As I’m sure most of you know by now, several vulnerabilities were discovered recently, called Spectre and Meltdown. These are also known as Side-Channel Analysis vulnerabilities. There are different variations of these vulnerabilities and they affect almost every processor released in the last 20 years! This is not a Microsoft or Intel or Apple issue. This is also not just limited to servers and desktops, but may affect storage arrays or any other appliances as this is an issue with Intel, AMD, and ARM chips. As you can see this is everybody’s issue.
These vulnerabilities exploit the fundamental design of most modern processors and allow malware or attackers to read protected memory and potentially steal sensitive data. The good thing is that if you keep your systems patched, most of these issues have already been addressed by Microsoft, Apple, VMware, and other software vendors. If you have not updated all of your servers recently, I strongly suggest that you do.
Unfortunately, one of these vulnerabilities could not be addressed through the operating system software and requires system ROM updates. These were also released almost immediately but Intel found that these could cause system instability. As of this week these issues have been resolved and the updates should be applied. Below I have provided links for HPE and Dell, but all system vendors should have new packages available.
vCenter EVC Issue
One issue that I personally have encountered seems to be related to the patching for these issues. After an upgrade to vCenter 6.5 Build 7515524 and the latest version of ESXi, I could not add hosts to a cluster with Enhanced vMotion Compatibility (EVC) enabled. This was a requirement as a new host was added with a newer processor model. After much research I finally did find a workaround. A single host had to be added to the cluster without EVC enabled. With that host still in maintenance mode, EVC could then be enabled and the additional host could be added normally after that.
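The workaround above, written out as a PowerCLI script so it can be repeated on other clusters. This is an added example, not the original post's code or anything from VMware: the cluster name, host names and EVC baseline are placeholders, it assumes an existing Connect-VIServer session, and it assumes a PowerCLI version whose Set-Cluster supports the -EVCMode parameter (6.5 R1 or later).

```powershell
# Added example (not from the original post). Assumes Connect-VIServer has already been run
# and PowerCLI 6.5 R1+ (Set-Cluster -EVCMode). All names below are placeholders.
$ClusterName = 'Prod-Cluster'                      # placeholder
$EvcMode     = 'intel-broadwell'                   # placeholder: baseline of the oldest CPU in the cluster
$FirstHost   = 'esx01.example.local'               # placeholder: host added while EVC is still off
$OtherHosts  = @('esx02.example.local', 'esx03.example.local')  # placeholders
$HostCred    = Get-Credential -Message 'ESXi root credentials'

function Add-HostsWithEvcWorkaround {
    param(
        [string]$ClusterName, [string]$EvcMode,
        [string]$FirstHost, [string[]]$OtherHosts,
        [pscredential]$HostCred
    )

    $cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop

    # Step 1: the workaround depends on the first host joining a cluster with EVC disabled.
    if ($cluster.EVCMode) {
        throw "EVC is already enabled ($($cluster.EVCMode)) on $ClusterName; disable it before running this workaround."
    }

    # Step 2: add the first host and keep it in maintenance mode.
    $vmhost = Add-VMHost -Name $FirstHost -Location $cluster -Credential $HostCred -Force -Confirm:$false
    Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null

    # Step 3: with that host still in maintenance mode, turn EVC on at the chosen baseline.
    Set-Cluster -Cluster $cluster -EVCMode $EvcMode -Confirm:$false | Out-Null

    # Step 4: the remaining hosts can now be added normally.
    foreach ($name in $OtherHosts) {
        Add-VMHost -Name $name -Location $cluster -Credential $HostCred -Force -Confirm:$false | Out-Null
    }

    # Step 5: report what the cluster looks like afterwards so the result can be verified.
    $cluster = Get-Cluster -Name $ClusterName
    [pscustomobject]@{
        Cluster = $cluster.Name
        EVCMode = $cluster.EVCMode
        Hosts   = (Get-VMHost -Location $cluster | Select-Object -ExpandProperty Name)
    }
}

Add-HostsWithEvcWorkaround -ClusterName $ClusterName -EvcMode $EvcMode `
    -FirstHost $FirstHost -OtherHosts $OtherHosts -HostCred $HostCred
```

The script refuses to run if EVC is already on, because the post's workaround only applies when the first host is added without EVC; the final object shows the resulting EVC mode and host list so the change can be checked before the hosts are taken out of maintenance mode.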
As with most exploits, antivirus software is your first line of defense. Unfortunately, it appears that some AV vendors make unsupported calls to Windows kernel memory that would be incompatible with the new security patches. Any AV software will need to be updated so that it sets a registry key to verify that it complies. Without this setting the new security patches cannot be downloaded and applied. If there is no AV software installed, or an agentless product like VMware NSX Endpoint/vShield is used, the registry key will need to be set manually. The link below provides more detail.
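A PowerShell check for the compatibility key described above, added here as an example rather than taken from the original post. The key path and value name are the ones Microsoft documented for the January 2018 antivirus compatibility requirement; the function names are my own, and the mitigation report relies on Microsoft's SpeculationControl module being installed, which is an assumption about the machine being checked.

```powershell
# Added example (not from the original post). Read-only audit by default; the -Set switch
# only creates the key when you have confirmed no incompatible AV product is present
# (the no-AV / agentless NSX Endpoint case described in the post).
$QualityCompatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # Microsoft's documented value name

function Test-AvCompatibilityKey {
    # Returns $true only when the value exists as REG_DWORD 0, which is what Windows Update checks.
    $item = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$QualityCompatValue -eq 0)
}

function Set-AvCompatibilityKey {
    # Creates the key/value. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $QualityCompatPath)) {
        New-Item -Path $QualityCompatPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($QualityCompatPath, "Set $QualityCompatValue = 0 (REG_DWORD)")) {
        New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatValue `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-MitigationStatus {
    # Assumption: the SpeculationControl module from the PowerShell Gallery is installed.
    # Its output reports whether the OS-side Spectre/Meltdown mitigations are present and enabled.
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        return Get-SpeculationControlSettings
    }
    Write-Warning 'SpeculationControl module not found; install it with Install-Module SpeculationControl.'
    return $null
}

function Invoke-PatchReadinessAudit {
    param([switch]$Set)
    $keyPresent = Test-AvCompatibilityKey
    if (-not $keyPresent -and $Set) {
        Set-AvCompatibilityKey
        $keyPresent = Test-AvCompatibilityKey
    }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AvCompatibilityKey  = $keyPresent
        MitigationSettings  = Get-MitigationStatus
    }
}

# Usage: audit only, then (if appropriate) create the key.
Invoke-PatchReadinessAudit
# Invoke-PatchReadinessAudit -Set
```

Run the audit first; a machine whose AV vendor has already set the key will report AvCompatibilityKey as $true and needs nothing more. Use -Set only on hosts that match the post's manual case, since the key is a statement to Windows Update that the installed security software is compatible.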
As recently as this week additional derivatives of these vulnerabilities have been announced, so this is not over. Fixes will continue to be released for the foreseeable future, so keep your operating systems up to date and check your vendor support sites regularly for additional updates. But be aware that these fixes have not been without their own issues. The initial CPU patch that was released caused some system instability issues and had to be withdrawn, and the new patch affects performance negatively. Test as much as possible before rolling these out to production, but they will be required to ensure a secure environment.