A friendly reminder to patch your stuff. (VUM makes it easy!)


Thanks for sharing!

Thanks for posting. Has anyone actually been able to download the patch? I don’t see it in VUM, nor do I see it under my downloads from VMware… the latest date I see is from December.

Those existing patches did come out in Dec.


Still no patch for 5.5

A question my boss has been asking, which I don’t really have a good answer for, is: do you really need to patch the guest OS in a virtualized environment?

I would guess not since the guest OS never works directly with the physical CPUs.

Given that this can decrease performance, would patching a hypervisor and a guest magnify the decrease in performance?

  1. Meltdown does NOT impact ESXi directly. Meltdown was the primary one with a performance penalty.

  2. The initial patches for SPECTRE were released Dec 19th. Note one of the CVEs is still missing for 5.5 (no published ETA).

The guests still need to be patched (that’s noted on the blog). While VMs can’t attack each other, you could have in-guest privilege escalations.

There are also firmware patches server vendors have released and a registry setting to set in Windows. Intel mentioned more stuff will come out next week in their press release.

I can’t speculate about performance hits, but given the hypervisor isn’t taking a hit for Meltdown patching, I’m not sure why you would think patching the guest would make this any worse than patching on bare metal. Other hypervisors that were impacted might be an issue.

Get ready to patch stuff, and pay attention for advisories. Basically what you should be doing anyways.