How to Fix Spectre and Meltdown in VMware vSphere
Update for Spectre and Meltdown protection in VMware vSphere
Spectre and Meltdown are security vulnerabilities that are now familiar to the VMware community. We blogged about them when they appeared and have also provided updates when VMware updated their patches. It has almost been two months since the last patch update and VMware has released another update. So the saga continues. Intel has recently announced that not all CPU will be fixed by the microcode updates and it's now clear the older CPUs will stay unprotected. Also, it was reported over 130 malware samples which contain the code that exploits the Meltdown security vulnerability.
Demystifying the threat for vSphere
Let's summarize briefly what the security threats are and their associated risks (April 2018):
|What is the threat?||What is threatened?|
|Operating Systems can be compromised and malware can steal data from the memory of other applications.||Any operating system running on CPU from Intel, ARM and some AMD.|
Data Center servers running hypervisors allow malware processes to steal data from another process running on that server.
Malware can access sensitive data from other processes such as passwords, login ID tokens, etc.
Cross-Virtual Machine breach is possible within VMware vSphere ESXi
Data centers which are using real hardware virtualization (including ESXi hosts) without necessary VMware patches and Intel CPU microcode patch applied.
Data center servers hosting containers with a shared Kernel (e.g. Docker) without proper patches applied.
Protecting against Spectre and Meltdown in VMware vSphere
In order to properly block malware attacks on VMware vSphere ESXi and underlying VM operating systems, it is necessary to treat the data center as the whole system, and to protect multiple layers of the IT infrastructure stack:
It is most important to detect these vulnerabilities and identify the specific points of exposure throughout your data center stack. Runecast Analyzer automatically scans your configuration in seconds to determine where you are exposed. It identifies all objects (including affected ESXi hosts, VMs, vCenter instances) that are vulnerable and at risk.
Once you have the report of your vulnerabilities throughout the stack, it is time to fix them. This is done systematically from the management layer through to the host, VM, and guest OS layers.
Runecast Analyzer guides you through the remediation process by providing the most up-to-date information directly from the VMware Knowledge Base. It also shows you which patches you need, and provides the links from where you should retrieve them.
Throughout the remediation process Runecast Analyzer provides the functionality to automatically scan your environment and verifies that you have correctly applied the necessary patching and reconfiguration. When you have finished, you can confirm success with an automated clean scan against the Spectre and Meltdown vulnerabilities to ensure protection against these threats.
Once protected, is there a performance impact?
When Intel released the first patches for Spectre and Meltdown this resulted in noticeable performance slow-down for certain server applications (like database operations). The latest report from VMware says there is up to a 2% CPU performance degradation associated with Meltdown and Spectre patches for virtualized systems. Performance slow-down can be mitigated by upgrading Virtual Hardware to at least v9 (ideally to v11+). Runecast Analyzer will automatically identify affected VMs and give you the knowledge to improve them.
We have just presented a webcast specifically on this subject to address the Spectre and Meltdown threats. It guides you to identify, fix, and verify the successful protection of your specific environment using automation and the very latest knowledge available from VMware.
April 10, 2018
See how many KBs are applicable in your environment