VMware Released ESXi Patches for Spectre

VMware released patches against Spectre-2 vulnerability. In order to protect against branch target injection vulnerability (also known as Spectre-2), you need to patch the full stack, ranging from vCenter, down to ESXi and the operating system. Don’t forget to also update the firmware for your hardware.

For vCenter, VMware released few days ago the corresponding patches:

Going down to ESXi level, VMware released these patches:

  • ESXi 6.5 – ESXi650-201803401-BG and ESXi650-201803402-BG
  • ESXi 6.0 – ESXi600-201803401-BG and ESXi600-201803402-BG
  • ESXi 5.5 – ESXi550-201803401-BG and ESXi550-201803402-BG

In this article I will focus on ESXi 6.5 patches.

ESXi650-201803401-BG updates the esx-base, esx-tboot, vsan and vsanhealth VIBs. ESXi650-201803402-BG updates the cpu-microcode VIB. Both patches provide parts of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (as described in VMware Security Advisory VMSA-2018-0004.3).

How to Apply ESXi Patches for Spectre

I will write now about the main steps of updating the ESXi with the Spectre patches using Update Manager.

If you want to see step-by-step instructions, you can check How to Update ESXi 6.5 with Update Manager. Alternatively, if you prefer command line, check How to Update ESXi 6.5 with Command Line.

I will check first the current installed version. As you can see below I am running ESXi 6.5 build 6765664. My target version is ESXi 6.5 build 7967591.

ESXi 6.5 build 6765664
ESXi 6.5 build 6765664

I will go then to Update Manager and I will create a new host baseline. I will add the 2 patches specified above (ESXi650-201803401-BG and ESXi650-201803402-BG, release date 20 March 2018).

Spectre Patches
Spectre Patches

I will then attach the new baseline to my Lab cluster consisting of 2 ESXi hosts. As you can see below, both hosts are non-compliant.

Spectre Patches Baseline
Spectre Patches Baseline

I will then start the remediation process for my Lab cluster.

Lab Cluster Remediation
Lab Cluster Remediation

The ESXi servers are placed in maintenance one by one, then patches are installed and servers rebooted. After the remediation is completed, I have both servers compliant with the attached baseline.

Spectre Patches Baseline Compliance
Spectre Patches Baseline Compliance

As expected, the new ESXi version is 6.5 build 7967591.

ESXi 6.5 build 7967591
ESXi 6.5 build 7967591

Happy patching 🙂

Constantin Ghioc

I usually play with vRealize Automation, vRealize Orchestrator and different AWS tools. In my other life, I’m a husband and a father, an amateur photographer and a Go enthusiast.

Leave a Reply

Your email address will not be published. Required fields are marked *