IKtech
asked on
ESXi 6.5 Meltdown and Spectre mitigation
I have a Dell PowerEdge R620 that is running some Windows Server guests (hypervisor is ESXi 6.5 build 7388607). I was under the impression that the combination of the hypervisor build and the latest BIOS would take care of it, but running some scripts from GitHub on the hypervisor and the SpeculationControlSettings report on the guests would lead me to believe there is still some work to do. Both report the vulnerabilities still exist.
When upgrading the hypervisor I used the command line "esxcli software vib update path\esxi650-20171201.zip" to get to the build number listed above. Can any experts out there give me an idea of what I could be overlooking?
ASKER
Downloaded from VMware. I downloaded an ISO from Dell yesterday for 6.5.0 U1 and tried to update using the disk, but I got stuck in the GUI when it barked about ghettoVCB backups... When I did this from the command line I had to use the -force switch. Maybe I can get a .zip from Dell and try from the command line again. Do you think that would get the microcode update?
ESXi/VMware CPU-microcode update sounds like the missing piece...
You can download from Dell, choose other format and select .zip
Could even use Update Manager
Add Dell depot
Add image to baseline
ASKER
This is on a free ESXi hypervisor (no vCenter Server). I suppose I'll have to try my luck with the .zip from Dell and from the command line.
Would you go with esxcli software vib update or esxcli software vib install?
Your issue is because you've got foreign VIBs installed!!!
Before you get excited about patching, have you checked the level of risk, and if this affects you?
You will also need BIOS 2.6.1!
And beware of warnings that it slows down your servers!
Patching is simple....
Enter maintenance mode, which means VMs OFF, or moved to another host.
If your ESXi server has internet access, from SSH or console type:
esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile update -p ESXi-6.5.0-20171204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli network firewall ruleset set -e false -r httpClient
Wait, it will download and apply patch from internet, and then reboot server!
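Added example, not part of the original thread: the "foreign VIBs" mentioned above can be listed before patching by reading the Acceptance Level column of "esxcli software vib list". The function names, the sample table and the choice to review anything ranked below VMwareAccepted are assumptions made for this example.

```shell
# Added example: flag VIBs below a chosen acceptance level, reading the
# table printed by `esxcli software vib list` on stdin, e.g. on a host:
#   esxcli software vib list | low_trust_vibs
# Constructed sample table, not output from the asker's host. Versions,
# dates and every name except ghettoVCB are placeholders.
sample_vib_list() {
cat <<'EOF'
Name             Version        Vendor           Acceptance Level    Install Date
---------------  -------------  ---------------  ------------------  ------------
example-base     0.0.0-sample1  VMware           VMwareCertified     2018-01-01
example-driver   0.0.0-sample2  Example Partner  PartnerSupported    2018-01-01
ghettoVCB        0.0.0-sample3  virtuallyGhetto  CommunitySupported  2018-01-01
EOF
}

# low_trust_vibs [FLOOR]: print name, vendor and level (tab-separated) of
# each VIB whose acceptance level ranks below FLOOR (default VMwareAccepted).
low_trust_vibs() {
  floor="${1:-VMwareAccepted}"
  case "$floor" in
    CommunitySupported|PartnerSupported|VMwareAccepted|VMwareCertified) ;;
    *) echo "unknown acceptance level: $floor" >&2; return 2 ;;
  esac
  awk -v floor="$floor" '
    function trim(s) { gsub(/^ +| +$/, "", s); return s }
    BEGIN { rank["CommunitySupported"] = 0; rank["PartnerSupported"] = 1
            rank["VMwareAccepted"] = 2;     rank["VMwareCertified"] = 3 }
    NR == 1 { next }                 # column titles
    NR == 2 {                        # dash ruler gives each column start
      line = $0; pos = 1
      while (match(line, /-+/)) {
        start[++n] = pos + RSTART - 1
        pos += RSTART + RLENGTH - 1
        line = substr(line, RSTART + RLENGTH)
      }
      next
    }
    NF == 0 { next }
    {                                # assumed order: Name, Version, Vendor, Level, Date
      name   = trim(substr($0, start[1], start[2] - start[1]))
      vendor = trim(substr($0, start[3], start[4] - start[3]))
      level  = trim(substr($0, start[4], start[5] - start[4]))
      # Unrecognised levels are reported too, so nothing slips through.
      if (!(level in rank) || rank[level] < rank[floor])
        printf "%s\t%s\t%s\n", name, vendor, level
    }
  '
}
```

Column offsets are taken from the dash ruler rather than by splitting on whitespace, so a vendor name containing a space is still read as one field.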
ASKER
I've got 2.6.1 BIOS installed... I've also got the recommended build from VMware. Will the update process you recommend be different than downloading the zip file I mentioned and using the "esxcli software vib update path\esxi650-20171201.zip" command from SSH?
I'm under the impression that if you have an Intel chip that is known to have these vulnerabilities, you are at risk...
Thoughts?
There is both a BIOS revision update, like the R730 2.7.1 (not sure if the R620 has a new revision or not); next is the ESXi/VMware CPU-microcode update.
Also, did you download the update from Dell or VMware, as Dell has some of the PowerEdge VIBs?