UPDATE: Please see validating compliance of VMSA-2018-0004 (Spectre) on ESXi and VM
VMware has published VMSA-2018-0002, which addresses the Spectre and Meltdown speculative-execution vulnerabilities (CVE-2017-5753, CVE-2017-5715) and lists which ESXi patch must be installed for each supported version.
The ESXi patch alone is not enough: each host also needs the required BIOS (firmware) update from the hardware vendor. When managing a large VMware environment it is hard to keep track of which hosts have been patched, and just as hard to remember which hosts have already received the BIOS update.
For this reason, I have added a new script to vDocumentation that checks compliance against VMSA-2018-0002 and against the required BIOS update.
Version 2.3.0 now includes a cmdlet (Get-ESXSpeculativeExecution) that will aid in validating your environment. If you are new to vDocumentation, please check the GitHub project page for instructions on installing it from the PowerShell Gallery (https://github.com/arielsanchezmora/vDocumentation).
Run "Get-Help Get-ESXSpeculativeExecution -Full" to see all parameters and switches available; below are the most frequently used:
- The cmdlet validates ESXi versions 5.5, 6.0, and 6.5
- -PatchCompliance validates the ESXi patch level only
- -BIOSCompliance validates the BIOS version only
- Specify neither switch to validate both
- -esxi to validate a single host
- -cluster to validate a cluster
- -datacenter to validate a datacenter
- No scope parameter to run against the entire vCenter
- -exportExcel to export the results to Excel
If we run "Get-ESXSpeculativeExecution -esxi labesx001.local", this is the output:
If we run "Get-ESXSpeculativeExecution -exportExcel", we generate an Excel workbook with two tabs: Patch_Compliance and BIOS_Compliance.
BIOS Version Check
The BIOS Compliance validation relies on accessing the BIOSUpdates.csv file, which is hosted on the project page: https://raw.githubusercontent.com/edmsanchez/vDocumentation/master/powershell/vDocumentation/BIOSUpdates.csv
If you do not have Internet access from the machine running the cmdlet, download the CSV file locally and point to it with the -inputfile parameter. The CSV file contains HP and Dell models, with updates taken from these official sources:
If you are running hardware from a vendor other than HP or Dell, let me know via the #vdocumentation channel on the VMware {code} Slack, on Twitter, or on the GitHub project page, and we can add your model to the CSV file.
The SafeFromSpectre field on the BIOS_Compliance tab is True only when both the ESXi patch and the BIOS update are in place on that host (see below). That is the state that indicates the vulnerability has been fully addressed; a False in either of the underlying columns means the host is still exposed.
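The two comparisons behind the patch and BIOS checks described above (ESXi build against the advisory's fixed build, and BIOS version against a per-model minimum), as an added PowerShell example that is not vDocumentation's own code. The minimum-build numbers are the ones I recall from VMSA-2018-0002 and must be confirmed against the advisory before use; the CSV schema, model names, BIOS strings and host records are constructed for the example and are not the project's BIOSUpdates.csv or any real inventory. The block runs offline against the sample records; the commented tail shows how to feed it real hosts through PowerCLI.

```powershell
# Added example (not vDocumentation's code): a minimal version of the
# patch + BIOS compliance check, run against constructed host records so
# it works offline. The CSV layout below is my own, not BIOSUpdates.csv.

# Minimum fixed ESXi builds per VMSA-2018-0002 as I recall them.
# Confirm against the advisory before relying on these values.
$FixedBuild = @{
    '5.5' = 6480324
    '6.0' = 6921384
    '6.5' = 7388607
}

# Constructed reference table: model -> minimum BIOS version that carries
# the updated microcode. Version strings are placeholders, not vendor data.
$BiosCsv = @'
Model,MinBiosVersion
PowerEdge R730,2.7.0
ProLiant DL380 Gen9,2.56
'@ | ConvertFrom-Csv

function Get-BiosVersionNumber {
    param([string]$BiosString)
    # Dell reports "2.7.0"; HP reports "P89 v2.56 (01/22/2018)". Pull the
    # first dotted number so both compare as [version].
    if ($BiosString -match '(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

function Test-HostCompliance {
    param(
        [Parameter(Mandatory)] $HostInfo,   # Name, Version, Build, Model, BiosVersion
        [Parameter(Mandatory)] $BiosTable
    )
    # "6.5.0" -> "6.5" so it keys into $FixedBuild.
    $major   = ($HostInfo.Version -split '\.')[0..1] -join '.'
    $patched = $FixedBuild.ContainsKey($major) -and ([int]$HostInfo.Build -ge $FixedBuild[$major])

    $row  = $BiosTable | Where-Object { $_.Model -eq $HostInfo.Model } | Select-Object -First 1
    $have = Get-BiosVersionNumber $HostInfo.BiosVersion
    $need = if ($row) { [version]$row.MinBiosVersion } else { $null }
    # An unknown model or an unparseable BIOS string is reported as not
    # compliant, never silently as safe.
    $biosOk = ($null -ne $have) -and ($null -ne $need) -and ($have -ge $need)

    [pscustomobject]@{
        Host            = $HostInfo.Name
        ESXiBuild       = $HostInfo.Build
        PatchCompliant  = $patched
        BIOS            = $HostInfo.BiosVersion
        BIOSCompliant   = $biosOk
        SafeFromSpectre = $patched -and $biosOk
    }
}

# Constructed sample hosts (not real inventory).
$SampleHosts = @(
    [pscustomobject]@{ Name='labesx001.local'; Version='6.5.0'; Build=7388607; Model='PowerEdge R730';      BiosVersion='2.7.0' }
    [pscustomobject]@{ Name='labesx002.local'; Version='6.5.0'; Build=5969303; Model='PowerEdge R730';      BiosVersion='2.7.0' }
    [pscustomobject]@{ Name='labesx003.local'; Version='6.0.0'; Build=6921384; Model='ProLiant DL380 Gen9'; BiosVersion='P89 v2.42 (01/22/2017)' }
    [pscustomobject]@{ Name='labesx004.local'; Version='6.5.0'; Build=7388607; Model='UnknownBox 1';        BiosVersion='1.0' }
)

$SampleHosts | ForEach-Object { Test-HostCompliance -HostInfo $_ -BiosTable $BiosCsv } | Format-Table -AutoSize

# Against a live vCenter (PowerCLI, after Connect-VIServer), build the same
# records from each host's managed object and pipe them into the check:
# Get-VMHost | ForEach-Object {
#     $hw = $_.ExtensionData.Hardware
#     [pscustomobject]@{ Name=$_.Name; Version=$_.Version; Build=$_.Build
#                        Model=$hw.SystemInfo.Model; BiosVersion=$hw.BiosInfo.BiosVersion }
# } | ForEach-Object { Test-HostCompliance -HostInfo $_ -BiosTable $BiosCsv }
```

With the sample data only labesx001 comes out SafeFromSpectre: labesx002 is on a pre-advisory build, labesx003 has the patch but an older HP BIOS, and labesx004 is a model absent from the table, which the check deliberately treats as non-compliant rather than unknown.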