SlideShare a Scribd company logo

VMware response to L1TF (CVE-2018-3646) in vSphere

Download as DOCX, PDF
Wafa Hammami
Wafa Hammami

This document provides information and mitigation steps for CVE-2018-3646 (L1 Terminal Fault - VMM) on VMware vSphere. It describes the vulnerability, which allows a malicious VM to infer privileged information from the hypervisor or other VMs on the same physical core. It outlines a three phase mitigation process: 1) Apply updates and patches, 2) Assess environment impact, 3) Enable the ESXi Side-Channel-Aware Scheduler which schedules VMs on one logical processor per core and may impact performance.

Engineering
1 of 7
VMware response to ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere: CVE-2018-3646 (55806) Last Updated: 5/2/2019Categories: Security 34 Symptoms This article documents the Hypervisor-Specific Mitigations required to address CVE-2018-3646 (L1 Terminal Fault - VMM) in vSphere. The Update History section of this article will be revised if there is a significant change. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. Introduction to CVE-2018-3646 Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that can occur on past and current Intel processors (from at least 2009 – 2018) [See Table 1 for supported vSphere processors that are affected]. Like Meltdown, Rogue System Register Read, and "Lazy FP state restore", the “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing the speculation in these cases, the affected Intel microprocessors expose a new side-channel for attack. (Note, however, that architectural correctness is still provided as the speculative operations will be later nullified at instruction retirement.) CVE-2018-3646 is one of these Intel microprocessor vulnerabilities and impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor's or another VM's privileged information residing at the same time in the same core's L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage. CVE-2018-3646 has two currently known attack vectors which will be referred to here as "Sequential-Context" and "Concurrent-Context.” Both attack vectors must be addressed to mitigate CVE-2018-3646. Attack Vector Summary  Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.  Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core. Mitigation Summary Mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches. This mitigation is enabled by default and does not impose a significant performance impact. Please see resolution section for details.
 Mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please see resolution section for details. Important: Disabling Intel Hyperthreading in firmware/BIOS (or by using VMkernel.Boot.Hyperthreading) after applying vSphere updates and patches is not recommended and precludes potential vSphere scheduler enhancements and mitigations that will allow the use of both logical processors. As such, disablement of hyperthreading to mitigate the Concurrent-context attack vector will introduce unnecessary operational overhead as hyperthreading may need to be re-enabled in the future. Resolution The mitigation process for CVE-2018-3646 is divided into three phases: 1. Update Phase: Apply vSphere Updates and Patches The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in VMware Security Advisory VMSA-2018-0020. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) which are also documented in VMSA-2018-0020. This mitigation is enabled by default and does not impose a significant performance impact. Note: As displayed in the workflow above, vCenter Server should be updated prior to applying ESXi patches. Notification messages were added in the aforementioned updates and patches to explain that the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. If ESXi is updated prior to vCenter you may receive cryptic notification messages relating to this. After vCenter has been updated, the notifications will be shown correctly. 2. Planning Phase: Assess Your Environment The Concurrent-context attack vector is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler which is included in the updates and patches listed in VMSA-2018-0020. This scheduler is not enabled by default. Enablement of this scheduler may impose a non-trivial performance impact on applications
running in a vSphere environment. The goal of the Planning Phase is to understand if your current environment has sufficient CPU capacity to enable the scheduler without operational impact. The following list summarizes potential problem areas after enabling the ESXi Side-Channel-Aware Scheduler:  VMs configured with vCPUs greater than the physical cores available on the ESXi host  VMs configured with custom affinity or NUMA settings  VMs with latency-sensitive configuration  ESXi hosts with Average CPU Usage greater than 70%  Hosts with custom CPU resource management options enabled  HA Clusters where a rolling upgrade will increase Average CPU Usage above 100% Important: The above list is meant to be a brief overview of potential problem areas related to enablement of the ESXi Side-Channel-Aware Scheduler. The VMware Performance Team has provided an in-depth guide as well as performance data in KB55767. It is strongly suggested to thoroughly review this document prior to enablement of the scheduler. Note: It may be necessary to acquire additional hardware, or rebalance existing workloads, before enablement of the ESXi Side-Channel-Aware Scheduler. Organizations can choose not to enable the ESXi Side-Channel- Aware Scheduler after performing a risk assessment and accepting the risk posed by the Concurrent-context attack vector. This is NOT RECOMMENDED and VMware cannot make this decision on behalf of an organization. 3. Scheduler-Enablement Phase: a. Enable the ESXi Side-Channel-Aware Scheduler in ESXi 5.5, 6.0, 6.5, and 6.7 prior to 6.7u2. After addressing the potential problem areas described above during the Planning Phase, the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. The scheduler can be enabled on an individual ESXi host via the advanced configuration option hyperthreadingMitigation. Notes:  Enabling this option will result in the vSphere UI reporting only a single logical processor per physical core; halving the number of logical processors if Hyperthreading was previously enabled. In addition Hyperthreading may be reported as 'Disabled' in various configuration tabs.  The current ESXi Side-Channel-Aware scheduler also addresses CVE-2018-5407. Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab. 4. Click the Settings sub-tab. 5. Under the System heading, click Advanced System Settings. 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name and click the Edit pencil icon. 8. Change the configuration option to true (default: false). 9. Click OK. 10. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME.
