SlideShare a Scribd company logo

VMware response to L1TF (CVE-2018-3646) in vSphere

Download as DOCX, PDF
Wafa Hammami
Wafa Hammami

This document provides information and mitigation steps for CVE-2018-3646 (L1 Terminal Fault - VMM) on VMware vSphere. It describes the vulnerability, which allows a malicious VM to infer privileged information from the hypervisor or other VMs on the same physical core. It outlines a three phase mitigation process: 1) Apply updates and patches, 2) Assess environment impact, 3) Enable the ESXi Side-Channel-Aware Scheduler which schedules VMs on one logical processor per core and may impact performance.

Engineering
1 of 7
VMware response to ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere: CVE-2018-3646 (55806) Last Updated: 5/2/2019Categories: Security 34 Symptoms This article documents the Hypervisor-Specific Mitigations required to address CVE-2018-3646 (L1 Terminal Fault - VMM) in vSphere. The Update History section of this article will be revised if there is a significant change. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. Introduction to CVE-2018-3646 Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that can occur on past and current Intel processors (from at least 2009 – 2018) [See Table 1 for supported vSphere processors that are affected]. Like Meltdown, Rogue System Register Read, and "Lazy FP state restore", the “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing the speculation in these cases, the affected Intel microprocessors expose a new side-channel for attack. (Note, however, that architectural correctness is still provided as the speculative operations will be later nullified at instruction retirement.) CVE-2018-3646 is one of these Intel microprocessor vulnerabilities and impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor's or another VM's privileged information residing at the same time in the same core's L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage. CVE-2018-3646 has two currently known attack vectors which will be referred to here as "Sequential-Context" and "Concurrent-Context.” Both attack vectors must be addressed to mitigate CVE-2018-3646. Attack Vector Summary  Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.  Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core. Mitigation Summary Mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches. This mitigation is enabled by default and does not impose a significant performance impact. Please see resolution section for details.
 Mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please see resolution section for details. Important: Disabling Intel Hyperthreading in firmware/BIOS (or by using VMkernel.Boot.Hyperthreading) after applying vSphere updates and patches is not recommended and precludes potential vSphere scheduler enhancements and mitigations that will allow the use of both logical processors. As such, disablement of hyperthreading to mitigate the Concurrent-context attack vector will introduce unnecessary operational overhead as hyperthreading may need to be re-enabled in the future. Resolution The mitigation process for CVE-2018-3646 is divided into three phases: 1. Update Phase: Apply vSphere Updates and Patches The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in VMware Security Advisory VMSA-2018-0020. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) which are also documented in VMSA-2018-0020. This mitigation is enabled by default and does not impose a significant performance impact. Note: As displayed in the workflow above, vCenter Server should be updated prior to applying ESXi patches. Notification messages were added in the aforementioned updates and patches to explain that the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. If ESXi is updated prior to vCenter you may receive cryptic notification messages relating to this. After vCenter has been updated, the notifications will be shown correctly. 2. Planning Phase: Assess Your Environment The Concurrent-context attack vector is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler which is included in the updates and patches listed in VMSA-2018-0020. This scheduler is not enabled by default. Enablement of this scheduler may impose a non-trivial performance impact on applications
