Checking and blocking the L1TF vulnerability

Find out how to block the L1TF (L1 Terminal Fault) vulnerability

Last updated 26th February 2019


Following the public release of the L1TF vulnerability ("L1 Terminal Fault" or "Foreshadow"), various procedures and patches were published to minimise exposure to this risk.

This guide will explain how you can block this vulnerability.


  • a user account with vSphere access
  • hyper-threading used on your virtual machines


As a reminder:

| Variant | Vulnerable | Fixed by the patch? |
|---|---|---|
| Variant1: L1 Terminal Fault - VMM (CVE-2018-3646) | YES | NO (but mitigated) |
| Variant2: L1 Terminal Fault - OS (CVE-2018-3620) | NO | |
| Variant3: L1 Terminal Fault - SGX (CVE-2018-3615) | NO | |

L1 Terminal Fault - SGX (CVE-2018-3615) does not affect VMware hypervisors:

For Private Cloud solutions, only SDDC packs are affected by this vulnerability.

For further information, you can refer to our news article.

Mitigation process

It is important to understand that the actions detailed below do not fix the vulnerability.

The actions describe how to disable hyper-threading on your ESXi hosts. Because the L1TF vulnerability requires hyper-threading to work, disabling it protects your infrastructure from being exploited through this vulnerability.

The mitigation process is described in this VMware knowledge base:

This procedure is divided into three distinct steps.

Step 1: Update.

The vCenter update is managed by OVHcloud; however, it is your responsibility to install the patch for ESXi hosts. This is available in the Update Manager.

You will find the list of patches for ESXi hosts in this document.

After the hosts have been updated, the following alert message will appear in your host summary:

Step 2: Assess environment.

Even after the ESXi hosts have been updated, the patch's mitigation is not yet applied.

It is important to be aware of the potential problems listed in the knowledge base mentioned above, as well as the performance loss observed in this other knowledge base:

Step 3: Enable.

Once you have read about these problems, you can enable the setting that is used to disable hyper-threading, by going to the Advanced System Settings.

A filter is available in the top right-hand corner of the window.

You will need to do this for each host.

To find out more, you can go to step 3 in the ‘Resolution’ section of this VMware knowledge base.

If you do not want to disable hyper-threading on these elements, you can remove the alert message by following this knowledge base.

OVHcloud does not recommend doing this, and cannot be held responsible for this risk or any resulting consequences.
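
The per-host check and change from step 3, scripted with VMware PowerCLI so it can be run across every host, together with a check for hosts where the alert has been hidden. This is an added example, not part of the original guide or OVHcloud's tooling. It assumes an existing `Connect-VIServer` session; the setting names `VMkernel.Boot.hyperthreadingMitigation` and `UserVars.SuppressHyperthreadWarning` come from VMware's knowledge base articles rather than this page, and the function names are hypothetical.

```powershell
# Added example: audit (and optionally enable) the L1TF hyper-threading mitigation.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
# Setting names are taken from VMware's L1TF knowledge base articles, not this guide.
$MitigationSetting = 'VMkernel.Boot.hyperthreadingMitigation'
$SuppressSetting   = 'UserVars.SuppressHyperthreadWarning'

function Get-L1tfHostStatus {
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        $mitigation = Get-AdvancedSetting -Entity $VMHost -Name $MitigationSetting
        $suppress   = Get-AdvancedSetting -Entity $VMHost -Name $SuppressSetting
        # A missing setting means the host has not received the ESXi patch (step 1).
        $state = if (-not $mitigation) { 'NotPatched' }
                 elseif ([string]$mitigation.Value -ne 'True') { 'PatchedNotEnabled' }
                 else { 'Enabled' }
        [pscustomobject]@{
            Host              = $VMHost.Name
            Build             = $VMHost.Build
            State             = $state
            # Alert hidden while State is not 'Enabled' deserves a second look.
            WarningSuppressed = [bool]($suppress -and [string]$suppress.Value -eq '1')
        }
    }
}

function Enable-L1tfMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        $setting = Get-AdvancedSetting -Entity $VMHost -Name $MitigationSetting
        if ($setting -and [string]$setting.Value -ne 'True' -and
            $PSCmdlet.ShouldProcess($VMHost.Name, "Enable $MitigationSetting")) {
            # Boot-time option: it takes effect only after the host is rebooted.
            $setting | Set-AdvancedSetting -Value $true -Confirm:$false
        }
    }
}

# Report every host, then preview the change without applying it.
Get-VMHost | Get-L1tfHostStatus | Sort-Object State, Host | Format-Table -AutoSize
Get-VMHost | Enable-L1tfMitigation -WhatIf
```

Remove `-WhatIf` only after the step 2 assessment; hosts reported as `NotPatched` need the step 1 update before the setting exists.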