2. Click the Manage tab 3. Click the Advanced settings sub-tab 4. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 5. Select the setting by name and click the Edit pencil icon 6. Change the configuration option to true (default: false) 7. Click Save. 8. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler setting using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime value of the HTAware Mitigation Setting by running esxcli system settings kernel list -o hyperthreadingMitigation 3. To enable HT Aware Mitigation, run this command: esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 4. Reboot the ESXi host for the configuration change to go into effect. b. Enable the ESXi Side-Channel-Aware Scheduler (SCAv1) or the ESXi Side-Channel-Aware Scheduler v2 (SCAv2) in ESXi 6.7u2 (13006603) or later Note: ESXi 6.7u2 (13006603) and future release lines of ESXi include the ESXi Side-Channel-Aware Scheduler v2. Prior release lines such as 6.5, 6.0, and 5.5 cannot accommodate this new scheduler. VMware has published a white paper entitled Performance of vSphere 6.7 Scheduling Options which provides a more detailed look into the performance differences between SCAv1 and SCAv2. Please review this document before continuing. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab.
4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to true (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to true (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v TRUE 6. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to false (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect.
Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to false (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v FALSE 6. Reboot the ESXi host for the configuration change to go into effect. ESXi 6.7u2 (and later) Scheduler Configuration Summary hyperthreadingMitigation hyperthreadingMitigationIntraVM Scheduler Enabled FALSE TRUE or FALSE Default scheduler (unmitigated) TRUE TRUE SCAv1 TRUE FALSE SCAv2 HTAware Mitigation Tool VMware has provided a tool to assist in performing both the Planning Phase and the Scheduler-Enablement Phase at scale. This tool has been updated to include SCAv2 support and can be found in KB56931 along with detailed instructions on its usage, capabilities, and limitations. Table 1: Affected Intel Processors Supported by ESXi Intel Code Name FMS Intel Brand Names Nehalem-EP 0x106a5 Intel Xeon35xx Series; Intel Xeon55xx Series Lynnfield 0x106e5 Intel Xeon34xx Lynnfield Series Clarkdale 0x20652 Intel i3/i5 Clarkdale Series; Intel Xeon34xx ClarkdaleSeries Arrandale 0x20655 Intel Corei7-620LEProcessor SandyBridge DT 0x206a7 Intel XeonE3-1100Series; Intel XeonE3-1200Series; Intel i7-2655-LESeries; Inteli3-2100 Series
Westmere EP 0x206c2 Intel Xeon56xx Series; Intel Xeon36xx Series SandyBridge EP 0x206d7 Intel Pentium 1400 Series; Intel XeonE5-1400Series; Intel XeonE5-1600Series; Intel XeonE5-2400Series; Intel XeonE5-2600Series; Intel XeonE5-4600Series NehalemEX 0x206e6 Intel Xeon65xx Series; Intel Xeon75xx Series Westmere EX 0x206f2 Intel XeonE7-8800Series; Intel XeonE7-4800Series; Intel XeonE7-2800Series Ivy Bridge DT 0x306a9 Intel i3-3200 Series; Inteli7-3500-LE/UE, Inteli7-3600-QE, Intel XeonE3-1200-v2 Series; Intel XeonE3-1100-C-v2 Series; Intel Pentium B925C Haswell DT 0x306c3 Intel XeonE3-1200-v3 Series Ivy Bridge EP 0x306e4 Intel XeonE5-4600-v2 Series; Intel XeonE5-2400-v2 Series; Intel XeonE5-2600-v2 Series; Intel XeonE5-1400-v2 Series; Intel XeonE5-2600-v2 Series Ivy Bridge EX 0x306e7 Intel XeonE7-8800/4800/2800-v2Series Haswell EP 0x306f2 Intel XeonE5-2400-v3 Series; Intel XeonE5-1400-v3 Series; Intel XeonE5-1600-v3 Series; Intel XeonE5-2600-v3 Series; Intel XeonE5-4600-v3 Series Haswell EX 0x306f4 Intel XeonE7-8800/4800-v3Series Broadwell H 0x40671 Intel Corei7-5700EQ; Intel XeonE3-1200-v4 Series Avoton 0x406d8 Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series Broadwell EP/EX 0x406f1 Intel XeonE7-8800/4800-v4Series; Intel XeonE5-4600-v4 Series; Intel XeonE5-2600-v4 Series; Intel XeonE5-1600-v4 Series Skylake SP 0x50654 Intel XeonPlatinum8100(Skylake-SP) Series; Intel XeonGold 6100/5100 (Skylake-SP) Series Intel XeonSilver 4100, Bronze 3100 (Skylake-SP) Series Broadwell DE 0x50662 Intel XeonD-1500Series Broadwell DE 0x50663 Intel XeonD-1500Series Broadwell DE 0x50664 Intel XeonD-1500Series Broadwell NS 0x50665 Intel XeonD-1500Series Skylake H/S 0x506e3 Intel XeonE3-1500-v5 Series; Intel XeonE3-1200-v5 Series KabyLake H/S/X 0x906e9 Intel XeonE3-1200-v6 Related InformationKnow more about L1TF (L1 Terminal Fault) here Update History 08/14/18: Initial publication. 10/15/18: Added note to '3. Scheduler-Enablement Phase' to clarify that enablement of the ESXi Side-Channel- Aware Scheduler will result in the vSphere UI reporting only a single logical processor per physical core. 11/02/18: Updated '3. Scheduler-Enablement Phase' to note that CVE-2018-5407 disclosed today is also mitigated through enablement of the current ESXi Side-Channel-Aware Scheduler. 04/11/19: Updated document with information regarding the ESXi Side-Channel-Aware Scheduler Version 2 which was introduced in ESXi 6.7u2. Request a Product Feature To request a new product feature, please contact your VMware representative.

