kool
January 9th, 2018, 22:19
New patches for the VMware hypervisor, relating to the processor vulnerabilities, have been released
https://my.vmware.com/group/vmware/patch#search
ESXi650-201801401-BG (Build 7526125)
ESXi600-201801402-BG (Build 7504637)
ESXi550-201801401-BG (Build 7504623)
---------------------------------------------------------------------
*** Please wait until a new update is released; the versions above have problems with the earlier microcode of some processors and have also been removed from the official site.
** Workaround: on servers where the above update has been installed, if they have an Intel processor (Haswell or Broadwell), add the following line
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
to the file
/etc/vmware/config
and then power the virtual machines off and on once. (It is better to make a copy of this file before editing it.)
(Remove the line above after the new update is released!)
** List of affected processors:
VCG Processor Series/Family | Encoded CPUID Family.Model.Stepping | Processor SKU Stepping | Microcode Revision
Intel Xeon E3-1200-v3, Intel i3-4300, Intel i5-4500-TE, Intel i7-4700-EQ | 0x000306C3 | C0 | 0x00000023
Intel Xeon E5-1600-v2, Intel Xeon E5-2400-v2, Intel Xeon E5-2600-v2, Intel Xeon E5-4600-v2 | 0x000306E4 | C1/M1/S1 | 0x0000042A
Intel Xeon E5-1600-v3, Intel Xeon E5-2400-v3, Intel Xeon E5-2600-v3, Intel Xeon E5-4600-v3 | 0x000306F2 | C0/C1, M0/M1, R1/R2 | 0x0000003B
Intel Xeon E7-8800/4800-v3 | 0x000306F4 | E0 | 0x00000010
Intel Xeon E3-1200-v4 | 0x00040671 | G0 | 0x0000001B
Intel Xeon E5-1600-v4, Intel Xeon E5-2600-v4, Intel Xeon E5-4600-v4 | 0x000406F1 | B0/M0/R0 | 0x0B000025
Intel Xeon E7-8800/4800-v4 | 0x000406F1 | B0/M0/R0 | 0x0B000025
Intel Xeon Gold 61/00/5100, Silver 4100, Bronze 3100 (Skylake-SP) Series | 0x00050654 | H0 | 0x0200003A
Intel Xeon Platinum 8100 (Skylake-SP) Series | 0x00050654 | H0 | 0x0200003A
Intel Xeon D-1500 | 0x00050663 | V2 | 0x07000011
Intel Xeon E3-1200-v5 | 0x000506E3 | R0/S0 | 0x000000C2
Intel Xeon E3-1200-v6 | 0x000906E9 | B0 | 0x0000007C
---------------------------------------------
For servers using the Intel Haswell and Broadwell processors
that have applied ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG
VMware recommends the following:
On each affected ESXi host, add the following line in the /etc/vmware/config file:
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
This will hide the speculative-execution control mechanism for virtual machines which are power-cycled afterwards on the ESXi host.
This line will need to be removed after applying a future fixed microcode from Intel in order to enable the full guest OS mitigations for CVE-2017-5715.
When convenient, power-cycle virtual machines on the affected ESXi hosts; rebooting of the ESXi host is not required.
Stateless vSphere ESXi Hosts using ESXi 5.5 or 6.0, this line must be re-applied every time the ESXi host reboots. VMware is investigating other options at this time.
For information on how to use a text editor, see Editing files on an ESX host using vi or nano (1020302).
Note: For servers using unaffected processors which have applied either the VMSA-2018-0002 or ESXi patches ESXi650-201801402-BG, ESXi600-201801402-BG or, ESXi550-201801401-BG, no action is required.
The effect of these recommendations for an affected ESXi host is that the speculative execution control mechanism is no longer available to virtual machines even if the server firmware provides the same microcode independently. (For customers who have applied the same microcode updates from their server vendor’s Firmware/BIOS, this recommendation may remove the need to downgrade the firmware. Consult your server vendor directly for guidance.)
VMware is working closely with Intel and the industry to come to a quick resolution of this Intel microcode issue and provide an update to our customers as soon as possible.
https://kb.vmware.com/s/article/52345
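
The workaround steps from the post (back up /etc/vmware/config, add the cpuid.7.edx line, remove it again once the fixed update is out), as an added example that is not part of the original post or of VMware's KB article. The function names, the backup file suffixes and the `CFG` override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not VMware's script): idempotent edit of the cpuid.7.edx workaround.
CFG="${CFG:-/etc/vmware/config}"   # path from the post; override CFG for a dry run
MASK_LINE='cpuid.7.edx = "----:00--:----:----:----:----:----:----"'

# True only if the exact workaround line is present.
has_mask() { grep -Fxq -e "$MASK_LINE" "$1"; }

# True if any cpuid.7.edx setting (the workaround or a different one) is present.
has_cpuid7_edx() { grep -Eq '^[[:space:]]*cpuid\.7\.edx[[:space:]]*=' "$1"; }

apply_mask() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    has_mask "$cfg" && return 0                      # already applied, nothing to do
    if has_cpuid7_edx "$cfg"; then                   # never stack a second mask
        echo "other cpuid.7.edx setting in $cfg, review by hand" >&2
        return 3
    fi
    cp -p "$cfg" "$cfg.pre-cpuid-mask" || return 1   # copy of the file before editing
    [ -z "$(tail -c 1 "$cfg")" ] || echo >> "$cfg"   # terminate an unterminated last line
    printf '%s\n' "$MASK_LINE" >> "$cfg"
}

remove_mask() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    has_mask "$cfg" || return 0                      # nothing to remove
    cp -p "$cfg" "$cfg.pre-cpuid-unmask" || return 1
    grep -Fxv -e "$MASK_LINE" "$cfg" > "$cfg.tmp"
    [ $? -le 1 ] || return 1                         # grep exits 1 when no lines remain
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"      # rewrite in place, keep file mode
}

# Usage: script apply | remove | status   (no argument: define functions only)
case "${1:-}" in
    apply)  apply_mask "$CFG" ;;
    remove) remove_mask "$CFG" ;;
    status) if has_mask "$CFG"; then echo "mask present"; else echo "mask absent"; fi ;;
esac
```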