running in a vSphere environment. The goal of the Planning Phase is to understand if your current environment has sufficient CPU capacity to enable the scheduler without operational impact. The following list summarizes potential problem areas after enabling the ESXi Side-Channel-Aware Scheduler:  VMs configured with vCPUs greater than the physical cores available on the ESXi host  VMs configured with custom affinity or NUMA settings  VMs with latency-sensitive configuration  ESXi hosts with Average CPU Usage greater than 70%  Hosts with custom CPU resource management options enabled  HA Clusters where a rolling upgrade will increase Average CPU Usage above 100% Important: The above list is meant to be a brief overview of potential problem areas related to enablement of the ESXi Side-Channel-Aware Scheduler. The VMware Performance Team has provided an in-depth guide as well as performance data in KB55767. It is strongly suggested to thoroughly review this document prior to enablement of the scheduler. Note: It may be necessary to acquire additional hardware, or rebalance existing workloads, before enablement of the ESXi Side-Channel-Aware Scheduler. Organizations can choose not to enable the ESXi Side-Channel- Aware Scheduler after performing a risk assessment and accepting the risk posed by the Concurrent-context attack vector. This is NOT RECOMMENDED and VMware cannot make this decision on behalf of an organization. 3. Scheduler-Enablement Phase: a. Enable the ESXi Side-Channel-Aware Scheduler in ESXi 5.5, 6.0, 6.5, and 6.7 prior to 6.7u2. After addressing the potential problem areas described above during the Planning Phase, the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. The scheduler can be enabled on an individual ESXi host via the advanced configuration option hyperthreadingMitigation. Notes:  Enabling this option will result in the vSphere UI reporting only a single logical processor per physical core; halving the number of logical processors if Hyperthreading was previously enabled. In addition Hyperthreading may be reported as 'Disabled' in various configuration tabs.  The current ESXi Side-Channel-Aware scheduler also addresses CVE-2018-5407. Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab. 4. Click the Settings sub-tab. 5. Under the System heading, click Advanced System Settings. 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name and click the Edit pencil icon. 8. Change the configuration option to true (default: false). 9. Click OK. 10. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME.
2. Click the Manage tab 3. Click the Advanced settings sub-tab 4. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 5. Select the setting by name and click the Edit pencil icon 6. Change the configuration option to true (default: false) 7. Click Save. 8. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler setting using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime value of the HTAware Mitigation Setting by running esxcli system settings kernel list -o hyperthreadingMitigation 3. To enable HT Aware Mitigation, run this command: esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 4. Reboot the ESXi host for the configuration change to go into effect. b. Enable the ESXi Side-Channel-Aware Scheduler (SCAv1) or the ESXi Side-Channel-Aware Scheduler v2 (SCAv2) in ESXi 6.7u2 (13006603) or later Note: ESXi 6.7u2 (13006603) and future release lines of ESXi include the ESXi Side-Channel-Aware Scheduler v2. Prior release lines such as 6.5, 6.0, and 5.5 cannot accommodate this new scheduler. VMware has published a white paper entitled Performance of vSphere 6.7 Scheduling Options which provides a more detailed look into the performance differences between SCAv1 and SCAv2. Please review this document before continuing. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab.
