So Dell EMC have finally released an update to VxRail that fixes the Intel vulnerability which Intel disclosed last month… software versions 4.0.520 and 4.5.218.
I know a lot of customers have been asking why it’s taken so long, but they have to understand that VxRail is a turnkey appliance, which means Dell EMC and VMware do a whole bunch of testing and validation to ensure any patches/upgrades do not impact the end-user. VxRail’s update process is fully automated, and the validation ensures end-users can be reassured that when they upload the update file and hit ‘install’ they will go from one known good state to another!
VxRail Appliance software 4.0.520 contains vSphere 6.0 Express Patch 15 / Update 3h, which addresses the L1 Terminal Fault vulnerability.
VxRail 4.5.218 contains vSphere 6.5 EP8/U2c, which addresses the L1 Terminal Fault vulnerability.
Refer to VMware KB reference 55636 for a centralized source of information. A high-level introduction follows:
CVE-2018-3646 (L1 Terminal Fault – VMM) requires hypervisor-specific mitigations for hosts running on Intel hardware.
Sequential-context attack vector: mitigated through a vSphere update process including vCenter and ESXi. The mitigation is enabled by default and does not impose a significant performance impact.
Concurrent-context attack vector: mitigated by enabling a new advanced configuration option, hyperthreadingMitigation, included in the update. This option is also known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyper-Threading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please take time to analyze your environment’s capacity prior to enabling the mitigation.
For technical details please see VMware KB reference 55806.
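Before switching the Side-Channel-Aware Scheduler on, it helps to see which hosts already have it, which are still on a pre-L1TF build, and how much logical CPU each node would give up. The PowerCLI audit below is an added example (not from the original post, Dell EMC or VMware); it assumes an existing Connect-VIServer session, and the cluster name is a placeholder.

```powershell
# Added example: audit the L1TF concurrent-context mitigation across a cluster.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
param([string]$ClusterName = 'VxRail-Cluster')   # placeholder cluster name

# Per VMware KB 55806 the ESXi Side-Channel-Aware Scheduler is controlled by this
# advanced setting; a changed value only takes effect after a host reboot.
$settingName = 'VMkernel.Boot.hyperthreadingMitigation'

function Get-L1TFMitigationReport {
    param([Parameter(Mandatory)][string]$Cluster)

    foreach ($vmhost in Get-Cluster -Name $Cluster | Get-VMHost) {
        $cpu      = $vmhost.ExtensionData.Hardware.CpuInfo          # cores / threads
        $htActive = $vmhost.ExtensionData.Config.HyperThread.Active  # HT on in BIOS+ESXi
        $setting  = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue

        if (-not $setting) {
            # Setting absent: this build predates the L1TF patch (6.0 EP15 / 6.5 U2c on VxRail).
            $state   = 'PATCH MISSING'
            $enabled = $false
        } else {
            $enabled = ("$($setting.Value)".ToLower() -eq 'true')
            $state   = if ($enabled) { 'ENABLED' } else { 'DISABLED' }
        }

        # With the mitigation on, only one logical processor per core is scheduled,
        # so an HT-enabled host effectively drops to its physical core count.
        $logicalNow = if ($enabled) { $cpu.NumCpuCores } else { $cpu.NumCpuThreads }
        $lossPct    = if ($htActive -and -not $enabled) {
            [math]::Round(100 * (1 - $cpu.NumCpuCores / $cpu.NumCpuThreads))
        } else { 0 }

        [pscustomobject]@{
            Host                 = $vmhost.Name
            Build                = $vmhost.Build
            HyperThreadingActive = $htActive
            L1TFScheduler        = $state
            LogicalCpusNow       = $logicalNow
            LogicalCpusIfEnabled = $cpu.NumCpuCores
            CapacityLossPct      = $lossPct
        }
    }
}

Get-L1TFMitigationReport -Cluster $ClusterName | Format-Table -AutoSize
```

Hosts reporting PATCH MISSING need the VxRail update before the option exists at all; CapacityLossPct is the share of schedulable logical CPUs the node gives up once the mitigation is enabled.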
CVE-2018-3620 (L1 Terminal Fault – OS)
Local privilege escalation, requires operating-system-specific mitigations. vCSA (and PSC) 6.x are impacted; a workaround is available.
Back at the end of February I presented a webinar with my colleague, Andrew Tang, on Key Challenges and Considerations for Securing Hyper-Converged Infrastructure.
The webinar has been uploaded for public consumption by the marketing team at MTI Technology.
As I mentioned previously in my blog, I don’t really touch upon product in this webinar, as the last thing customers want is to be shoehorned into a certain vendor product… instead I hope the webinar gives enough information about what HCI is in general, why customers should be looking at HCI during their next infrastructure refresh, and more importantly what to consider when evaluating an HCI solution!
One of the items that wasn’t addressed in the original fix was Guest OS leakage mitigation between processes within the VM – this required CPU/BIOS microcode updates which were not yet available from Intel.
Those updates were made available from Intel at the beginning of April and it’s taken a while for them to filter through to vSphere and VxRail – the delay is down to VxRail being a fully turnkey appliance, which means all software/firmware updates from Dell EMC are fully tested and validated before release.
VxRail Appliance software 4.0.402 and 4.5.152 contain the Intel microcode fix to complete the resolution of the speculative execution security issues.
VxRail Appliance software 4.0.402 includes fixes for the following security vulnerabilities:
CVE-2017-5753 (Variant 1: bounds check bypass, also known as Spectre) – Complete fix in 4.0.401 and above.
CVE-2017-5715 (Variant 2: branch target injection, also known as Spectre):
Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM – Complete fix in 4.0.401 and above.
Guest OS leakage mitigation between processes within the VM requires BIOS or CPU microcode update released by Intel and included in this release – Complete fix with either BIOS or CPU microcode update automatically applied through the VxRail 4.0.402 automated software upgrade. No manual BIOS update required for any supported VxRail hardware platforms.
CVE-2017-5754 (Variant 3: rogue data cache load, also known as Meltdown): Does not affect VxRail Appliance.
NOTE: Manual steps are required after the VxRail Appliance software upgrade to 4.0.402: the VMs must be power cycled for the branch target injection mitigation to take effect. More info is available in this KB article: https://support.emc.com/kb/519601
Also note that this update does not patch the guest OS!
So last Thursday I was asked by the marketing peeps at my company, MTI Technology, to run a webinar with my colleague, Andrew Tang, on what Hyper-Converged Infrastructure is all about, why it’s suddenly become so popular within the industry, and how best to secure an HCI solution.
The webinar has now been uploaded for public consumption… and since it kind of went ok – apart from me suffering from a runny nose throughout (sorry for all the sniffing) – I’ve decided to blog about the webinar for you all to watch.
I don’t really touch upon product in this webinar, as the last thing customers want is to be shoehorned into a certain vendor product… instead I hope the webinar gives enough information about what HCI is in general, why customers should be looking at HCI during their next infrastructure refresh, and more importantly what to consider when evaluating an HCI solution!
So Dell EMC have finally released the patches for their VxRail appliances. I know many of my customers were asking about these patches – in a way it’s good it was slightly delayed, given how many regular VMware customers experienced issues when patching and how one patch was pulled by VMware!
The good thing about VxRail is that any software patches or updates released have been tried and tested by the Dell EMC CPSD engineering team, so they should be ready for roll out with minimum disruption!
It’s worth noting that at present this patch only contains 2 of the 3 fixes required to address the Intel Speculative Execution vulnerability (Spectre – Meltdown doesn’t really affect VMware and hence VxRail). The 3rd fix has not yet been released by Intel, and Dell EMC basically decided they couldn’t wait any longer as Intel drag their heels!