VMware announced vSAN 8 Update 2 and an exciting new offering, VMware vSAN Max. We welcome Pete Keohler to discuss the details this week on The Virtually Speaking Podcast.
VMware is gearing up for a significant update with vSphere 8 Update 2, and it’s set to make waves in the realm of virtualization. Anticipated for release in Q3 2023, this update promises to bring exciting changes that will have a positive impact on the daily routines of VMware administrators.
Defect ID – CSCwf30468
Cisco UCS M5 C-series servers are affected by vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
- CVE-2022-40982—Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure through local access
- CVE-2022-43505—Insufficient control flow management in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable denial of service through local access
Workaround EVC Intel “Broadwell” Generation or gather_data_sampling
https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh# sh spectre-meltdown-checker.sh --variant downfall --explain
EVC Intel “Skylake” Generation
CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)' > STATUS: VULNERABLE (Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation) > SUMMARY: CVE-2022-40982:KO
EVC Intel “Broadwell” Generation
CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)' > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) > SUMMARY: CVE-2022-40982:OK
Mitigation with an updated kernel
When an update of the microcode is not available via a firmware update package, you may update the Kernel with a version that implements a way to shut off AVX instruction set support. It can be achieved by adding the following kernel command line parameter:
When the mitigation is enabled, there is additional latency before results of the gather load can be consumed. Although the performance impact to most workloads is minimal, specific workloads may show performance impacts of up to 50%. Depending on their threat model, customers can decide to opt-out of the mitigation.
Intel® Software Guard Extensions (Intel® SGX)
There will be an Intel SGX TCB Recovery for those Intel SGX-capable affected processors. This TCB Recovery will only attest as up-to-date when the patch has been FIT-loaded (for example, with an updated BIOS), Intel SGX has been enabled by BIOS, and hyperthreading is disabled. In this configuration, the mitigation will be locked to the enabled state. If Intel SGX is not enabled or if hyperthreading is enabled, the mitigation will not be locked, and system software can choose to enable or disable the GDS mitigation.
- VMware hypervisors may be impacted by CVE-2022-40982 (https://downfall.page ) , but VMware will not release patch for this.
- Intel’s Downfall Mitigations Drop Performance Up to 39%, Tests Show
- VMware Response to Gather Data Sampling (GDS) – Transient Execution Side-channel vulnerability impacting Intel processors (CVE-2022-40982)
- VMware hypervisors may be impacted by CVE-2022-40982 if they are utilizing an impacted Intel processor, but hypervisor patches are not required to resolve the vulnerability
- proof-of-concept attack that steal AES keys from OpenSSL https://github.com/flowyroll/downfall/tree/main/POC
Multi-TEP High Availability
Introduction A tunnel end point (TEP) is a virtual interface that can serve as an uplink for overlay traffic. On an ESXi host, a TEP is tightly associated to the physical interface through which it sends and receives its traffic. In the current TEP high availability (TEP HA) model, a TEP never fails. If the link of the ESXi interface to which a TEP is associated goes down, the TEP is simply moved
Are you ready to embark on an exciting journey at VMware Explore 2023 in Las Vegas? Join us as we hear directly from the VMware Explore Events Team, your trusted guides, on how to plan and navigate your way through this exceptional event.
Curious about the upcoming #hackathon at #VMwareExplore? We’ve got you covered. Join our informative session where you’ll learn all the ins and outs. Discover how to participate, what to expect, and much more. You can still participate! @vmwarecode