There is nothing like starting the new year off with a small bout of panic.
As of this morning I’ve had a number of my partners calling up asking for an update on VMware’s position against the recently publicized CPU vulnerabilities, Meltdown and Spectre.
If you don’t know what I’m talking about, have a look at the following article from the Project Zero team at Google. These guys do a really good job of explaining what all the noise is about.
On the VMware side, the good news is that we have already released a number of updates that contain fixes to address the vulnerabilities in question. On an even more positive note, given that these patches were released last year, there is a good chance that many environments out there are already patched.
The three identified CVEs in question are CVE-2017-5753, CVE-2017-5715 (both Spectre), and CVE-2017-5754 (Meltdown).
The patches that have been made available by VMware address CVE-2017-5753 and CVE-2017-5715.
CVE-2017-5754 (Meltdown) does not affect ESXi because ESXi does not run untrusted user mode code. VMware Workstation and VMware Fusion rely on the underlying host OS, which should be patched for the vulnerability.
The remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017.
In closing, tests performed so far have revealed no measurable performance impact for virtual machines running on ESXi. Guest operating systems that are patched inside the virtual machines themselves may, however, experience a performance impact, depending on the patch provided by the OS vendor.