I’ve done some work testing the performance impact and mitigation status of Meltdown and Spectre on the VMware platform.
In summary, I can confirm that patching the hypervisor host alone does not mitigate or automatically protect guest VMs: the guests need to be patched as well.
On the performance side (using pgbench for database testing), I can confirm a significant performance impact on certain workloads, as shown below, when the guest OS is patched. Patching the hypervisor does not appear to significantly impact performance in this case.
Vulnerability status is as reported by spectre-meltdown-checker.sh inside the guest; performance slowdown is relative to the fully unpatched host/guest combination (a negative value means the run was faster than the baseline).

| ESXi 6.5 hypervisor host | Ubuntu 16.04 guest | CVE-2017-5753 Spectre Variant 1 | CVE-2017-5715 Spectre Variant 2 | CVE-2017-5754 Meltdown (Variant 3) | TPC-B slowdown | Select Only slowdown |
|---|---|---|---|---|---|---|
| UNPATCHED | UNPATCHED | Vulnerable | Vulnerable | Vulnerable | baseline | baseline |
| UNPATCHED | PATCHED | Vulnerable | Vulnerable | NOT Vulnerable | 25.8% | 32.4% |
| PATCHED | UNPATCHED | Vulnerable | Vulnerable | Vulnerable | -7.2% | 0.8% |
| PATCHED | PATCHED | Vulnerable | Vulnerable | NOT Vulnerable | 26.0% | 25.9% |
As you can see, we are still waiting on mitigations for Spectre Variant 1 and Variant 2 at the guest OS level.
In order to get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to application software as well.
But in the case of VMware, the statement (from the VMware KB article linked below) is:
Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM. VMware’s hypervisor products are affected by the known examples of variant 1 and variant 2 vulnerabilities and do require the associated mitigations. Known examples of variant 3 do not affect VMware hypervisor products.
So, at this time, running your workload on a patched VMware hypervisor should be safe as far as the hypervisor is concerned, but patching the guest OS can lead to significant performance issues.
Testing methodology
1) 2 physically identical ESXi host servers
2) Same ESXi 6.5 installation on both. One node with the additional 3 patches required
3) 2 virtual machines: a base Ubuntu 16.04 server with PostgreSQL 9.5, and a second VM, an identical clone, with only the Meltdown kernel patch applied
4) Vulnerability status reported by spectre-meltdown-checker.sh
5) PostgreSQL benchmark: `pgbench -C -T120` (TPC-B-like) and `pgbench -C -T120 -S` (select only)
6) Each test was run in turn and was the only workload on the test host at that time
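The following script is an added example, not part of the original post, that wraps the methodology above so the runs are repeatable and the slowdown figures in the table can be recomputed rather than worked out by hand. It assumes `pgbench` is on the PATH and a database named `bench` (an assumed name) has already been initialised with `pgbench -i`; the tps-parsing and percentage helpers run without either. The kernel-reported status comes from `/sys/devices/system/cpu/vulnerabilities/`, which recent Linux kernels expose and which spectre-meltdown-checker.sh also consults, so the two can be compared.

```shell
#!/bin/sh
# Added example harness for the Meltdown/Spectre pgbench methodology.
# Assumptions: pgbench on PATH, a pre-initialised database (default name "bench").
set -eu

# Extract the tps figure pgbench prints. With -C (new connection per
# transaction) the "including connections establishing" number is the one
# that reflects the workload actually measured, so that is the line taken.
tps_from_pgbench_output() {
  awk '/^tps = / && /including connections/ { print $3; exit }'
}

# Slowdown of a patched run relative to the unpatched baseline, as a
# percentage with one decimal place. Negative output means the "patched"
# run was faster (as in the PATCHED-host / UNPATCHED-guest TPC-B row).
slowdown_pct() {
  awk -v base="$1" -v patched="$2" \
    'BEGIN { printf "%.1f", (base - patched) / base * 100 }'
}

# Kernel-reported mitigation status for each known issue (meltdown,
# spectre_v1, spectre_v2, ...). Prints a notice if the kernel is too old
# to expose the sysfs files.
vuln_status() {
  for f in /sys/devices/system/cpu/vulnerabilities/*; do
    if [ ! -e "$f" ]; then
      echo "sysfs vulnerability files not present on this kernel"
      return 0
    fi
    printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# One benchmark pair: TPC-B-like, then select-only. Prints two tps values,
# one per line, so they can be fed to slowdown_pct against a baseline pair.
run_pair() {
  db="${1:-bench}"
  pgbench -C -T120 "$db" | tps_from_pgbench_output
  pgbench -C -T120 -S "$db" | tps_from_pgbench_output
}

# Usage: ./bench.sh run [dbname]        -> status + two tps values
#        ./bench.sh compare BASE PATCHED -> slowdown percentage
case "${1:-}" in
  run)     vuln_status; run_pair "${2:-bench}" ;;
  compare) slowdown_pct "$2" "$3"; echo ;;
esac
```

Record the `run` output once per host/guest combination, then `compare` each tps value against the fully unpatched figure to reproduce the slowdown columns; the status lines let you confirm the guest's mitigation state at the moment the benchmark ran rather than relying on which kernel you believe was booted.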
Links
Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
VMware: https://kb.vmware.com/s/article/52245
Postgres: https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de
Meltdown Checker: https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/