4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to true (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to true (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v TRUE 6. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to false (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect.
Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to false (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v FALSE 6. Reboot the ESXi host for the configuration change to go into effect. ESXi 6.7u2 (and later) Scheduler Configuration Summary hyperthreadingMitigation hyperthreadingMitigationIntraVM Scheduler Enabled FALSE TRUE or FALSE Default scheduler (unmitigated) TRUE TRUE SCAv1 TRUE FALSE SCAv2 HTAware Mitigation Tool VMware has provided a tool to assist in performing both the Planning Phase and the Scheduler-Enablement Phase at scale. This tool has been updated to include SCAv2 support and can be found in KB56931 along with detailed instructions on its usage, capabilities, and limitations. Table 1: Affected Intel Processors Supported by ESXi Intel Code Name FMS Intel Brand Names Nehalem-EP 0x106a5 Intel Xeon35xx Series; Intel Xeon55xx Series Lynnfield 0x106e5 Intel Xeon34xx Lynnfield Series Clarkdale 0x20652 Intel i3/i5 Clarkdale Series; Intel Xeon34xx ClarkdaleSeries Arrandale 0x20655 Intel Corei7-620LEProcessor SandyBridge DT 0x206a7 Intel XeonE3-1100Series; Intel XeonE3-1200Series; Intel i7-2655-LESeries; Inteli3-2100 Series
Westmere EP 0x206c2 Intel Xeon56xx Series; Intel Xeon36xx Series SandyBridge EP 0x206d7 Intel Pentium 1400 Series; Intel XeonE5-1400Series; Intel XeonE5-1600Series; Intel XeonE5-2400Series; Intel XeonE5-2600Series; Intel XeonE5-4600Series NehalemEX 0x206e6 Intel Xeon65xx Series; Intel Xeon75xx Series Westmere EX 0x206f2 Intel XeonE7-8800Series; Intel XeonE7-4800Series; Intel XeonE7-2800Series Ivy Bridge DT 0x306a9 Intel i3-3200 Series; Inteli7-3500-LE/UE, Inteli7-3600-QE, Intel XeonE3-1200-v2 Series; Intel XeonE3-1100-C-v2 Series; Intel Pentium B925C Haswell DT 0x306c3 Intel XeonE3-1200-v3 Series Ivy Bridge EP 0x306e4 Intel XeonE5-4600-v2 Series; Intel XeonE5-2400-v2 Series; Intel XeonE5-2600-v2 Series; Intel XeonE5-1400-v2 Series; Intel XeonE5-2600-v2 Series Ivy Bridge EX 0x306e7 Intel XeonE7-8800/4800/2800-v2Series Haswell EP 0x306f2 Intel XeonE5-2400-v3 Series; Intel XeonE5-1400-v3 Series; Intel XeonE5-1600-v3 Series; Intel XeonE5-2600-v3 Series; Intel XeonE5-4600-v3 Series Haswell EX 0x306f4 Intel XeonE7-8800/4800-v3Series Broadwell H 0x40671 Intel Corei7-5700EQ; Intel XeonE3-1200-v4 Series Avoton 0x406d8 Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series Broadwell EP/EX 0x406f1 Intel XeonE7-8800/4800-v4Series; Intel XeonE5-4600-v4 Series; Intel XeonE5-2600-v4 Series; Intel XeonE5-1600-v4 Series Skylake SP 0x50654 Intel XeonPlatinum8100(Skylake-SP) Series; Intel XeonGold 6100/5100 (Skylake-SP) Series Intel XeonSilver 4100, Bronze 3100 (Skylake-SP) Series Broadwell DE 0x50662 Intel XeonD-1500Series Broadwell DE 0x50663 Intel XeonD-1500Series Broadwell DE 0x50664 Intel XeonD-1500Series Broadwell NS 0x50665 Intel XeonD-1500Series Skylake H/S 0x506e3 Intel XeonE3-1500-v5 Series; Intel XeonE3-1200-v5 Series KabyLake H/S/X 0x906e9 Intel XeonE3-1200-v6 Related InformationKnow more about L1TF (L1 Terminal Fault) here Update History 08/14/18: Initial publication. 10/15/18: Added note to '3. Scheduler-Enablement Phase' to clarify that enablement of the ESXi Side-Channel- Aware Scheduler will result in the vSphere UI reporting only a single logical processor per physical core. 11/02/18: Updated '3. Scheduler-Enablement Phase' to note that CVE-2018-5407 disclosed today is also mitigated through enablement of the current ESXi Side-Channel-Aware Scheduler. 04/11/19: Updated document with information regarding the ESXi Side-Channel-Aware Scheduler Version 2 which was introduced in ESXi 6.7u2. Request a Product Feature To request a new product feature, please contact your VMware representative.

