Checking and blocking the L1TF vulnerability

Find out how to block the L1TF (L1 Terminal Fault) vulnerability

Last updated 26th February 2019

Objective

Following the public release of the L1TF vulnerability ("L1 Terminal Fault" or "Foreshadow"), various procedures and patches were published to minimise exposure to this risk.

This guide will explain how you can block this vulnerability.

Requirements

  • a user account with vSphere access and permission to change host settings
  • hyper-threading enabled on your ESXi hosts (the concurrent-context attack needs two logical threads sharing a core, which is what this procedure takes away)

Instructions

As a reminder:

Variant                                             Vulnerable   Fixed by the patch?
Variant 1: L1 Terminal Fault - VMM (CVE-2018-3646)  YES          NO (but mitigated)
Variant 2: L1 Terminal Fault - OS (CVE-2018-3620)   NO           -
Variant 3: L1 Terminal Fault - SGX (CVE-2018-3615)  NO           -

L1 Terminal Fault - SGX (CVE-2018-3615) does not affect VMware hypervisors: https://kb.vmware.com/s/article/54913

For Private Cloud solutions, only SDDC packs are affected by this vulnerability.

For further information, you can refer to our news article.

Mitigation process

It is important to understand that the actions detailed below do not fix the vulnerability.

The actions describe how to stop your ESXi hosts from using hyper-threading. The VMM variant has two attack paths: the sequential-context path (a VM reading L1 data cache contents left behind by the hypervisor or by a VM previously scheduled on the same core) is addressed by the patch itself, which flushes the L1 data cache on VM entry; the concurrent-context path needs an attacker vCPU running on the sibling hyper-thread of the same core as its victim at the same time. The setting below enables the ESXi Side-Channel-Aware Scheduler, which schedules only one logical thread per physical core, so that second path cannot be exploited on your infrastructure. The vulnerability itself remains in the CPU.

The mitigation process is described in this VMware knowledge base: https://kb.vmware.com/s/article/55806.

This procedure is divided into three distinct steps.

Step 1: Update.

The vCenter update is managed by OVH. However, it is your responsibility to install the patch on the ESXi hosts; it is available through vSphere Update Manager.

You will find the list of patches for ESXi hosts in this document.

After the hosts have been updated, an alert message referring to CVE-2018-3646 will appear in the Summary tab of each host. This is expected: it means the mitigation is available but not yet enabled.

Step 2: Assess environment.

Updating the ESXi hosts installs the mitigation but does not enable it: the Side-Channel-Aware Scheduler is off by default after the patch, so the hosts keep using both logical threads of each core until you complete step 3.

Before enabling it, read the potential problems listed in the knowledge base mentioned above (in particular the reduced number of schedulable CPUs, which can leave VMs with more vCPUs than a single core's worth of threads unable to power on, or a cluster without enough capacity), as well as the performance loss documented in this other knowledge base: https://kb.vmware.com/s/article/55767.

Step 3: Enable.

Once you have read about these problems, you can enable the mitigation by going to the host's Advanced System Settings and setting VMkernel.Boot.hyperthreadingMitigation to true. The change only takes effect after the host has been rebooted, so put the host in maintenance mode, let its VMs be evacuated, reboot it, and check that the CVE-2018-3646 alert has disappeared from the Summary tab.

A filter is available in the top right-hand corner of the window.

You will need to do this for each host.

To find out more, you can go to step 3 in the ‘Resolution’ section of this VMware knowledge base.
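Since the setting has to be checked and applied host by host, the three steps above lend themselves to a PowerCLI script run against the vCenter. The script below is an added example and is not part of the OVH guide nor VMware's own tooling: it reports, for every host, whether the patch is installed (the advanced setting only exists on patched builds), whether hyper-threading is active, whether the mitigation is enabled and whether someone has suppressed the warning instead, and with the illustrative -Enable switch it turns the mitigation on where it is missing. The vCenter name is an assumption; the setting names VMkernel.Boot.hyperthreadingMitigation and UserVars.SuppressHyperthreadWarning come from the VMware knowledge bases referenced on this page.

```powershell
# Added example (not from the OVH guide or from VMware): audit and, on request,
# enable the L1TF hyper-threading mitigation on every ESXi host a vCenter manages.
# Requires VMware PowerCLI and a vSphere account allowed to change host settings.
# Assumptions: the -VCenter value and the -Enable switch are illustrative.
param(
    [Parameter(Mandatory = $true)] [string] $VCenter,   # e.g. vcenter.example.local (assumed name)
    [switch] $Enable                                     # without it the script only reports
)

Connect-VIServer -Server $VCenter | Out-Null

$MitigationSetting = 'VMkernel.Boot.hyperthreadingMitigation'   # KB 55806 (step 3 of this guide)
$SuppressSetting   = 'UserVars.SuppressHyperthreadWarning'      # KB 57374 (hides the alert only)

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $mitigation = Get-AdvancedSetting -Entity $vmhost -Name $MitigationSetting -ErrorAction SilentlyContinue
    $suppress   = Get-AdvancedSetting -Entity $vmhost -Name $SuppressSetting   -ErrorAction SilentlyContinue

    # A host whose build predates the patch does not expose the setting at all,
    # so "setting missing" means "step 1 not done yet", not "mitigated".
    $patched  = $null -ne $mitigation
    # Compare as text: [bool]'false' would be $true in PowerShell.
    $enabled  = $patched -and ("$($mitigation.Value)" -ieq 'true')
    $hidden   = ($null -ne $suppress) -and ("$($suppress.Value)" -eq '1')

    [pscustomobject]@{
        Host                 = $vmhost.Name
        Build                = $vmhost.Build
        HyperthreadingActive = $vmhost.HyperthreadingActive
        PatchInstalled       = $patched
        MitigationEnabled    = $enabled
        WarningSuppressed    = $hidden   # alert hidden without mitigation: still exposed
    }
}

$report | Format-Table -AutoSize

if ($Enable) {
    $todo = $report | Where-Object { $_.PatchInstalled -and -not $_.MitigationEnabled }
    foreach ($row in $todo) {
        $vmhost = Get-VMHost -Name $row.Host
        Get-AdvancedSetting -Entity $vmhost -Name $MitigationSetting |
            Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
        # The scheduler change is a boot-time option: it is not active until the host reboots.
        Write-Host "$($row.Host): $MitigationSetting set to true - enter maintenance mode and reboot to apply."
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Enable to get the inventory, and treat any host that shows WarningSuppressed = True with MitigationEnabled = False as still exposed: suppressing the alert changes nothing about the scheduler. The same setting can be applied from the ESXi shell of a single host with `esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE`, followed by a reboot; either way, reboot hosts one at a time from maintenance mode so the cluster keeps enough capacity while each one is down.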

If you do not want to disable hyper-threading on these hosts, you can remove the alert message by following this knowledge base. This only hides the warning; the hosts remain exposed to the concurrent-context attack.

OVH does not recommend doing this, and cannot be held responsible for this risk or any resulting consequences.

Go further

Join our community of users on https://community.ovh.com/en/.