Recommended

Addressing the scalability challenge of server sent events presentation
Addressing the scalability challenge of server sent events presentationAddressing the scalability challenge of server sent events presentation
Addressing the scalability challenge of server sent events presentationcdmalord
 
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Akamai Technologies
 
Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For WorkflowTimothy Spann
 
Postgres on OpenStack
Postgres on OpenStackPostgres on OpenStack
Postgres on OpenStackEDB
 
Time series with Apache Cassandra - Long version
Time series with Apache Cassandra - Long versionTime series with Apache Cassandra - Long version
Time series with Apache Cassandra - Long versionPatrick McFadin
 
Introducing EDB Failover Manager
Introducing EDB Failover ManagerIntroducing EDB Failover Manager
Introducing EDB Failover ManagerEDB
 
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino Busa
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino BusaReal-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino Busa
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino BusaSpark Summit
 
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술Taeguk Kwon
 

Recommended

Addressing the scalability challenge of server sent events presentation
Addressing the scalability challenge of server sent events presentationAddressing the scalability challenge of server sent events presentation
Addressing the scalability challenge of server sent events presentationcdmalord
 
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Akamai Technologies
 
Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For WorkflowTimothy Spann
 
Postgres on OpenStack
Postgres on OpenStackPostgres on OpenStack
Postgres on OpenStackEDB
 
Time series with Apache Cassandra - Long version
Time series with Apache Cassandra - Long versionTime series with Apache Cassandra - Long version
Time series with Apache Cassandra - Long versionPatrick McFadin
 
Introducing EDB Failover Manager
Introducing EDB Failover ManagerIntroducing EDB Failover Manager
Introducing EDB Failover ManagerEDB
 
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino Busa
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino BusaReal-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino Busa
Real-Time Anomoly Detection with Spark MLib, Akka and Cassandra by Natalino BusaSpark Summit
 
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술
[NDC21] <쿠키런: 킹덤> 서버 아키텍처 뜯어먹기! - 천만 왕국을 지탱하는 다섯가지 핵심 기술Taeguk Kwon
 