Recommended

Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Unity ml agent quick guide
Unity ml agent quick guideUnity ml agent quick guide
Unity ml agent quick guideKyoungman Lee
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Linux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようLinux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようTsuyoshi OZAWA
 
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개Byeong-Hyeok Yu
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationNational Cheng Kung University
 
WordPress のキャッシュ機構
WordPress のキャッシュ機構WordPress のキャッシュ機構
WordPress のキャッシュ機構katanyan
 
American Fuzzy Lop
American Fuzzy LopAmerican Fuzzy Lop
American Fuzzy LopMichael Overmeyer
 

Recommended

Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Unity ml agent quick guide
Unity ml agent quick guideUnity ml agent quick guide
Unity ml agent quick guideKyoungman Lee
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Linux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようLinux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようTsuyoshi OZAWA
 
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개
OpenDroneMap과 QGIS를 이용한 드론 영상처리 소개Byeong-Hyeok Yu
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationNational Cheng Kung University
 
WordPress のキャッシュ機構
WordPress のキャッシュ機構WordPress のキャッシュ機構
WordPress のキャッシュ機構katanyan
 
American Fuzzy Lop
American Fuzzy LopAmerican Fuzzy Lop
American Fuzzy LopMichael Overmeyer
 
Sun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentationSun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentationxKinAnx
 
TMUX Rocks!
TMUX Rocks!TMUX Rocks!
TMUX Rocks!Kent Chen
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15MLconf
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
MongoDB on EC2 and EBS
MongoDB on EC2 and EBSMongoDB on EC2 and EBS
MongoDB on EC2 and EBSJared Rosoff
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" ProgramNational Cheng Kung University
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWARutvik patel
 
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)第6回「VMware vSphere 5」(2011/08/11 on しすなま!)
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)System x 部 (生!) : しすなま! @ Lenovo Enterprise Solutions Ltd.
 
Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0Alex Vishnyakov
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)PAULO R. DEOLINDO JUNIOR
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQDavid Pasek
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsDhymas Mahendra
 

More Related Content

What's hot

Sun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentationSun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentationxKinAnx
 
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15MLconf
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
MongoDB on EC2 and EBS
MongoDB on EC2 and EBSMongoDB on EC2 and EBS
MongoDB on EC2 and EBSJared Rosoff
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWARutvik patel
 
Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0Alex Vishnyakov
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)PAULO R. DEOLINDO JUNIOR
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 

What's hot (20)

Sun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentationSun sparc enterprise t5440 server technical presentation
Sun sparc enterprise t5440 server technical presentation
 
TMUX Rocks!
TMUX Rocks!TMUX Rocks!
TMUX Rocks!
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
Ray Richardson, Chief Technology Officer at Simularity at MLconf SEA - 5/01/15
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
MongoDB on EC2 and EBS
MongoDB on EC2 and EBSMongoDB on EC2 and EBS
MongoDB on EC2 and EBS
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" Program
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdf
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
 
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)第6回「VMware vSphere 5」(2011/08/11 on しすなま!)
第6回「VMware vSphere 5」(2011/08/11 on しすなま!)
 
Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0Bandwidth manager with Mikrotik 2.0
Bandwidth manager with Mikrotik 2.0
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)Zabbix monitorando o zimbra collaboration 8.8 (1)
Zabbix monitorando o zimbra collaboration 8.8 (1)
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux Kernel
 

Similar to VMware response to L1TF (CVE-2018-3646) in vSphere

Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQDavid Pasek
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsDhymas Mahendra
 
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidHitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidChetan Gabhane
 
VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1Louis Göhl
 
Vsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscsVsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscskanth2161
 
Networker integration for optimal performance
Networker integration for optimal performanceNetworker integration for optimal performance
Networker integration for optimal performanceMohamed Sohail
 
VMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxVMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxssuser4d1c08
 
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...Vinay Mehta
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-trainingnarit_ton
 
Vsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideVsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideSree Harsha Boyapati
 
ESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesProtect724tk
 
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Principled Technologies
 
ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes Protect724mouni
 

Similar to VMware response to L1TF (CVE-2018-3646) in vSphere (20)

Spectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQSpectre/Meltdown security vulnerabilities FAQ
Spectre/Meltdown security vulnerabilities FAQ
 
Vsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscsVsphere esxi-vcenter-server-55-setup-mscs
Vsphere esxi-vcenter-server-55-setup-mscs
 
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdidHitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
Hitachi whitepaper-protect-ucp-hc-v240-with-vmware-vsphere-hdid
 
VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1VMware vSphere 4.1 deep dive - part 1
VMware vSphere 4.1 deep dive - part 1
 
Vsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscsVsphere esxi-vcenter-server-601-setup-mscs
Vsphere esxi-vcenter-server-601-setup-mscs
 
Upgrade Guide for ESM 6.8c
Upgrade Guide for ESM 6.8cUpgrade Guide for ESM 6.8c
Upgrade Guide for ESM 6.8c
 
Networker integration for optimal performance
Networker integration for optimal performanceNetworker integration for optimal performance
Networker integration for optimal performance
 
VMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptxVMware Virtualization Basics - Part-1.pptx
VMware Virtualization Basics - Part-1.pptx
 
IBM XIV Gen3 Storage System
IBM XIV Gen3 Storage SystemIBM XIV Gen3 Storage System
IBM XIV Gen3 Storage System
 
Vdi pre req
Vdi pre reqVdi pre req
Vdi pre req
 
Operational Management Challenges for Converged Infrastructure
Operational Management Challenges for Converged Infrastructure Operational Management Challenges for Converged Infrastructure
Operational Management Challenges for Converged Infrastructure
 
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
operationalmanagementchallengesforconvergedinfrastructure-141009170742-conver...
 
Windows Server 2012 Virtualization: Notes from the Field
Windows Server 2012 Virtualization: Notes from the FieldWindows Server 2012 Virtualization: Notes from the Field
Windows Server 2012 Virtualization: Notes from the Field
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-training
 
Vsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guideVsphere esxi-vcenter-server-55-troubleshooting-guide
Vsphere esxi-vcenter-server-55-troubleshooting-guide
 
Virtualization & tipping point
Virtualization & tipping pointVirtualization & tipping point
Virtualization & tipping point
 
Vmware inter
Vmware interVmware inter
Vmware inter
 
ESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release NotesESM 6.9.1c Patch 2 Release Notes
ESM 6.9.1c Patch 2 Release Notes
 
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
Streamline operations with new and updated VMware vSphere 8.0 features on 16t...
 
ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes ArcMC 2.5.1 Release Notes
ArcMC 2.5.1 Release Notes
 

More from Wafa Hammami

guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfWafa Hammami
 
ITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfWafa Hammami
 
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfWafa Hammami
 
guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfWafa Hammami
 
bpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfbpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfWafa Hammami
 
Sage x3 solution capabilities
Sage x3 solution capabilitiesSage x3 solution capabilities
Sage x3 solution capabilitiesWafa Hammami
 

More from Wafa Hammami (6)

guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdf
 
ITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdfITSMAgilePMFoundationA4infographic.pdf
ITSMAgilePMFoundationA4infographic.pdf
 
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdfITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
ITIL_2011_Mind_Maps training zone Mars 2011(1).pdf
 
guide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdfguide-protect-smartphone07062022.pdf
guide-protect-smartphone07062022.pdf
 
bpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdfbpi-cnil-rgpd_guide-tpe-pme.pdf
bpi-cnil-rgpd_guide-tpe-pme.pdf
 
Sage x3 solution capabilities
Sage x3 solution capabilitiesSage x3 solution capabilities
Sage x3 solution capabilities
 

Recently uploaded

HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 

Recently uploaded (20)

HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 

VMware response to L1TF (CVE-2018-3646) in vSphere

  • 1. VMware response to ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for vSphere: CVE-2018-3646 (55806) Last Updated: 5/2/2019Categories: Security 34 Symptoms This article documents the Hypervisor-Specific Mitigations required to address CVE-2018-3646 (L1 Terminal Fault - VMM) in vSphere. The Update History section of this article will be revised if there is a significant change. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. Introduction to CVE-2018-3646 Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that can occur on past and current Intel processors (from at least 2009 – 2018) [See Table 1 for supported vSphere processors that are affected]. Like Meltdown, Rogue System Register Read, and "Lazy FP state restore", the “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing the speculation in these cases, the affected Intel microprocessors expose a new side-channel for attack. (Note, however, that architectural correctness is still provided as the speculative operations will be later nullified at instruction retirement.) CVE-2018-3646 is one of these Intel microprocessor vulnerabilities and impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor's or another VM's privileged information residing at the same time in the same core's L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage. CVE-2018-3646 has two currently known attack vectors which will be referred to here as "Sequential-Context" and "Concurrent-Context.” Both attack vectors must be addressed to mitigate CVE-2018-3646. Attack Vector Summary  Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.  Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core. Mitigation Summary Mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches. This mitigation is enabled by default and does not impose a significant performance impact. Please see resolution section for details.
  • 2.  Mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default. Please see resolution section for details. Important: Disabling Intel Hyperthreading in firmware/BIOS (or by using VMkernel.Boot.Hyperthreading) after applying vSphere updates and patches is not recommended and precludes potential vSphere scheduler enhancements and mitigations that will allow the use of both logical processors. As such, disablement of hyperthreading to mitigate the Concurrent-context attack vector will introduce unnecessary operational overhead as hyperthreading may need to be re-enabled in the future. Resolution The mitigation process for CVE-2018-3646 is divided into three phases: 1. Update Phase: Apply vSphere Updates and Patches The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in VMware Security Advisory VMSA-2018-0020. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) which are also documented in VMSA-2018-0020. This mitigation is enabled by default and does not impose a significant performance impact. Note: As displayed in the workflow above, vCenter Server should be updated prior to applying ESXi patches. Notification messages were added in the aforementioned updates and patches to explain that the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. If ESXi is updated prior to vCenter you may receive cryptic notification messages relating to this. After vCenter has been updated, the notifications will be shown correctly. 2. Planning Phase: Assess Your Environment The Concurrent-context attack vector is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler which is included in the updates and patches listed in VMSA-2018-0020. This scheduler is not enabled by default. Enablement of this scheduler may impose a non-trivial performance impact on applications
  • 3. running in a vSphere environment. The goal of the Planning Phase is to understand if your current environment has sufficient CPU capacity to enable the scheduler without operational impact. The following list summarizes potential problem areas after enabling the ESXi Side-Channel-Aware Scheduler:  VMs configured with vCPUs greater than the physical cores available on the ESXi host  VMs configured with custom affinity or NUMA settings  VMs with latency-sensitive configuration  ESXi hosts with Average CPU Usage greater than 70%  Hosts with custom CPU resource management options enabled  HA Clusters where a rolling upgrade will increase Average CPU Usage above 100% Important: The above list is meant to be a brief overview of potential problem areas related to enablement of the ESXi Side-Channel-Aware Scheduler. The VMware Performance Team has provided an in-depth guide as well as performance data in KB55767. It is strongly suggested to thoroughly review this document prior to enablement of the scheduler. Note: It may be necessary to acquire additional hardware, or rebalance existing workloads, before enablement of the ESXi Side-Channel-Aware Scheduler. Organizations can choose not to enable the ESXi Side-Channel- Aware Scheduler after performing a risk assessment and accepting the risk posed by the Concurrent-context attack vector. This is NOT RECOMMENDED and VMware cannot make this decision on behalf of an organization. 