So Dell EMC have finally released an update to VxRail that fixes the Intel vulnerability which Intel disclosed last month…. Software version 4.0.520 and 4.5.218….
I know a lot of customers have been asking why it’s taken so long, but they have to understand that the VxRail is a turnkey appliance which means Dell EMC and VMware do a whole bunch of testing and validation to ensure any patches/upgrades do not impact the end-user. VxRail’s update process is fully automated and the validation ensures that end-users can be reassured that when they upload the update file and hit ‘install’ that they will go from one good known state to another!
VxRail Appliance software 4.0.520 contains vSphere 6.0 Express Patch 15 / Upgrade
3h which addresses the L1 Terminal Fault vulnerability.
VxRail 4.5.218 contains vSphere 6.5 EP8/U2c which addresses the L1 Terminal Fault vulnerability.
Refer to VMware KB reference 55636 for a centralized source of information. A high-level introduction follows:
- CVE-2018-3646 (L1 Terminal Fault – VMM), requires Hypervisor-Specific Mitigations for hosts running on Intel hardware.
- Sequential-Context attack vector: mitigated through a vSphere update process including vCenter and ESXi. Mitigation enabled by default and does not impose a significant performance impact.
- Concurrent-context attack vector: mitigated by enabling a new advanced configuration option hyperthreading Mitigation included in the update. This option also known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical process of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please take time to analyze your environment’s capacity prior to enabling the mitigation.
- For technical details please see VMware KB reference 55806.
- CVE-2018-3620 (L1 Terminal Fault – OS)
- CVE-2018-3615 (L1 Terminal Fault – SGX)
- Does not affect VxRail and VMware products. See VMware KB reference 54913.
Upgrades should be available to download and run…. Alternatively speak to your Dell EMC representative (or contact me or my company: MTI)