Building an Observability platform with ClickHouse
Building an Observability platform with ClickHouseBuilding an Observability platform with ClickHouse
Building an Observability platform with ClickHouseAltinity Ltd
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecNathen Harvey
 
A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...HostedbyConfluent
 
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...Amazon Web Services
 
BootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみたBootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみたBeMarble
 
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드taeseon ryu
 
Apache Spark vs Apache Flink
Apache Spark vs Apache FlinkApache Spark vs Apache Flink
Apache Spark vs Apache FlinkAKASH SIHAG
 
Scaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsScaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsHyojun Kim
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutronrktidwell
 
Facebook prophet
Facebook prophetFacebook prophet
Facebook prophetMinho Lee
 
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...PGConf APAC
 
AWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUGAWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUGha suyoung
 
Apache pulsar - storage architecture
Apache pulsar - storage architectureApache pulsar - storage architecture
Apache pulsar - storage architectureMatteo Merli
 
Stream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream SharingStream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream Sharingconfluent
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Productionconfluent
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security DataWorks Summit/Hadoop Summit
 
Summit supercomputer
Summit supercomputerSummit supercomputer
Summit supercomputerAbhijithAbhi35
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafkaemreakis
 
Juliaで前処理
Juliaで前処理Juliaで前処理
Juliaで前処理weda654
 
Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQDavid Pasek
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsDhymas Mahendra
 

More Related Content

What's hot

Building an Observability platform with ClickHouse
Building an Observability platform with ClickHouseBuilding an Observability platform with ClickHouse
Building an Observability platform with ClickHouseAltinity Ltd
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecNathen Harvey
 
A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...HostedbyConfluent
 
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...Amazon Web Services
 
BootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみたBootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみたBeMarble
 
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드taeseon ryu
 
Apache Spark vs Apache Flink
Apache Spark vs Apache FlinkApache Spark vs Apache Flink
Apache Spark vs Apache FlinkAKASH SIHAG
 
Scaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsScaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsHyojun Kim
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutronrktidwell
 
Facebook prophet
Facebook prophetFacebook prophet
Facebook prophetMinho Lee
 
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...PGConf APAC
 
AWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUGAWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUGha suyoung
 
Apache pulsar - storage architecture
Apache pulsar - storage architectureApache pulsar - storage architecture
Apache pulsar - storage architectureMatteo Merli
 
Stream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream SharingStream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream Sharingconfluent
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Productionconfluent
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafkaemreakis
 
Juliaで前処理
Juliaで前処理Juliaで前処理
Juliaで前処理weda654
 

What's hot (20)

Building an Observability platform with ClickHouse
Building an Observability platform with ClickHouseBuilding an Observability platform with ClickHouse
Building an Observability platform with ClickHouse
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpec
 
A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...A Kafka-based platform to process medical prescriptions of Germany’s health i...
A Kafka-based platform to process medical prescriptions of Germany’s health i...
 
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
AWS Serverless Interface Building and Cerner's FHIR Experience (HLC401) - AWS...
 
BootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみたBootstrapとRailsで、 高速にWebサイトを作ってみた
BootstrapとRailsで、 高速にWebサイトを作ってみた
 
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
딥러닝 논문읽기 모임 - 송헌 Deep sets 슬라이드
 
Apache Spark vs Apache Flink
Apache Spark vs Apache FlinkApache Spark vs Apache Flink
Apache Spark vs Apache Flink
 
Scaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsScaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge Proofs
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutron
 
Facebook prophet
Facebook prophetFacebook prophet
Facebook prophet
 
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
PGConf APAC 2018 - PostgreSQL HA with Pgpool-II and whats been happening in P...
 
AWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUGAWS load balancers deep dive-AWSKRUG
AWS load balancers deep dive-AWSKRUG
 
Apache pulsar - storage architecture
Apache pulsar - storage architectureApache pulsar - storage architecture
Apache pulsar - storage architecture
 
Stream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream SharingStream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream Sharing
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Production
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
 
Summit supercomputer
Summit supercomputerSummit supercomputer
Summit supercomputer
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache Pulsar
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafka
 
Juliaで前処理
Juliaで前処理Juliaで前処理
Juliaで前処理
 

Similar to VMware response to L1TF (CVE-2018-3646) in vSphere

Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQDavid Pasek
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsDhymas Mahendra
 
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidHitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidChetan Gabhane
 
VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1Louis Göhl
 
Vsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscsVsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscskanth2161
 
