...
Intel disclosed new speculative side-channel L1 Terminal Fault (L1TF) vulnerabilities that impact processors used in the HPE ConvergedSystem CS7x0 solutions. L1TF vulnerabilities, when exploited for malicious purposes, have the potential to allow the improper gathering of sensitive data. The speculative execution side-channel method that Intel refers to as L1TF has two currently known attack vectors:

- Sequential-Context
- Concurrent-Context

A malicious VM using the Sequential-Context vector can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core. A VM using the Concurrent-Context attack vector can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of a Hyper-Threading-enabled processor core. To mitigate these vulnerabilities, the HPE ConvergedSystem CS7x0 solution should apply the L1TF VMware patches and setting changes described in this document.
Any of the following:

- HPE ConvergedSystem 700x 1.0 for VMware (formerly HPE VirtualSystem VS3 2.2) (721223-B21)
- HPE ConvergedSystem 700x 1.1 for VMware (J0H72A)
- HPE ConvergedSystem 700 2.0 for VMware (K9T75A)
- HPE ConvergedSystem 750 3.x for Synergy and VMware Kit Tracking (Q8A80A)
To mitigate the L1TF vulnerabilities, the CS700 should be running the August 2018 compatibility matrix and the CS750 should be running the September 2018 compatibility matrix before applying the following two remediation steps. Step 1 applies patches that remediate the Sequential-Context vector; that mitigation is enabled by default once the patches are installed. Step 2 is optional and must only be enabled after Step 1 has been completed. Step 2 remediates the Concurrent-Context vector by enabling the ESXi Side-Channel-Aware Scheduler, which schedules on only one logical processor (Hyper-Thread) of a Hyper-Threading-enabled core. As a result of enabling the Side-Channel-Aware Scheduler, available host capacity may be reduced. It is recommended to review the Planning Phase section in VMware KB https://kb.vmware.com/s/article/55806 and assess your environment using the HTA migration tool https://kb.vmware.com/s/article/56931 before enabling the Side-Channel-Aware Scheduler.

Step 1: Sequential-Context remediation

Solutions using vSphere 6.0u3:
1. Update vCenter first, before updating the ESXi hosts, by applying the VMware-vCenter-Server-Appliance-6.0.0.30800-9448190-patch-FP.iso patch to both the VCSA and PSC appliances.
2. Apply the ESXi600-201808001.zip patch to each of the ESXi hosts.

Solutions using vSphere 6.5u2:
1. Update vCenter first, before updating the ESXi hosts, by applying the VMware-vCenter-Server-Appliance-6.5.0.22000-9451637-patch-FP.iso patch to both the VCSA and PSC appliances.
2. Apply the ESXi650-201808001.zip patch to each of the ESXi hosts.

Step 2: Concurrent-Context remediation (optional)

1. Complete the assessment using the HTA migration tool.
2. Enable the ESXi Side-Channel-Aware Scheduler by following the steps below:
   a. Connect to the vCenter Server using either the vSphere Web Client or the vSphere Client.
   b. Select an ESXi host in the inventory.
   c. Click the Manage (6.0) or Configure (6.5) tab.
   d. Click the Settings sub-tab (6.0).
   e. Under the System heading, click Advanced System Settings.
   f. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
   g. Select the setting by name and click the Edit pencil icon (6.0) or the Edit button (6.5).
   h. Change the configuration option to true (default: false). On 6.0, select Yes in the dropdown menu. On 6.5, click in the Filter box, search for VMkernel.Boot.hyperthreadingMitigation, and check Enabled.
   i. Click OK.
3. Repeat these steps on all ESXi hosts.
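The vSphere Client procedure in Step 2 sets a VMkernel boot option, so the value shown as "Configured" and the value actually in effect ("Runtime") can differ until the host has been rebooted. The following is an added example (not HPE's or VMware's own tooling) that classifies a host's Concurrent-Context mitigation state from the output of `esxcli system settings kernel list -o hyperthreadingMitigation`, which is the esxcli view of the same VMkernel.Boot.hyperthreadingMitigation option. The esxcli table layout (Name, Type, Configured, Runtime, Default, Description columns) is assumed, and the three sample tables are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit the L1TF Concurrent-Context mitigation state of an ESXi host.
# Reads the esxcli table for hyperthreadingMitigation on stdin and prints one of:
#   mitigated      - Configured TRUE and Runtime TRUE (scheduler active)
#   reboot-pending - Configured TRUE but Runtime FALSE (set, not yet in effect)
#   unmitigated    - Configured FALSE
#   unknown        - setting row not found in the input
# Assumed column order (esxcli system settings kernel list):
#   Name  Type  Configured  Runtime  Default  Description
l1tf_ht_state() {
    awk '
        $1 == "hyperthreadingMitigation" {
            conf = toupper($3); run = toupper($4); found = 1
            if (conf == "TRUE" && run == "TRUE")  { print "mitigated";      exit }
            if (conf == "TRUE" && run == "FALSE") { print "reboot-pending"; exit }
            if (conf == "FALSE")                  { print "unmitigated";    exit }
            found = 0
        }
        END { if (!found) print "unknown" }
    '
}

# Convenience wrapper: classify a table held in a shell variable.
classify_sample() {
    printf '%s\n' "$1" | l1tf_ht_state
}

# Constructed sample outputs (not from a real host), one per state.
SAMPLE_MITIGATED='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        TRUE     FALSE    Restrict simultaneous use of logical processors sharing a core'

SAMPLE_PENDING='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        FALSE    FALSE    Restrict simultaneous use of logical processors sharing a core'

SAMPLE_OFF='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  FALSE       FALSE    FALSE    Restrict simultaneous use of logical processors sharing a core'

# On an ESXi host, classify the live setting; elsewhere, demonstrate on the samples.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system settings kernel list -o hyperthreadingMitigation | l1tf_ht_state
else
    for s in "$SAMPLE_MITIGATED" "$SAMPLE_PENDING" "$SAMPLE_OFF"; do
        classify_sample "$s"
    done
fi
```

A result of reboot-pending means the Step 2 change has been saved but the Side-Channel-Aware Scheduler is not yet protecting that host; the option takes effect only after the host is rebooted. Running the check on every host after Step 2 catches the case where a host was configured in the client but never restarted.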