VMware has released patches against the Spectre-2 vulnerability. To protect against the branch target injection vulnerability (also known as Spectre-2), you need to patch the full stack, from vCenter down to ESXi and the guest operating system. Don’t forget to also update the firmware for your hardware.
For vCenter, VMware released the corresponding patches a few days ago:
- vCenter 6.5 U1g (see article New Security Patch – vCenter Server 6.5 U1g)
- vCenter 6.0 U3e
- vCenter 5.5 U3h
Going down to the ESXi level, VMware released these patches:
- ESXi 6.5 – ESXi650-201803401-BG and ESXi650-201803402-BG
- ESXi 6.0 – ESXi600-201803401-BG and ESXi600-201803402-BG
- ESXi 5.5 – ESXi550-201803401-BG and ESXi550-201803402-BG
In this article I will focus on the ESXi 6.5 patches.
ESXi650-201803401-BG updates the esx-base, esx-tboot, vsan and vsanhealth VIBs. ESXi650-201803402-BG updates the cpu-microcode VIB. Both patches provide parts of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (as described in VMware Security Advisory VMSA-2018-0004.3).
How to Apply ESXi Patches for Spectre
Below are the main steps for updating ESXi with the Spectre patches using Update Manager.
First, I check the currently installed version. As you can see below, I am running ESXi 6.5 build 6765664. My target version is ESXi 6.5 build 7967591.
Then I go to Update Manager and create a new host baseline, adding the two patches specified above (ESXi650-201803401-BG and ESXi650-201803402-BG, release date 20 March 2018).
I then attach the new baseline to my Lab cluster, which consists of two ESXi hosts. As you can see below, both hosts are non-compliant.
I then start the remediation process for my Lab cluster.
The ESXi servers are placed in maintenance mode one by one, the patches are installed and the servers are rebooted. After the remediation completes, both servers are compliant with the attached baseline.
As expected, the new ESXi version is 6.5 build 7967591.
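Beyond the Update Manager compliance view, it is worth confirming on the host itself that every VIB the two bulletins touch carries the target build. The following POSIX shell check is an added example (not from the original post or from VMware); the `esxcli software vib list` output it parses is a constructed sample, and the full VIB version strings in it are assumptions, only the trailing build number is taken from the article.

```shell
#!/bin/sh
# Post-remediation check for the two ESXi 6.5 Spectre bulletins: confirm the VIBs
# they update all carry the target build number. Added example, not VMware tooling.
# On a real host: check_vibs 7967591 "$(esxcli software vib list)"

TARGET_BUILD=7967591            # build the article upgrades to
# VIBs updated by ESXi650-201803401-BG (first four) and ESXi650-201803402-BG (last)
REQUIRED_VIBS="esx-base esx-tboot vsan vsanhealth cpu-microcode"

# Constructed sample of `esxcli software vib list` output (not a real capture;
# version strings are assumed). esx-tboot is deliberately left at the old
# build 6765664 so the check reports a partially patched host.
SAMPLE_VIB_LIST='Name           Version             Vendor  Acceptance Level  Install Date
-------------  ------------------  ------  ----------------  ------------
cpu-microcode  6.5.0-1.41.7967591  VMware  VMwareCertified   2018-03-21
esx-base       6.5.0-1.41.7967591  VMware  VMwareCertified   2018-03-21
esx-tboot      6.5.0-0.23.6765664  VMware  VMwareCertified   2017-11-09
vsan           6.5.0-1.41.7967591  VMware  VMwareCertified   2018-03-21
vsanhealth     6.5.0-1.41.7967591  VMware  VMwareCertified   2018-03-21
ne1000         0.8.3-7vmw.650.1.26.5969303  VMW  VMwareCertified  2017-07-27'

# check_vibs TARGET_BUILD VIB_LIST_TEXT
# Prints "<vib> OK <version>", "<vib> OUTDATED <version>" or "<vib> MISSING" for
# each required VIB; returns 0 only when every one ends in the target build.
check_vibs() {
    target="$1"
    vib_list="$2"
    status=0
    for vib in $REQUIRED_VIBS; do
        # column 1 is Name, column 2 is Version in esxcli's table output
        version=$(printf '%s\n' "$vib_list" | awk -v n="$vib" '$1 == n { print $2 }')
        if [ -z "$version" ]; then
            echo "$vib MISSING"
            status=1
        else
            case "$version" in
                *."$target") echo "$vib OK $version" ;;
                *)           echo "$vib OUTDATED $version"; status=1 ;;
            esac
        fi
    done
    return "$status"
}

check_vibs "$TARGET_BUILD" "$SAMPLE_VIB_LIST" \
    || echo "NOT fully patched: rerun remediation before calling the host compliant"
```

A host that Update Manager shows as compliant should report OK for all five VIBs; a MISSING cpu-microcode entry means the second bulletin was never applied.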
Happy patching 🙂