3. Scheduler-Enablement Phase: a. Enable the ESXi Side-Channel-Aware Scheduler in ESXi 5.5, 6.0, 6.5, and 6.7 prior to 6.7u2. After addressing the potential problem areas described above during the Planning Phase, the ESXi Side- Channel-Aware Scheduler must be enabled to mitigate the Concurrent-context attack vector of CVE-2018- 3646. The scheduler can be enabled on an individual ESXi host via the advanced configuration option hyperthreadingMitigation. Notes:  Enabling this option will result in the vSphere UI reporting only a single logical processor per physical core; halving the number of logical processors if Hyperthreading was previously enabled. In addition Hyperthreading may be reported as 'Disabled' in various configuration tabs.  The current ESXi Side-Channel-Aware scheduler also addresses CVE-2018-5407. Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab. 4. Click the Settings sub-tab. 5. Under the System heading, click Advanced System Settings. 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name and click the Edit pencil icon. 8. Change the configuration option to true (default: false). 9. Click OK. 10. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME.
  • 4. 2. Click the Manage tab 3. Click the Advanced settings sub-tab 4. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 5. Select the setting by name and click the Edit pencil icon 6. Change the configuration option to true (default: false) 7. Click Save. 8. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler setting using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime value of the HTAware Mitigation Setting by running esxcli system settings kernel list -o hyperthreadingMitigation 3. To enable HT Aware Mitigation, run this command: esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 4. Reboot the ESXi host for the configuration change to go into effect. b. Enable the ESXi Side-Channel-Aware Scheduler (SCAv1) or the ESXi Side-Channel-Aware Scheduler v2 (SCAv2) in ESXi 6.7u2 (13006603) or later Note: ESXi 6.7u2 (13006603) and future release lines of ESXi include the ESXi Side-Channel-Aware Scheduler v2. Prior release lines such as 6.5, 6.0, and 5.5 cannot accommodate this new scheduler. VMware has published a white paper entitled Performance of vSphere 6.7 Scheduling Options which provides a more detailed look into the performance differences between SCAv1 and SCAv2. Please review this document before continuing. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab.
  • 5. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to true (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to true (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler (SCAv1) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v TRUE 6. Reboot the ESXi host for the configuration change to go into effect. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using the vSphere Web Client or vSphere Client 1. Connect to the vCenter Server using either the vSphere Web or vSphere Client. 2. Select an ESXi host in the inventory. 3. Click the Configure tab. 4. Under the System heading, click Advanced System Settings. 5. Click Edit 6. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigation 7. Select the setting by name 8. Change the configuration option to true (default: false). 9. Click in the Filter box and search VMkernel.Boot.hyperthreadingMitigationIntraVM 10. Change the configuration option to false (default: true). 11. Click OK. 12. Reboot the ESXi host for the configuration change to go into effect.
