Implementing Hypervisor-Assisted Guest Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)



Article ID: 318788


Products

VMware vSphere ESXi

Issue/Introduction

This article documents the Hypervisor-Assisted Guest Mitigations enablement process required to address the Microarchitectural Data Sampling (MDS) vulnerabilities identified by CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091 in vSphere.

In addition to the Hypervisor-Assisted Guest Mitigations described in this article, Hypervisor-Specific Mitigations and Operating System-Specific Mitigations are also required. These additional mitigations are documented in VMSA-2019-0008.

Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.7

Resolution

To enable hardware support for MD_CLEAR in vCenter Server and ESXi, follow these steps:

Note: Ensure vCenter Server is updated first. For more information, see the vMotion and EVC Information section.
  1. Upgrade to the versions of vCenter Server listed in section 3b. of VMSA-2019-0008.
  2. Apply the ESXi patches listed in section 3b. of VMSA-2019-0008. Note that multiple required patches are listed per ESXi version. These patches can all be applied at once so that only one reboot of the host is required.
To enable hardware support for MD_CLEAR in Workstation/Fusion, follow these steps:
  1. Deploy and/or update Workstation/Fusion to the versions listed in VMSA-2019-0008.
  2. Apply the microcode/BIOS updates for MDS from your platform vendor.
After enabling hardware support for MD_CLEAR, enable the MDS mitigation for each virtual machine via the following steps:
  1. Apply the applicable MDS security patches for your guest OS, as made available by the OS vendor.
  2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. See KB1010675 for details on Virtual Hardware versions and requirements. For best performance, Virtual Hardware Version 11 or higher is recommended; Virtual Hardware Version 11 enables PCID/INVPCID.
  3. Power off and then power on the virtual machine (a restart is insufficient).
vMotion and EVC Information 

An ESXi host that is running a patched vSphere hypervisor with updated microcode will see new CPU features that were not previously available.

These new features will be exposed to all Virtual Hardware Version 9+ VMs that are powered on by that host. Because these virtual machines now see additional CPU features, vMotion to an ESXi host that lacks the microcode or hypervisor patches will be prevented.

The vCenter patches enable vMotion compatibility to be retained within an EVC cluster.

In order to maintain this compatibility, the new features are hidden from guests within the cluster until all hosts in the cluster are properly updated. At that time, the cluster will automatically upgrade its capabilities to expose the new features. Unpatched ESXi hosts will no longer be admitted into the EVC cluster.

After vSphere has been patched for MDS, customers utilizing the per-VM EVC feature, introduced in Hardware Version 14 and newer, will also need to refresh the EVC mode of the VM. This refresh allows the per-VM EVC mode of the VM to recognize the new CPU features introduced by the patches. Not performing this step may result in the VM running less securely than desired.

From the UI: to refresh the per-VM EVC feature of the VM, navigate to the virtual machine. Under the Configure tab, select VMware EVC. Click Edit to bring up the current EVC selection, then click OK.
 
Confirmation of Correct Operation 

To confirm that a host has both the patched VMware hypervisor and updated microcode, use the following steps:
  1. Power on a virtual machine which is configured to use Virtual Hardware Version 9 or later.
  2. Examine the vmware.log file for that VM and look for the following entry:
Capability Found: cpuid.MDCLEAR
  3. The presence of this log entry indicates that both the CPU microcode and the hypervisor are properly updated.
To confirm end-to-end operation, including guest OS enablement of hardware support for the MDS mitigation, check with your OS vendor.
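The confirmation step above can be scripted when many VMs have to be checked. The following is an added example, not VMware's own tooling: it scans vmware.log content for the "Capability Found: cpuid.MDCLEAR" entry the article names and reports whether the VM was powered on with MD_CLEAR exposed. The sample log lines embedded in the script are constructed for illustration and are not real vmware.log output; the function names and the log path argument are assumptions of this example.

```python
import sys
from typing import Iterable

# Log entry the article says to look for once both the ESXi patch and the
# CPU microcode update are in place and the VM has been powered on.
MDCLEAR_ENTRY = "Capability Found: cpuid.MDCLEAR"


def mdclear_capability_found(lines: Iterable[str]) -> bool:
    """Return True if any vmware.log line reports the MDCLEAR capability.

    A plain substring match is used on purpose: vmware.log lines carry a
    timestamp and component prefix that varies between releases, and the
    capability string itself is the stable part.
    """
    return any(MDCLEAR_ENTRY in line for line in lines)


def check_vmware_log(path: str) -> bool:
    """Open a vmware.log file (path is an assumption here) and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return mdclear_capability_found(fh)


# Constructed sample lines (NOT real vmware.log output): a VM powered on by a
# host where MD_CLEAR is exposed, and one where it is not.
SAMPLE_PATCHED_LOG = [
    "2019-05-14T12:00:01.001Z| vmx| I125: Capability Found: cpuid.SSBD",
    "2019-05-14T12:00:01.002Z| vmx| I125: Capability Found: cpuid.MDCLEAR",
    "2019-05-14T12:00:01.003Z| vmx| I125: Capability Found: cpuid.IBRS",
]

SAMPLE_UNPATCHED_LOG = [
    "2019-05-14T12:00:01.001Z| vmx| I125: Capability Found: cpuid.SSBD",
    "2019-05-14T12:00:01.003Z| vmx| I125: Capability Found: cpuid.IBRS",
]


def describe(found: bool) -> str:
    """Human-readable verdict for an operator running the script."""
    if found:
        return "MD_CLEAR exposed to guest: hypervisor and microcode are updated"
    return ("MD_CLEAR not found: check ESXi patch level, microcode/BIOS, "
            "virtual hardware version (9+), and that the VM was powered "
            "off and on rather than restarted")


if __name__ == "__main__":
    # Usage: python check_mdclear.py /vmfs/volumes/<datastore>/<vm>/vmware.log
    if len(sys.argv) > 1:
        print(describe(check_vmware_log(sys.argv[1])))
    else:
        print("patched sample:  ", describe(mdclear_capability_found(SAMPLE_PATCHED_LOG)))
        print("unpatched sample:", describe(mdclear_capability_found(SAMPLE_UNPATCHED_LOG)))
```

Run without arguments it evaluates the two constructed samples; with a path it reads that vmware.log. Because the entry is only written at power-on, a negative result on a VM that has merely been rebooted inside the guest does not by itself mean the host is unpatched, which is why the verdict text points back at the power-off/power-on step.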