Valid Fix to be applied for VMSA-2019-0008

patron asked:
Regarding VMware Advisory ID VMSA-2019-0008
https://www.vmware.com/in/security/advisories/VMSA-2019-0008.html

I checked the KB article and have a few queries to confirm with the experts, so that the fix can be applied if required.
For the Sequential and Concurrent attack fix to be applied:

[1] Do we need to first upgrade VC/VCSA to the fixed version (which is still showing as pending), or can we simply make the change in the ESXi Advanced Settings for the value known as
VMkernel.Boot.hyperthreadingMitigation
?

[2] What are the precautions/prerequisites if we need to verify running applications/certificates/SSL in use on VMs on different hosts under VC?

[3] There are a few hosts showing a warning with
esx.problem.hyperthreading.unmitigate
So can we simply update the value to fix the issue, or are any more prerequisites required?

[4] There are hosts in VC showing options to enable/disable the fix where we are not able to locate the value to be updated, while there are hosts where we can locate and update the value.
Is it limited to a specific version/patch of VC/ESXi? Some hosts are not showing the options to enable/disable the fix.
Please help us plan for the fix if it is required.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
VCSA should always be upgraded to the same or higher level than ESXi, so - yes. You should ONLY make that change if you understand that it can reduce performance on your cluster. Have you followed the flowchart?

If the value is not present, add it.

What versions of VCSA and ESXi are you currently on? Have you already patched?

Have you also updated the firmware and BIOS on your hosts from the vendor?

Are your host CPUs affected?
patron (Technical consultant), Author
Commented:
Thanks Andrew

Nothing yet patched/impacted here, but we have received it from the security team to validate and then apply the fix if required in the infra for multiple accounts.

Here some of the hosts are showing the warning
esx.problem.hyperthreading.unmitigate
where the VC and ESXi versions are:

vCenter Server Appliance 6.0.0b Build 2776510 and
ESXi 6.0 EP 15 [U3]

While we have a few VCs (version details below) where the required value
esx.problem.hyperthreading.unmitigate
is not located on ESXi:
vCenter Server 6.5 Update 1g Build 8024368
ESXi 6.5 U2 GA Build 8294253

Please advise whether we need to apply the fix in both scenarios mentioned above.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
You first need to update all hosts with the firmware/BIOS for your hosts (before you do any host ESXi updates or vCenter Server).

1. You then need to update to...

vCenter Server 6.5 U3 (2019-07-02) Build 14020092
vCenter Server 6.0 U3i (2019-05-14) Build 13638623

FIRST!

and then update ESXi hosts to...

2.

ESXi-6.0.0-20190504001-standard (Build 13635687)
ESXi-6.5.0-20190702001-standard (Build 13932383)

3. and then check your performance, before enabling....

VMkernel.Boot.hyperthreadingMitigation

because this disables hyperthreading and can cause performance issues across your cluster if you do it, while checking and running the tools from VMware. (You've been warned, do not just enable!)
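The ordering above (firmware/BIOS, then vCenter, then ESXi, then a performance check, and only then the mitigation switch) is easy to lose track of across many hosts. The PowerCLI script below is an added, read-only audit written for this thread; it is not code from the original posts or from VMware. It assumes VMware PowerCLI is installed and the account has read access to vCenter; the minimum build numbers are the ones Andrew quotes above, the `$VCenter` parameter and the script name in the usage note are hypothetical, and `Connect-VIServer`, `Get-VMHost` and `Get-AdvancedSetting` are standard PowerCLI cmdlets. It reports where each host sits in the sequence and changes nothing.

```powershell
# Added example, not from the thread or from VMware: read-only PowerCLI audit of
# the patch order described above. Assumes PowerCLI is installed and the account
# has read access to vCenter. $VCenter is a hypothetical parameter name.
param([Parameter(Mandatory)][string]$VCenter)

# Minimum fixed builds quoted in the thread, keyed by major.minor version
$MinVcBuild   = @{ '6.0' = 13638623; '6.5' = 14020092 }   # vCenter 6.0 U3i / 6.5 U3
$MinEsxiBuild = @{ '6.0' = 13635687; '6.5' = 13932383 }   # ESXi 20190504001 / 20190702001
$Setting      = 'VMkernel.Boot.hyperthreadingMitigation'

function Get-MajorMinor([string]$Version) {
    # '6.5.0' -> '6.5' so the build tables above can be indexed
    return (($Version -split '\.')[0..1] -join '.')
}

function Test-MinimumBuild([hashtable]$Table, [string]$Version, [string]$Build) {
    $key = Get-MajorMinor $Version
    # Versions not listed in the thread (e.g. 6.7) are reported as unknown, not as patched
    if (-not $Table.ContainsKey($key)) { return $null }
    return ([int64]$Build -ge $Table[$key])
}

$vc   = Connect-VIServer -Server $VCenter
$vcOk = Test-MinimumBuild $MinVcBuild $vc.Version $vc.Build
Write-Host ("vCenter {0} build {1}: {2}" -f $vc.Version, $vc.Build,
    $(if ($vcOk) { 'at or above fixed build' } else { 'below fixed build or unknown version - upgrade vCenter first' }))

$report = foreach ($h in (Get-VMHost | Sort-Object Name)) {
    $esxOk = Test-MinimumBuild $MinEsxiBuild $h.Version $h.Build
    # On a host without the fix the advanced setting does not exist yet, which is why
    # some hosts in the thread show no option to enable or disable it
    $adv     = Get-AdvancedSetting -Entity $h -Name $Setting -ErrorAction SilentlyContinue
    $enabled = [bool]$adv -and ([string]$adv.Value -match '^(true|1)$')
    [pscustomobject]@{
        Host       = $h.Name
        Version    = $h.Version
        Build      = $h.Build
        Patched    = $esxOk
        Mitigation = $(if ($adv) { $adv.Value } else { 'setting not present' })
        NextStep   = $(if (-not $vcOk)        { 'upgrade vCenter first' }
                       elseif (-not $esxOk)   { 'update firmware/BIOS, then patch ESXi' }
                       elseif (-not $enabled) { 'patched; benchmark capacity before enabling' }
                       else                   { 'mitigation already enabled' })
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it as `.\Audit-HtMitigation.ps1 -VCenter <vcenter-fqdn>` (hypothetical script name). The `NextStep` column deliberately never says "enable": a host that is fully patched but still shows `false` is the point at which the KB's capacity assessment belongs, and the switch itself is a separate, deliberate change after that. On a single host the same value can be read from the ESXi shell with `esxcli system settings kernel list -o hyperthreadingMitigation`.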
patron (Technical consultant), Author
Commented:
Okay, we will follow the same.

Is there any tool we can use to analyze performance before we go for the setting update on ESXi?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
Follow the VMware docs... they have all the info you need and scripts to run before enabling VMkernel.Boot.hyperthreadingMitigation.
patron (Technical consultant), Author
Commented:
Please share the doc/URL where we can locate the script/tool to fix this.

We will plan the upgrade for VC and ESXi, but we may need some tool to analyse performance before doing the same, and any script you mentioned above?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
It's in the link you posted, if you read through the KBs.
patron (Technical consultant), Author
Commented:
Okay, thanks. If you have any more expert advice please assist; otherwise we will follow the VMware KB.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
Read the VMware KBs; it's very important you don't just apply without reading what these patches do, as patching security holes in the CPU could reduce performance.

KB68024 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Assisted Guest Mitigations enablement process for MDS and potential CPU capacity impacts.

https://kb.vmware.com/s/article/52085

https://kb.vmware.com/s/article/52245

https://kb.vmware.com/s/article/52337
patron (Technical consultant), Author
Commented:
Thanks
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017
Commented:
no problems
