VMware vSphere CVE-2018-3646 mitigation on a new ESXi host

I reinstalled ESXi v7U3 on a new host in my home lab today and saw this notification below the summary information after adding it to my datacenter & cluster:

So, OK – I recognize this. The error/information warning is for the administrators notice to address CVE-2018-3646 (https://nvd.nist.gov/vuln/detail/CVE-2018-3646), which according to the CVE: “…may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis”.

Makes sense. This is a moderate CVSS score (5.6), and needs to be mitigated. This is one of those mitigations that requires a change to the system settings.

Let’s go ahead and walk-through the process.

Connect to vCenter Server
Select your ESXi host in the inventory
Click the Configure tab
Look under System menu heading
Click Advanced System Settings
Click Edit (on the right side)

I found using the text filter to be the easiest to find the Key/Value I needed to change. So click the filter icon, and type in “vmkernel.boot.hyperthreadingMitigation”. Most of the time you’ll be able to pull up the Key needed just with a minimal amount of searching.

Find the “vmkernel.boot.hyperthreadingMitigation” Key, and where the Value is set to “false”…

Change the Value to “true”…

Click “Save” and reboot your host.

You can also do this via SSH:

Connect to the host using SSH (I use puTTy or MTPuTTY)
Check the current value of the “vmkernel.boot.hyperthreadingMitigation” setting by running:
- esxcli system settings kernel list -o hyperthreadingMitigation

You will see this output:

Enable “vmkernel.boot.hyperthreadingMitigation” by running:
- esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE
Verify by running esxcli system settings kernel list -o hyperthreadingMitigation again…