Networker integration for optimal performance
Networker integration for optimal performanceNetworker integration for optimal performance
Networker integration for optimal performanceMohamed Sohail
 
VMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxVMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxssuser4d1c08
 
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...Vinay Mehta
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-trainingnarit_ton
 
Vsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideVsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideSree Harsha Boyapati
 
ESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesProtect724tk
 
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Principled Technologies
 
ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes Protect724mouni
 

Similar to VMware response to L1TF (CVE-2018-3646) in vSphere (20)

Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQ
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscs
 
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidHitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
 
VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1
 
Vsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscsVsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscs
 
Upgrade Guide for ESM 6.8c
Upgrade Guide for ESM 6.8cUpgrade Guide for ESM 6.8c
Upgrade Guide for ESM 6.8c
 
Networker integration for optimal performance
Networker integration for optimal performanceNetworker integration for optimal performance
Networker integration for optimal performance
 
VMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxVMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptx
 
IBM XIV Gen3 Storage System
IBM XIV Gen3 Storage SystemIBM XIV Gen3 Storage System
IBM XIV Gen3 Storage System
 
Vdi pre req
Vdi pre reqVdi pre req
Vdi pre req
 
Operational Management Challenges for Converged Infrastructure
Operational Management Challenges for Converged Infrastructure Operational Management Challenges for Converged Infrastructure
Operational Management Challenges for Converged Infrastructure
 
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
 
Windows Server 2012 Virtualization: Notes from the Field
Windows Server 2012 Virtualization: Notes from the FieldWindows Server 2012 Virtualization: Notes from the Field
Windows Server 2012 Virtualization: Notes from the Field
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-training
 
Vsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideVsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guide
 
Virtualization & tipping point
Virtualization & tipping pointVirtualization & tipping point
Virtualization & tipping point
 
Vmware inter
Vmware interVmware inter
Vmware inter
 
ESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release Notes
 
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
 
ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes
 

More from Wafa Hammami

guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfWafa Hammami
 
ITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfWafa Hammami
 
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfWafa Hammami
 
guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfWafa Hammami
 
bpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfbpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfWafa Hammami
 
Sage x3 solution capabilities
Sage x3 solution capabilitiesSage x3 solution capabilities
Sage x3 solution capabilitiesWafa Hammami
 

More from Wafa Hammami (6)

guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdf
 
ITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdf
 
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
 
guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdf
 
bpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfbpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdf
 
Sage x3 solution capabilities
Sage x3 solution capabilitiesSage x3 solution capabilities
Sage x3 solution capabilities
 

Recently uploaded

Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 

Recently uploaded (20)

Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 

VMware response to L1TF (CVE-2018-3646) in vSphere

  • 1. VMware response to ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere: CVE-2018-3646 (55806) Last Updated: 5/2/2019Categories: Security 34 Symptoms This article documents the Hypervisor-Specific Mitigations required to address CVE-2018-3646 (L1 Terminal Fault - VMM) in vSphere. The Update History section of this article will be revised if there is a significant change. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. Introduction to CVE-2018-3646 Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that can occur on past and current Intel processors (from at least 2009 – 2018) [See Table 1 for supported vSphere processors that are affected]. Like Meltdown, Rogue System Register Read, and "Lazy FP state restore", the “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing the speculation in these cases, the affected Intel microprocessors expose a new side-channel for attack. (Note, however, that architectural correctness is still provided as the speculative operations will be later nullified at instruction retirement.) CVE-2018-3646 is one of these Intel microprocessor vulnerabilities and impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor's or another VM's privileged information residing at the same time in the same core's L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage. CVE-2018-3646 has two currently known attack vectors which will be referred to here as "Sequential-Context" and "Concurrent-Context.” Both attack vectors must be addressed to mitigate CVE-2018-3646. Attack Vector Summary  Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.  Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core. Mitigation Summary Mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches. This mitigation is enabled by default and does not impose a significant performance impact. Please see resolution section for details.
  • 2.  Mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please see resolution section for details. Important: Disabling Intel Hyperthreading in firmware/BIOS (or by using VMkernel.Boot.Hyperthreading) after applying vSphere updates and patches is not recommended and precludes potential vSphere scheduler enhancements and mitigations that will allow the use of both logical processors. As such, disablement of hyperthreading to mitigate the Concurrent-context attack vector will introduce unnecessary operational overhead as hyperthreading may need to be re-enabled in the future. Resolution The mitigation process for CVE-2018-3646 is divided into three phases: 1. Update Phase: Apply vSphere Updates and Patches The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in VMware Security Advisory VMSA-2018-0020. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) which are also documented in VMSA-2018-0020. This mitigation is enabled by default and does not impose a significant performance impact. Note: As displayed in the workflow above, vCenter Server should be updated prior to applying ESXi patches. Notification messages were added in the aforementioned updates and patches to explain that the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. If ESXi is updated prior to vCenter you may receive cryptic notification messages relating to this. After vCenter has been updated, the notifications will be shown correctly. 2. Planning Phase: Assess Your Environment The Concurrent-context attack vector is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler which is included in the updates and patches listed in VMSA-2018-0020. This scheduler is not enabled by default. Enablement of this scheduler may impose a non-trivial performance impact on applications
  • 3. running in a vSphere environment. The goal of the Planning Phase is to understand if your current environment has sufficient CPU capacity to enable the scheduler without operational impact. The following list summarizes potential problem areas after enabling the ESXi Side-Channel-Aware Scheduler:  VMs configured with vCPUs greater than the physical cores available on the ESXi host  VMs configured with custom affinity or NUMA settings  VMs with latency-sensitive configuration  ESXi hosts with Average CPU Usage greater than 70%  Hosts with custom CPU resource management options enabled  HA Clusters where a rolling upgrade will increase Average CPU Usage above 100% Important: The above list is meant to be a brief overview of potential problem areas related to enablement of the ESXi Side-Channel-Aware Scheduler. The VMware Performance Team has provided an in-depth guide as well as performance data in KB55767. It is strongly suggested to thoroughly review this document prior to enablement of the scheduler. Note: It may be necessary to acquire additional hardware, or rebalance existing workloads, before enablement of the ESXi Side-Channel-Aware Scheduler. Organizations can choose not to enable the ESXi Side-Channel- Aware Scheduler after performing a risk assessment and accepting the risk posed by the Concurrent-context attack vector. This is NOT RECOMMENDED and VMware cannot make this decision on behalf of an organization. 3. Scheduler-Enablement Phase: a. Enable the ESXi Side-Channel-Aware Scheduler in ESXi 5.5, 6.0, 6.5, and 6.7 prior to 6.7u2. After addressing the potential problem areas described above during the Planning Phase, the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. The scheduler can be enabled on an individual ESXi host via the advanced configuration option hyperthreadingMitigation. Notes:  Enabling this option will result in the vSphere UI reporting only a single logical processor per physical core; halving the number of logical processors if Hyperthreading was previously enabled. In addition Hyperthreading may be reported as 'Disabled' in various configuration tabs.  The current ESXi Side-Channel-Aware scheduler also addresses CVE-2018-5407. Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab. 4. Click the Settings sub-tab. 5. Under the System heading, click Advanced System Settings. 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name and click the Edit pencil icon. 8. Change the configuration option to true (default: false). 9. Click OK. 10. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME.
