For those who responded quickly to Meltdown and Spectre by applying security patches to their ESXi environment, it can be a bit frustrating to learn that VMware pulled those packages a few days after they were released.
This is related to a reboot issue in the recent CPU microcode updates released by Intel, and both vendors ask for some time to provide a revised version of the firmware.
Currently, VMware urges customers to apply the latest patches (released on January 9, 2018) to vCenter Server and VCSA as follows:
- VMware vCenter Server 6.5 Update 1e,
- VMware vCenter Server 6.0 Update 3d,
- VMware vCenter Server 5.5 Update 3g.
More information (and possibly updates) will come next week.
Meanwhile, I would like to leave here a few more articles that are worth reading:
- Firmware Updates And Initial Performance Data For Data Center Systems,
- VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown),
- Hypervisor-Assisted Guest Mitigation for Branch Target Injection.
25/01/2018 – Update 1: Two more articles that seem to be quite helpful are as follows:
- VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown),
- Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking).
09/02/2018 – Update 2: VMware released a new security advisory (VMSA-2018-0007) regarding the mitigation of CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 in VMware Virtual Appliances.
12/02/2018 – Update 3: Another great summary on the subject: Meltdown and Spectre: far from the solution?