2. CPU Microcode (BIOS Update)
  3. VMware ESXi Hypervisor Patch
  4. Check if the new CPU flags are mapped to a new VM
  5. All VMs: shut down and start again (a guest reboot is not enough, the VM needs a power cycle to pick up the new CPU flags!)
  6. Update Guest OS

Get some hints about EVC Mode and how to verify the complete stack …

EVC-Mode

In my environment with:

  • vCenter 6.5 U2b
  • ESXi 6.5 U2 +
    • ESXi650-201806401-BG
    • ESXi650-201806402-BG

My mixed Dell clusters with R740 + R730 hosts (EVC Mode Intel® ‘Broadwell’ Generation) didn’t bring the new CPU flag “cpuid.SSBD” to a new VM. I had to disable and re-enable the EVC Mode; after that step it worked. According to VMware KB 5111, EVC should map the flags automatically in a completely patched cluster.

How to verify?
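As an added example that is not part of the original post, a POSIX shell check to run inside a Linux guest: it confirms that the ssbd flag (the guest-visible result of cpuid.SSBD being mapped to the VM, step 4) arrived, and that the guest kernel reports the Speculative Store Bypass mitigation (step 6). The function names and the sample files are constructed for this example; the two kernel paths are standard Linux interfaces.

```shell
#!/bin/sh
# Guest-side verification of the SSBD chain: microcode -> ESXi -> VM CPUID -> guest kernel.
# Both checks read Linux kernel interfaces; the paths are parameters so the same logic
# runs against the constructed sample files below and against a live guest.

# ssbd_flag_present CPUINFO -> exit 0 if the Intel 'ssbd' flag appears on a flags line
# (AMD guests expose amd_ssbd/virt_ssbd instead; this page is about Intel hosts).
ssbd_flag_present() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]ssbd([[:space:]]|$)' "$1" 2>/dev/null
}

# ssb_mitigation_state SYSFS -> prints mitigated | vulnerable | not-affected | unknown.
# "Mitigation:" means the guest kernel can apply SSBD (by default only to processes that
# ask for it via prctl/seccomp), i.e. the whole chain delivered the control to the guest.
ssb_mitigation_state() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi   # kernel too old to report SSB
    case "$(cat "$1")" in
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        *)               echo unknown ;;
    esac
}

# ssbd_verdict FLAG STATE -> OK | VM-NOT-PATCHED (fix microcode/ESXi/EVC, then power-cycle
# the VM) | GUEST-NOT-PATCHED (flag is there, update the guest kernel).
ssbd_verdict() {
    case "$2" in
        mitigated|not-affected) echo OK ;;
        *) if [ "$1" = no ]; then echo VM-NOT-PATCHED; else echo GUEST-NOT-PATCHED; fi ;;
    esac
}

# ssbd_report CPUINFO SYSFS -> prints one summary line; exit status 0 only when the verdict is OK.
ssbd_report() {
    if ssbd_flag_present "$1"; then flag=yes; else flag=no; fi
    state=$(ssb_mitigation_state "$2")
    verdict=$(ssbd_verdict "$flag" "$state")
    echo "flag=$flag state=$state verdict=$verdict"
    [ "$verdict" = OK ]
}

# Constructed sample files (not captured from a real guest) so the script runs offline.
demo=$(mktemp -d)
printf 'flags\t\t: fpu vme sse2 ibrs ibpb stibp ssbd\n' > "$demo/cpuinfo.patched"
printf 'flags\t\t: fpu vme sse2 ibrs ibpb stibp\n' > "$demo/cpuinfo.unpatched"
printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$demo/ssb.mitigated"
printf 'Vulnerable\n' > "$demo/ssb.vulnerable"
ssbd_report "$demo/cpuinfo.patched" "$demo/ssb.mitigated" || true    # flag=yes state=mitigated verdict=OK
ssbd_report "$demo/cpuinfo.unpatched" "$demo/ssb.vulnerable" || true # flag=no state=vulnerable verdict=VM-NOT-PATCHED
ssbd_report "$demo/cpuinfo.patched" "$demo/ssb.vulnerable" || true   # flag=yes state=vulnerable verdict=GUEST-NOT-PATCHED
rm -rf "$demo"
# Live check on this guest (Linux only; prints nothing elsewhere):
[ -r /proc/cpuinfo ] && ssbd_report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/spec_store_bypass || true
```

A non-zero exit status from the live call is the signal to look back at the patch list above before trusting the VM.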

Other Useful links:

VMware Security Advisories VMSA-2018-0012.1

VMware KB 54951

Stay secure 😉

One thought on “Spectre NG (CVE-2018-3639 and CVE-2018-3640)”

  1. With the latest vSphere patches released (https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html) last month (I think on 14th Aug), once the EVC cluster is completely patched, the new CPU bits will automatically be visible at cluster level.
    If you have still not upgraded to these new patches, the workarounds below are better than disabling and enabling the EVC cluster.

    Just refresh the EVC mode (disable/enable NOT required), i.e. navigate to the cluster; under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK. (No change to the current EVC mode or disabling it is required.)
    OR
    Once the last host inside the cluster is upgraded, move that host (or any host inside the cluster) out of the cluster and put it back into the cluster immediately; as part of this operation, EVC gets refreshed.
    I would prefer workaround #1.
