vSphere Patch Validation script for Spectre

One of our tech guys wrote a very neat little PowerCLI script that inspects the vCenter server and the ESXi hosts in a vSphere environment and compares their current build numbers against the builds that carry the Spectre patches.

I take no credit in any way for the script. All credit goes to Vikas. Here is a high-level overview of what the script does.

  1. Validates vCenter current build against patched build.
  2. Connects to the hosts within the specified cluster.
  3. A small VM is created on each host and powered on and off to determine the host build status.
  4. Output is written to a .csv file for analysis.
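As an added illustration of steps 1, 2 and 4 (this is example code, not Vikas' script, and it leaves out the test-VM step), the PowerCLI fragment below compares the vCenter and ESXi host builds against a minimum-build table you fill in from VMSA-2018-0004, records the CPUID features (IBRS, IBPB, STIBP) the host reports, and writes the result to a CSV. The cluster name, output path and the build numbers in the table are placeholders.

```powershell
param(
    [string]$ClusterName = 'PLACEHOLDER-Cluster',
    [string]$OutFile     = '.\spectre-build-status.csv'
)
# Added example, not Vikas' script. Requires PowerCLI and an existing Connect-VIServer session.
# PLACEHOLDERS: replace each $null with the patched build number listed in VMSA-2018-0004.
$MinimumBuild = @{
    vCenter = @{ '6.5' = $null; '6.0' = $null; '5.5' = $null }
    ESXi    = @{ '6.5' = $null; '6.0' = $null; '5.5' = $null }
}

function Get-MajorMinor([string]$Version) { ($Version -split '\.')[0..1] -join '.' }

# Compare a product's running build with the minimum patched build for its major.minor version.
function Test-Build {
    param([string]$Product, [string]$Version, [int]$Build)
    $required = $MinimumBuild[$Product][(Get-MajorMinor $Version)]
    if ($null -eq $required) { return 'Unknown (no minimum build configured)' }
    if ($Build -ge $required) { 'Patched' } else { 'Unpatched' }
}

$vc = $global:DefaultVIServer
if (-not $vc) { throw 'Run Connect-VIServer first.' }

$rows = @()
$rows += [pscustomobject]@{
    Name = $vc.Name; Type = 'vCenter'; Version = $vc.Version; Build = $vc.Build
    IBRS = ''; IBPB = ''; STIBP = ''
    Status = Test-Build -Product vCenter -Version $vc.Version -Build $vc.Build
}

foreach ($h in Get-Cluster -Name $ClusterName | Get-VMHost) {
    # FeatureCapability lists the CPUID features the host can expose to VMs;
    # the Spectre microcode and ESXi fixes add the cpuid.IBRS/IBPB/STIBP entries.
    $caps = @{}
    foreach ($c in $h.ExtensionData.Config.FeatureCapability) { $caps[$c.FeatureName] = $c.Value }
    $rows += [pscustomobject]@{
        Name = $h.Name; Type = 'ESXi'; Version = $h.Version; Build = $h.Build
        IBRS = $caps['cpuid.IBRS']; IBPB = $caps['cpuid.IBPB']; STIBP = $caps['cpuid.STIBP']
        Status = Test-Build -Product ESXi -Version $h.Version -Build $h.Build
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table -AutoSize
```

A host that shows a patched build but empty IBRS/IBPB/STIBP columns usually still needs the CPU microcode (firmware) update, which is why the CSV carries both.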

The script itself can be downloaded from Vikas’ blog or from his GitHub repository.

Edit: VMware have also released another Security Advisory, VMSA-2018-004, that details the patches required for the environment along with the additional requirements that must be met to mitigate the guest OS vulnerability (apart from the obvious guest OS patches).

One point I’d like to call out is that in all instances the vCenter server, if used, should be patched first, followed by the ESXi hosts and then the VM hardware version. For details on how to update the VM hardware version, please see VMware KB article KB1010675.

Below is a short video of the script in action.

*Please note, this script is provided as is and without support. Use at your own risk.*
