Following the public release of the L1TF vulnerability ("L1 Terminal Fault" or "Foreshadow"), various procedures and patches were published to minimize risk of exposure. In this article, we will show you how you can block this vulnerability.
Note: It is important to understand that the actions below do not fix the vulnerability itself. They describe how to disable hyper-threading on your ESXi hosts. Since the L1TF vulnerability relies on hyper-threading to work, disabling it protects your infrastructure from being exploited.
Prerequisites
- Hyper-threading used on your VMs
Topics
- Checking and Blocking the L1TF Vulnerability
Checking and Blocking the L1TF Vulnerability
As a reminder:
Note: L1 Terminal Fault - OS (CVE-2018-3620) does not affect VMware hypervisors and requires local access to vCenter/vCSA.
Note: L1 Terminal Fault - SGX (CVE-2018-3615) does not affect VMware hypervisors.
Only SDDC packs are affected by this vulnerability for Hosted Private Cloud and Managed Baremetal.
The mitigation process is described in this VMware article. The procedure is divided into three steps.
Step 1: Update
The vCenter update is managed by OVHcloud. However, it is your responsibility to install the patch for ESXi hosts. This is available in the Update Manager. You will find the list of patches for ESXi hosts in this document.
Step 2: Assess Environment
Even after the ESXi hosts have been updated, the mitigation is not yet active; it still has to be enabled. Before doing so, it is important to be aware of the potential problems listed in the VMware article mentioned above, and of the performance loss described in this article.
Step 3: Enable
Once you have read about these problems, you can enable the setting that disables hyper-threading from the host's Advanced System Settings.
Use the filter in the top right-hand corner of the window to find the setting. You will need to repeat this for each host. To find out more, see step 3 in the "Resolution" section of this article.
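Because the setting must be applied host by host, the following PowerCLI script is an added example (not part of the OVHcloud guide) that audits every ESXi host in a vCenter and, with -Enable, turns the mitigation on. It assumes the VMware PowerCLI module is installed, that the account can configure hosts, and that the advanced setting name is VMkernel.Boot.hyperthreadingMitigation, the name VMware documents for this mitigation; the guide itself does not name it.

```powershell
# Added example: audit/enable the L1TF hyper-threading mitigation on all hosts.
# Assumes VMware PowerCLI and host configuration rights on the vCenter.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Enable   # without -Enable the script only reports
)

# Advanced setting name as documented by VMware (assumed; not named in the guide)
$SettingName = 'VMkernel.Boot.hyperthreadingMitigation'

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $SettingName -ErrorAction SilentlyContinue
    if (-not $setting) {
        # The setting only exists on patched builds: step 1 (update) is still missing here.
        Write-Warning "$($vmhost.Name): $SettingName not present, apply the ESXi patch first"
        continue
    }

    $configured = [System.Convert]::ToBoolean($setting.Value)
    # vCenter flags hosts whose boot-time settings changed but were not rebooted yet.
    $rebootPending = $vmhost.ExtensionData.Summary.RebootRequired
    Write-Host ("{0}: mitigation configured={1} rebootRequired={2}" -f `
        $vmhost.Name, $configured, $rebootPending)

    if (-not $configured) {
        if ($Enable) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $true -Confirm:$false | Out-Null
            Write-Host "$($vmhost.Name): mitigation enabled; place the host in maintenance mode and reboot it to activate"
        } else {
            Write-Host "$($vmhost.Name): NOT mitigated (run again with -Enable)"
        }
    } elseif ($rebootPending) {
        Write-Host "$($vmhost.Name): mitigation configured but not active until the host is rebooted"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it first without -Enable to see which hosts still lack the patch or the setting, then with -Enable once you have planned the reboot window, since the setting only takes effect after a host reboot.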
Conclusion
Having read this article, you should be able to disable hyper-threading on your ESXi hosts.