I’ve done some work in testing the performance and mitigation of Meltdown and Spectre on the VMWare platform.

In summary I can confirm that even when patching the hypervisor host, it does not mitigate or automatically protect Guest VMs.  The guests need to be patched as well.

On the performance side (using pgbench for database testing) then I can confirm the significant performance impact to certain workloads as indicated below when the guest OS is patched.   Patching the hypervisor does not appear to significantly impact performance in this case.

ESXi 6.5 Hypervisor Host
Ubuntu 16.04
spectre-meltdown-checker.sh
Performance Slowdown
CVE-2017-5753 Spectre Variant 1CVE-2017-5715 Spectre Variant 2CVE-2017-5754 Meltdown aka Variant 3TPC-BSelect Only
UNPATCHED
UNPATCHED
VulnerableVulnerableVulnerable
UNPATCHEDPATCHEDVulnerableVulnerableNOT Vulnerable25.8%32.4%
PATCHEDUNPATCHEDVulnerableVulnerableVulnerable-7.2%0.8%
PATCHEDPATCHEDVulnerableVulnerableNOT Vulnerable26.0%25.9%

As you can see we are still waiting on mitigations on the Spectre Variant 1 and Variant 2 attacks at the guest OS level.

In order to get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to application software as well.

But in the case of VMware the statement is:

Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM. VMware’s hypervisor products are affected by the known examples of variant 1 and variant 2 vulnerabilities and do require the associated mitigations. Known examples of variant 3 do not affect VMware hypervisor products.

So, at this time running your workload on VMware should be safe, but patching the OS can lead to significant performance issues.

 

Testing methodology

1) 2 Physically identical ESXi host servers

2) Same ESXi6.5 installation.  One node with the additional 3 patches required

3) 2 Virtual Machines.   Base Ubuntu 16.04 server with postgres 9.5.   Second VM identical cone with the Meltdown kernel patch only applied.

4) Vulneability status reported by spectre-meltdown-checker.sh

5) Postgres benchmark pgbench -C -T120 and pgbench -C -T120 -S

6) At the time of running test, then each one run in turn and the only wrokload on the test host at that time

 

Links

Microsoft: https://support.microsoft.com/en-gb/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Ubuntu:  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Vmware: https://kb.vmware.com/s/article/52245

Postgres: https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de

Meltdown Checker: https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/

Meltdown, Spectre, Virtual loads and Security

Leave a Reply

Your email address will not be published. Required fields are marked *