  • 6. Enabling the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXi Embedded Host Client 1. Connect to the ESXi host by opening a web browser to https://HOSTNAME. 2. Click Manage under host navigator 3. Click the Advanced settings Tab 4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation 5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click the Edit Option 6. Change the configuration option to true (default: false) 7. Click Save. 8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM 9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click the Edit Option 10. Change the configuration option to false (default: true). 11. Click Save. 12. Reboot the ESXi host for the configuration change to go into effect. Enable ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXCLI 1. SSH to an ESXi host or open a console where the remote ESXCLI is installed. For more information, see the http://www.vmware.com/support/developer/vcli/. 2. Check the current runtime values by running esxcli system settings kernel list -o hyperthreadingMitigation and esxcli system settings kernel list -o hyperthreadingMitigationIntraVM 3. To enable the ESXi Side-Channel-Aware Scheduler Version 1 run these commands: 4. esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE 5. esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v FALSE 6. Reboot the ESXi host for the configuration change to go into effect. ESXi 6.7u2 (and later) Scheduler Configuration Summary hyperthreadingMitigation hyperthreadingMitigationIntraVM Scheduler Enabled FALSE TRUE or FALSE Default scheduler (unmitigated) TRUE TRUE SCAv1 TRUE FALSE SCAv2 HTAware Mitigation Tool VMware has provided a tool to assist in performing both the Planning Phase and the Scheduler-Enablement Phase at scale. This tool has been updated to include SCAv2 support and can be found in KB56931 along with detailed instructions on its usage, capabilities, and limitations. Table 1: Affected Intel Processors Supported by ESXi Intel Code Name FMS Intel Brand Names Nehalem-EP 0x106a5 Intel Xeon35xx Series; Intel Xeon55xx Series Lynnfield 0x106e5 Intel Xeon34xx Lynnfield Series Clarkdale 0x20652 Intel i3/i5 Clarkdale Series; Intel Xeon34xx ClarkdaleSeries Arrandale 0x20655 Intel Corei7-620LEProcessor SandyBridge DT 0x206a7 Intel XeonE3-1100Series; Intel XeonE3-1200Series; Intel i7-2655-LESeries; Inteli3-2100 Series
  • 7. Westmere EP 0x206c2 Intel Xeon56xx Series; Intel Xeon36xx Series SandyBridge EP 0x206d7 Intel Pentium 1400 Series; Intel XeonE5-1400Series; Intel XeonE5-1600Series; Intel XeonE5-2400Series; Intel XeonE5-2600Series; Intel XeonE5-4600Series NehalemEX 0x206e6 Intel Xeon65xx Series; Intel Xeon75xx Series Westmere EX 0x206f2 Intel XeonE7-8800Series; Intel XeonE7-4800Series; Intel XeonE7-2800Series Ivy Bridge DT 0x306a9 Intel i3-3200 Series; Inteli7-3500-LE/UE, Inteli7-3600-QE, Intel XeonE3-1200-v2 Series; Intel XeonE3-1100-C-v2 Series; Intel Pentium B925C Haswell DT 0x306c3 Intel XeonE3-1200-v3 Series Ivy Bridge EP 0x306e4 Intel XeonE5-4600-v2 Series; Intel XeonE5-2400-v2 Series; Intel XeonE5-2600-v2 Series; Intel XeonE5-1400-v2 Series; Intel XeonE5-2600-v2 Series Ivy Bridge EX 0x306e7 Intel XeonE7-8800/4800/2800-v2Series Haswell EP 0x306f2 Intel XeonE5-2400-v3 Series; Intel XeonE5-1400-v3 Series; Intel XeonE5-1600-v3 Series; Intel XeonE5-2600-v3 Series; Intel XeonE5-4600-v3 Series Haswell EX 0x306f4 Intel XeonE7-8800/4800-v3Series Broadwell H 0x40671 Intel Corei7-5700EQ; Intel XeonE3-1200-v4 Series Avoton 0x406d8 Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series Broadwell EP/EX 0x406f1 Intel XeonE7-8800/4800-v4Series; Intel XeonE5-4600-v4 Series; Intel XeonE5-2600-v4 Series; Intel XeonE5-1600-v4 Series Skylake SP 0x50654 Intel XeonPlatinum8100(Skylake-SP) Series; Intel XeonGold 6100/5100 (Skylake-SP) Series Intel XeonSilver 4100, Bronze 3100 (Skylake-SP) Series Broadwell DE 0x50662 Intel XeonD-1500Series Broadwell DE 0x50663 Intel XeonD-1500Series Broadwell DE 0x50664 Intel XeonD-1500Series Broadwell NS 0x50665 Intel XeonD-1500Series Skylake H/S 0x506e3 Intel XeonE3-1500-v5 Series; Intel XeonE3-1200-v5 Series KabyLake H/S/X 0x906e9 Intel XeonE3-1200-v6 Related InformationKnow more about L1TF (L1 Terminal Fault) here Update History 08/14/18: Initial publication. 10/15/18: Added note to '3. Scheduler-Enablement Phase' to clarify that enablement of the ESXi Side-Channel- Aware Scheduler will result in the vSphere UI reporting only a single logical processor per physical core. 11/02/18: Updated '3. Scheduler-Enablement Phase' to note that CVE-2018-5407 disclosed today is also mitigated through enablement of the current ESXi Side-Channel-Aware Scheduler. 04/11/19: Updated document with information regarding the ESXi Side-Channel-Aware Scheduler Version 2 which was introduced in ESXi 6.7u2. Request a Product Feature To request a new product feature, please contact your VMware representative.