VMware OS mitigations against CPU speculative execution vulnerabilities

Rackspace continues to evaluate and address a set of speculative execution vulnerabilities affecting certain CPUs. You can find more information about the vulnerabilities in the following locations:

Spectre and Meltdown

Details related to the vulnerabilities can be found in:

Spectre and Meltdown variants 3A and 4 (May 21, 2018)

Details related to the vulnerabilities can be found in:

L1 Terminal Fault (L1TF) or Foreshadow (August 14, 2018)

Details related to the vulnerabilities can be found in:

Mitigation categories

For VMware, mitigation of these vulnerabilities fall into three different categories:

  1. Hypervisor-Specific Mitigation
  2. Hypervisor-Assisted Guest Mitigation
  3. Operating System-Specific Mitigations

Hypervisor-Specific Mitigation

Rackspace has made available ESXi patches up to the following build numbers to help remediate this category:

  • ESXi 6.0 - Build 6921384
  • ESXi 5.5 - Build 7618464

Note: Patching ESXi may result in Hypervisor and VM downtime.

Hypervisor-Assisted Guest Mitigation

VMware previously released microcode updates to address a portion of this category, but pulled those patches from circulation due to instability concerns. Currently, we are awaiting microcode and firmware updates from our hardware vendors.

Note: Patching the microcode and firmware may result in Hypervisor and VM downtime.

Operating System-Specific Mitigations

Currently, normal Rackspace patching processes apply. Rackspace will add vendor patches to the patching schedule as they become available.

VMware also recommends that we upgrade the hardware version of the VM to version 9 at minimum.

Note: Patching at the OS and VM hardware level may result in Virtual Machine downtime.

Patching - ESXi and Guest OS

Currently, patching ESXi and the Guest OS will only cover two of the three categories:

  1. Hypervisor-Specific
  2. Operating System-Specific Mitigations.

Note: Patches to microcode and firmware for Hypervisor-Assisted Guest Mitigations may require further downtime for Hypervisor and Virtual Machines.

Public facing articles

VMware has released the following public-facing articles: