IKtech

ESXi 6.5 Meltdown and Spectre mitigation

I have a Dell PowerEdge R620 that is running some Windows Server guests (hypervisor is ESXi 6.5 build 7388607). I was under the impression that the combination of the hypervisor build and the latest BIOS would take care of it, but running some scripts from GitHub on the hypervisor and the speculationcontrolsettings report on the guests would lead me to believe there is still some work to do. Both report the vulnerabilities still exist.

When upgrading the hypervisor I used command line "esxcli software vib update path\esxi650-20171201.zip" to get to the build number listed above.  Can any experts out there give me an idea of what I could be overlooking?
Indyrb

Depends on the PowerEdge.

There is both a BIOS revision update, like the R730 2.7.1 (not sure if the R620 has a new revision or not), and next is the ESXi/VMware cpu-microcode update.
Also, did you download the update from Dell or VMware? Dell has some of the PowerEdge VIBs.
IKtech

ASKER

Downloaded from VMware. I downloaded an ISO from Dell yesterday for 6.5.0 U1 and tried to update using the disk, but I got stuck in the GUI when it barked about ghettoVCB backups... When I did this from the command line I had to use the -force switch. Maybe I can get a .zip from Dell and try from the command line again. Do you think that would get the microcode update?

ESXi/VMware cpu-microcode update sounds like the missing piece...
You can download from Dell, choose other format, and select .zip.
Could even use Update Manager:
Add Dell depot
Add image to baseline
IKtech

ASKER

This is on a free ESXi hypervisor (no vCenter Server). I suppose I'll have to try my luck with the .zip from Dell and from the command line.

Would you go with esxcli software vib update or esxcli software vib install?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Your issue is because you've got foreign VIBs installed!!!

Before you get excited about patching, have you checked the level of risk, and whether this affects you?

You will also need BIOS 2.6.1!

and beware of warnings if it slows down your servers!

Patching is simple....

Enter maintenance mode, which means VMs OFF, or moved to another host.

If your ESXi server has internet access, from SSH or console type:

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile update -p ESXi-6.5.0-20171204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli network firewall ruleset set -e false -r httpClient


Wait, it will download and apply patch from internet, and then reboot server!
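
A pre-patch check for the "foreign VIBs" point raised in the reply above, as an added example that is not part of the original thread: it parses the table printed by `esxcli software vib list`, reports VIBs below VMware's own acceptance levels, and prints the installed cpu-microcode version. Treating acceptance level as the marker for a foreign VIB is an assumption, and the sample rows (names, vendors, versions, dates) are constructed.

```shell
#!/bin/sh
# Added example: inventory VIBs before running a profile update.
# Columns of `esxcli software vib list`:
#   Name, Version, Vendor, Acceptance Level, Install Date

# Constructed sample output; every value here is illustrative only.
sample_vib_list() {
cat <<'EOF'
Name                 Version             Vendor           Acceptance Level    Install Date
-------------------  ------------------  ---------------  ------------------  ------------
cpu-microcode        6.5.0-0.0.0000000   VMware           VMwareCertified     2018-01-10
esx-base             6.5.0-0.0.0000000   VMware           VMwareCertified     2018-01-10
example-partner-vib  0.0.0-0.0.0         ExampleVendor    PartnerSupported    2017-06-01
ghettoVCB            0.0.0-0.0.0         virtuallyGhetto  CommunitySupported  2017-06-02
EOF
}

# Print "name vendor acceptance" for VIBs at the two lowest acceptance
# levels (assumption: these are the ones an image update will complain about).
foreign_vibs() {
    awk 'NR > 2 && NF >= 5 &&
         ($4 == "PartnerSupported" || $4 == "CommunitySupported") {
             print $1, $3, $4
         }'
}

# Print the installed version of one VIB; prints nothing if it is absent.
vib_version() {
    awk -v name="$1" 'NR > 2 && $1 == name { print $2 }'
}

# Use the live host when esxcli is present, otherwise the constructed sample.
if command -v esxcli >/dev/null 2>&1; then
    src="esxcli software vib list"
else
    src=sample_vib_list
fi

echo "VIBs below VMware acceptance levels:"
$src | foreign_vibs
echo "cpu-microcode version: $($src | vib_version cpu-microcode)"
```
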
IKtech

ASKER

I've got 2.6.1 BIOS installed... I've also got the recommended build from VMware. Will the update process you recommend be different than downloading the zip file I mentioned and using the "esxcli software vib update path\esxi650-20171201.zip" command from SSH?

I'm under the impression that if you have an Intel chip that is known to have these vulnerabilities, you are at risk...

Thoughts?
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)