VMware released patches against the Spectre-2 vulnerability. To protect against the branch target injection vulnerability (also known as Spectre-2), you need to patch the full stack, from vCenter down to ESXi and the operating system. Don’t forget to also update the firmware for your hardware.
For vCenter, VMware released the corresponding patches a few days ago:
- vCenter 6.5 U1g (see article New Security Patch – vCenter Server 6.5 U1g)
- vCenter 6.0 U3e
- vCenter 5.5 U3h
Going down to the ESXi level, VMware released these patches:
- ESXi 6.5 – ESXi650-201803401-BG and ESXi650-201803402-BG
- ESXi 6.0 – ESXi600-201803401-BG and ESXi600-201803402-BG
- ESXi 5.5 – ESXi550-201803401-BG and ESXi550-201803402-BG
In this article I will focus on the ESXi 6.5 patches.
ESXi650-201803401-BG updates the esx-base, esx-tboot, vsan and vsanhealth VIBs. ESXi650-201803402-BG updates the cpu-microcode VIB. Both patches provide parts of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (as described in VMware Security Advisory VMSA-2018-0004.3).