  • 4. 2. Click the Manage tab 3. Click the Advanced settings sub-tab 4. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 5. Select the setting by name and click the Edit pencil icon 6. Change the configuration option to true (default: false) 7. Click Save. 8. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler setting using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime value of the HTAware Mitigation Setting by running esxcli system settings kernel list -o hyperthreadingMitigation 3. To enable HT Aware Mitigation, run this command: esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 4. Reboot the ESXi host for the configuration change to go into effect. b. Enable the ESXi Side-Channel-Aware Scheduler (SCAv1) or the ESXi Side-Channel-Aware Scheduler v2 (SCAv2) in ESXi 6.7u2 (13006603) or later Note: ESXi 6.7u2 (13006603) and future release lines of ESXi include the ESXi Side-Channel-Aware Scheduler v2. Prior release lines such as 6.5, 6.0, and 5.5 cannot accommodate this new scheduler. VMware has published a white paper entitled Performance of vSphere 6.7 Scheduling Options which provides a more detailed look into the performance differences between SCAv1 and SCAv2. Please review this document before continuing. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab.
  • 5. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to true (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to true (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v TRUE 6. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to false (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect.
  • 6. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to false (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v FALSE 6. Reboot the ESXi host for the configuration change to go into effect. ESXi 6.7u2 (and later) Scheduler Configuration Summary hyperthreadingMitigation hyperthreadingMitigationIntraVM Scheduler Enabled FALSE TRUE or FALSE Default scheduler (unmitigated) TRUE TRUE SCAv1 TRUE FALSE SCAv2 HTAware Mitigation Tool VMware has provided a tool to assist in performing both the Planning Phase and the Scheduler-Enablement Phase at scale. This tool has been updated to include SCAv2 support and can be found in KB56931 along with detailed instructions on its usage, capabilities, and limitations. Table 1: Affected Intel Processors Supported by ESXi Intel Code Name FMS Intel Brand Names Nehalem-EP 0x106a5 Intel Xeon35xx Series; Intel Xeon55xx Series Lynnfield 0x106e5 Intel Xeon34xx Lynnfield Series Clarkdale 0x20652 Intel i3/i5 Clarkdale Series; Intel Xeon34xx ClarkdaleSeries Arrandale 0x20655 Intel Corei7-620LEProcessor SandyBridge DT 0x206a7 Intel XeonE3-1100Series; Intel XeonE3-1200Series; Intel i7-2655-LESeries; Inteli3-2100 Series
  • 7. Westmere EP 0x206c2 Intel Xeon56xx Series; Intel Xeon36xx Series SandyBridge EP 0x206d7 Intel Pentium 1400 Series; Intel XeonE5-1400Series; Intel XeonE5-1600Series; Intel XeonE5-2400Series; Intel XeonE5-2600Series; Intel XeonE5-4600Series NehalemEX 0x206e6 Intel Xeon65xx Series; Intel Xeon75xx Series Westmere EX 0x206f2 Intel XeonE7-8800Series; Intel XeonE7-4800Series; Intel XeonE7-2800Series Ivy Bridge DT 0x306a9 Intel i3-3200 Series; Inteli7-3500-LE/UE, Inteli7-3600-QE, Intel XeonE3-1200-v2 Series; Intel XeonE3-1100-C-v2 Series; Intel Pentium B925C Haswell DT 0x306c3 Intel XeonE3-1200-v3 Series Ivy Bridge EP 0x306e4 Intel XeonE5-4600-v2 Series; Intel XeonE5-2400-v2 Series; Intel XeonE5-2600-v2 Series; Intel XeonE5-1400-v2 Series; Intel XeonE5-2600-v2 Series Ivy Bridge EX 0x306e7 Intel XeonE7-8800/4800/2800-v2Series Haswell EP 0x306f2 Intel XeonE5-2400-v3 Series; Intel XeonE5-1400-v3 Series; Intel XeonE5-1600-v3 Series; Intel XeonE5-2600-v3 Series; Intel XeonE5-4600-v3 Series Haswell EX 0x306f4 Intel XeonE7-8800/4800-v3Series Broadwell H 0x40671 Intel Corei7-5700EQ; Intel XeonE3-1200-v4 Series Avoton 0x406d8 Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series Broadwell EP/EX 0x406f1 Intel XeonE7-8800/4800-v4Series; Intel XeonE5-4600-v4 Series; Intel XeonE5-2600-v4 Series; Intel XeonE5-1600-v4 Series Skylake SP 0x50654 Intel XeonPlatinum8100(Skylake-SP) Series; Intel XeonGold 6100/5100 (Skylake-SP) Series Intel XeonSilver 4100, Bronze 3100 (Skylake-SP) Series Broadwell DE 0x50662 Intel XeonD-1500Series Broadwell DE 0x50663 Intel XeonD-1500Series Broadwell DE 0x50664 Intel XeonD-1500Series Broadwell NS 0x50665 Intel XeonD-1500Series Skylake H/S 0x506e3 Intel XeonE3-1500-v5 Series; Intel XeonE3-1200-v5 Series KabyLake H/S/X 0x906e9 Intel XeonE3-1200-v6 Related InformationKnow more about L1TF (L1 Terminal Fault) here Update History 08/14/18: Initial publication. 10/15/18: Added note to '3. Scheduler-Enablement Phase' to clarify that enablement of the ESXi Side-Channel- Aware Scheduler will result in the vSphere UI reporting only a single logical processor per physical core. 11/02/18: Updated '3. Scheduler-Enablement Phase' to note that CVE-2018-5407 disclosed today is also mitigated through enablement of the current ESXi Side-Channel-Aware Scheduler. 04/11/19: Updated document with information regarding the ESXi Side-Channel-Aware Scheduler Version 2 which was introduced in ESXi 6.7u2. Request a Product Feature To request a new product feature, please contact your VMware representative.