ESXi 6.5 Meltdown and Spectre mitigation

I have a Dell PowerEdge R620 that is running some Windows Server guests (hypervisor is ESXi 6.5 build 7388607). I was under the impression that the combination of the hypervisor build and the latest BIOS would take care of it, but running some scripts from GitHub on the hypervisor and the SpeculationControlSettings report on the guests would lead me to believe there is still some work to do. Both report the vulnerabilities still exist.

When upgrading the hypervisor I used the command line "esxcli software vib update path\esxi650-20171201.zip" to get to the build number listed above. Can any experts out there give me an idea of what I could be overlooking?
IKtechAsked:

IndyrbCommented:
Depends on the PowerEdge.

There is both a BIOS revision update, like the R730 2.7.1 (not sure if the R620 has a new revision or not); next is the ESXi/VMware cpu-microcode update.
Also, did you download the update from Dell or VMware? Dell has some of the PowerEdge VIBs.
0
IKtechAuthor Commented:
Downloaded from VMware. I downloaded an ISO from Dell yesterday for 6.5.0 U1 and tried to update using the disk, but I got stuck in the GUI when it barked about ghettoVCB backups... When I did this from the command line I had to use the -force switch. Maybe I can get a .zip from Dell and try from the command line again. Do you think that would get the microcode update?

ESXi/VMware cpu-microcode update sounds like the missing piece...
0
IndyrbCommented:
You can download from Dell, choose "other format" and select .zip.
0
IndyrbCommented:
Could even use Update Manager:
Add Dell depot
Add image to baseline
0
IKtechAuthor Commented:
This is on a free ESXi hypervisor (no vCenter Server). I suppose I'll have to try my luck with the .zip from Dell and from the command line.

Would you go with esxcli software vib update or esxcli software vib install?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Your issue is because you've got foreign VIBs installed!!!

Before you get excited patching, have you checked the level of risk, whether this affects you?

You will also need BIOS 2.6.1!

and beware of warnings if it slows down your servers!

Patching is simple....

Enter maintenance mode, which means VMs OFF, or moved to another host.

If your ESXi server has internet access, from SSH or the console type:

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile update -p ESXi-6.5.0-20171204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli network firewall ruleset set -e false -r httpClient

Wait; it will download and apply the patch from the internet, and then reboot the server!
0
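The "foreign VIBs" point above can be checked before patching. The script below is an added example, not part of the thread or of VMware's tooling: it parses the output of `esxcli software vib list` (the sample rows, vendor strings and dates here are constructed, not taken from the asker's host) and reports any VIB that is not VMware's own or that is only CommunitySupported, which is what makes an image-profile update refuse to run without --force.

```shell
#!/bin/sh
# Constructed sample of `esxcli software vib list` output (not from a real host).
# Columns: Name, Version, Vendor, Acceptance Level, Install Date.
SAMPLE_VIB_LIST='Name                    Version                 Vendor           Acceptance Level    Install Date
----------------------  ----------------------  ---------------  ------------------  ------------
cpu-microcode           6.5.0-1.33.7388607      VMW              VMwareCertified     2018-01-10
esx-base                6.5.0-1.33.7388607      VMware           VMwareCertified     2018-01-10
dell-configuration-vib  6.5-2A01                DEL              PartnerSupported    2017-11-02
ghettoVCB               1.0.0-0.0.0             virtuallyGhetto  CommunitySupported  2017-06-15'

# foreign_vibs LISTING
# Prints "name vendor level" for every VIB whose vendor is not VMware's own
# (VMW or VMware) or whose acceptance level is CommunitySupported.
# The first two lines of the listing (header and dashes) are skipped.
foreign_vibs() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 4 {
        vendor = $3; level = $4
        if ((vendor != "VMW" && vendor != "VMware") || level == "CommunitySupported")
            printf "%s %s %s\n", $1, vendor, level
    }'
}

# host_is_clean LISTING
# Returns 0 when no foreign VIBs are present, 1 otherwise, so a patch script
# can stop before running `esxcli software profile update` on a host that
# would need --force (and would then silently keep the third-party VIBs).
host_is_clean() {
    [ -z "$(foreign_vibs "$1")" ]
}

# On an ESXi host, feed the live listing; elsewhere fall back to the sample.
if command -v esxcli >/dev/null 2>&1; then
    LISTING="$(esxcli software vib list)"
else
    LISTING="$SAMPLE_VIB_LIST"
fi
if host_is_clean "$LISTING"; then
    echo "No foreign VIBs found; profile update should not need --force."
else
    echo "Foreign VIBs present (remove or re-add from the vendor depot before patching):"
    foreign_vibs "$LISTING"
fi
```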
IKtechAuthor Commented:
I've got the 2.6.1 BIOS installed... I've also got the recommended build from VMware. Will the update process you recommend be different than downloading the zip file I mentioned and using the "esxcli software vib update path\esxi650-20171201.zip" command from SSH?

I'm under the impression that if you have an Intel chip that is known to have these vulnerabilities, you are at risk...

Thoughts?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
The commands above are quicker because it downloads from the internet and patches!

So no need to download, and then upload to host via SCP, and then apply...

I'm under the impression that if you have an Intel chip that is known to have these vulnerabilities, you are at risk...

Have you read what the vulnerabilities are?

Let's just say there are many clients and hosting companies out there, and at present they have no BIOS for their servers yet!!!
0