Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)

Important: This KB was only relevant for organizations that had deployed ESXi650-201801402-BG, ESXi600-201801402-BG, and/or ESXi550-201801401-BG which were pulled down on 01/12/18. VMware’s recommendation is to instead follow the procedure laid out in Hypervisor-Assisted Guest Mitigation for branch target injection. Note that ESXi650-201803401-BG, ESXi600-201803401-BG, and ESXi550-201803401-BG will remove the workaround line below from /etc/vmware/config when applied. Host profiles in ESXi 6.5 may re-introduce the workaround under certain circumstances, see KB52460 for more information. This KB article (52345) will remain published for historical purposes.

Although VMware strongly recommends that customers obtain microcode patches through their hardware vendor, as an aid to customers, VMware also included the initial microcode patches in ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG. Intel has notified VMware of recent sightings that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel processors (see Table 1.) The issue can occur when the speculative execution control is actually used within a virtual machine by a patched OS. As a result, VMware is delaying new releases of microcode updates while it works with Intel to resolve microcode patch issues as quickly as possible.

This document is focused on Intel microcode issues and VMware’s recommendations. Please review KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) for a holistic view on VMware’s response to these issues.
Note: ESXi patches associated with VMSA-2018-0004 have been pulled down from the online and offline portal.
  1. For VUM customers who have already downloaded the patches associated with VMSA-2018-0004, those patches continue to persist in the VUM depot even after the EP is rolled back. However, if such a customer tries to remediate a patch baseline created against the bulletins of these patches, the following error is encountered: "Cannot download software packages from patch source". Any baseline (including VMware pre-defined baselines) that includes one or more of the bulletins corresponding to VMSA-2018-0004 will produce the error above and will not be able to proceed with remediation. Such customers should create a dynamic or static baseline that excludes the bulletins ESXi650-201801401-BG, ESXi650-201801402-BG, ESXi600-201801401-BG, ESXi600-201801402-BG and ESXi550-201801401-BG, and continue with the remediation process. For more information on creating and editing patch or extension baselines, see the vSphere 6.5 documentation.
  2. For customers who have configured UMDS for offline patching, the patches associated with VMSA-2018-0004 continue to persist in the UMDS depot directory even after the roll-back and can still be applied from there. Such customers should manually remove the binaries/VIBs from the UMDS directory, or direct downloads to a new UMDS directory location, to stay in sync with VMware's online depot. For more information see How to configure the UMDS download location.
  3. Customers who use stateless boot through Auto Deploy will have to update the existing rule to point to the image profile associated with VMSA-2018-0002 instead. If you continue without updating the rule, Auto Deploy will stateless-boot into the image associated with VMSA-2018-0004, which is not intended.
For ESXi hosts that have not yet applied one of the patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so. Apply the patches listed in VMSA-2018-0002 instead.

For servers using affected Intel processors (see Table 1.) that have applied ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG VMware recommends the following:

  • On each affected ESXi host, add the following line in the /etc/vmware/config file:
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
  • This will hide the speculative-execution control mechanism for virtual machines which are power-cycled afterwards on the ESXi host.
  • This line will need to be removed after applying a future fixed microcode from Intel in order to enable the full guest OS mitigations for CVE-2017-5715.
  • When convenient, power-cycle virtual machines on the affected ESXi hosts; rebooting of the ESXi host is not required.
  • On stateless vSphere ESXi hosts running ESXi 5.5 or 6.0, this line must be re-applied every time the ESXi host reboots. VMware is investigating other options at this time.
  • For information on how to use a text editor, see Editing files on an ESX host using vi or nano (1020302).
The effect of these recommendations for an affected ESXi host is that the speculative execution control mechanism is no longer available to virtual machines even if the server firmware provides the same microcode independently. (For customers who have applied the same microcode updates from their server vendor’s Firmware/BIOS, this recommendation may remove the need to downgrade the firmware. Consult your server vendor directly for guidance.)
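To make concrete what the cpuid.7.edx line does, here is an added example (not VMware's code, and not from the original KB) that parses the mask string in VMware's cpuid-mask syntax, where the 32 characters run from bit 31 down to bit 0, '-' passes the host bit through and '0'/'1' forces it, and applies it to a constructed sample host value. The bit names for CPUID.(EAX=7,ECX=0):EDX (bit 26 = IBRS/IBPB, bit 27 = STIBP) are taken from Intel's CPUID documentation; the sample register value is constructed for illustration.

```python
# Parse a VMware-style cpuid mask (the "cpuid.7.edx" value from the workaround)
# and apply it to a 32-bit register value to see which feature bits a guest
# stops seeing after the next power cycle.

WORKAROUND_MASK = "----:00--:----:----:----:----:----:----"

# Constructed sample host value: bits 26 and 27 set, i.e. a host whose
# microcode advertises IBRS/IBPB and STIBP in CPUID.7.EDX.
SAMPLE_HOST_EDX = (1 << 26) | (1 << 27)

# CPUID.(7,0):EDX bit names per Intel documentation; these are the bits the
# KB's mask clears.
CPUID7_EDX_BITS = {26: "IBRS/IBPB", 27: "STIBP"}


def parse_mask(mask: str) -> dict:
    """Return {bit_index: mask_char}; the string is MSB first, ':' separates nibbles."""
    chars = mask.replace(":", "")
    if len(chars) != 32:
        raise ValueError("mask must cover 32 bits, got %d" % len(chars))
    return {31 - i: c for i, c in enumerate(chars)}


def apply_mask(mask: str, host_value: int) -> int:
    """Value the guest sees: '-' keeps the host bit, '0'/'1' forces the bit.
    Other VMware mask characters are not used by this KB and are rejected
    (assumption: only '-', '0' and '1' need to be handled here)."""
    result = host_value & 0xFFFFFFFF
    for bit, c in parse_mask(mask).items():
        if c == "-":
            continue
        if c == "0":
            result &= ~(1 << bit)
        elif c == "1":
            result |= 1 << bit
        else:
            raise ValueError("unsupported mask character %r" % c)
    return result


def hidden_features(mask: str, host_value: int) -> list:
    """Known CPUID.7.EDX features the host advertises but the mask hides."""
    guest = apply_mask(mask, host_value)
    return [name for bit, name in sorted(CPUID7_EDX_BITS.items())
            if (host_value >> bit) & 1 and not (guest >> bit) & 1]


if __name__ == "__main__":
    print("guest EDX: 0x%08x" % apply_mask(WORKAROUND_MASK, SAMPLE_HOST_EDX))
    print("hidden:", hidden_features(WORKAROUND_MASK, SAMPLE_HOST_EDX))
```

Once a fixed microcode is applied and the line removed, running the same check with an all-'-' mask shows both features passed through again, which is the state the KB says is required for full guest mitigation of CVE-2017-5715.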

VMware is working closely with Intel and the industry to come to a quick resolution of this Intel microcode issue and provide an update to our customers as soon as possible.

Table 1:

VCG Processor Series/Family | Encoded CPUID Family.Model.Stepping | Processor SKU Stepping | Microcode Revision
Intel Xeon E3-1200-v3, Intel i3-4300, Intel i5-4500-TE, Intel i7-4700-EQ | 0x000306C3 | C0 | 0x00000023
Intel Xeon E5-1600-v2, Intel Xeon E5-2400-v2, Intel Xeon E5-2600-v2, Intel Xeon E5-4600-v2 | 0x000306E4 | C1/M1/S1 | 0x0000042A
Intel Xeon E5-1600-v3, Intel Xeon E5-2400-v3, Intel Xeon E5-2600-v3, Intel Xeon E5-4600-v3 | 0x000306F2 | C0/C1, M0/M1, R1/R2 | 0x0000003B
Intel Xeon E7-8800/4800-v3 | 0x000306F4 | E0 | 0x00000010
Intel Xeon E3-1200-v4 | 0x00040671 | G0 | 0x0000001B
Intel Xeon E5-1600-v4, Intel Xeon E5-2600-v4, Intel Xeon E5-4600-v4 | 0x000406F1 | B0/M0/R0 | 0x0B000025
Intel Xeon E7-8800/4800-v4 | 0x000406F1 | B0/M0/R0 | 0x0B000025
Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 (Skylake-SP) Series | 0x00050654 | H0 | 0x0200003A
Intel Xeon Platinum 8100 (Skylake-SP) Series | 0x00050654 | H0 | 0x0200003A
Intel Xeon D-1500 | 0x00050663 | V2 | 0x07000011
Intel Xeon E3-1200-v5 | 0x000506E3 | R0/S0 | 0x000000C2
Intel Xeon E3-1200-v6 | 0x000906E9 | B0 | 0x0000007C


01/23/18: Updated document to reflect that all vSphere supported Intel-based processors listed in Table 1. are affected.
03/20/18: Updated document with information on VMSA-2018-0004.3 major updates.
Matt Hampton
9/23/2019 7:20 PM