Skip to main content

How to Check and Block the L1TF Vulnerability

Michael M.
Updated

Following the public release of the L1TF vulnerability ("L1 Terminal Fault" or "Foreshadow"), various procedures and patches were published to minimize risk of exposure. In this article, we will show you how you can block this vulnerability.

Note: It is important to understand that the actions below do not fix the vulnerability. The actions describe how to disable hyper-threading on your ESXi hosts. Since the L1TF vulnerability requires hyper-threading to work, disabling it protects your infrastructure from being exploited.

Prerequisites

  • Hyper-threading used on your VMs

Topics

  • Checking and Blocking the L1TF Vulnerability

Checking and Blocking the L1TF Vulnerability

As a reminder:

l1tf_table.png

Note: L1 Terminal Fault - OS (CVE-2018-3620) does not affect VMware hypervisors and requires local access to vCenter/vCSA.

Note: L1 Terminal Fault - SGX (CVE-2018-3615) does not affect VMware hypervisors.

Only SDDC packs are affected by this vulnerability for Hosted Private Cloud and Managed Baremetal.

The mitigation process is described in this VMware article. The procedure is divided into three steps.

Step 1: Update

The vCenter update is managed by OVHcloud. However, it is your responsibility to install the patch for ESXi hosts. This is available in the Update Manager. You will find the list of patches for ESXi hosts in this document.

warningMsg.png

Step 2: Assess Environment

After the ESXi hosts have been updated, the patch has not yet been applied. It is important to be aware of the potential problems listed in the article mentioned above. Additionally, be aware that you could lose some performance as described in this article.

Step 3: Enable

Once you have read about these problems, you can enable the setting that is used to disable hyper-threading by going to the Advanced System Settings.

enableMitigation.png

A filter is available in the top right-hand corner of the window. You will need to do this for each host. To find out more, you can go to step 3 in the "Resolution" section of this article.

Conclusion

Having read this article, you should be able to disable hyper-threading on your ESXi hosts.

Related articles