L1 Terminal Fault (L1TF) Patching Considerations

On Tuesday August 14th, Intel released news of the latest vulnerability, L1 Terminal Fault (L1TF), also known as Foreshadow. In response, VMware released vSphere patches to address the issue. Since then I have seen quite a few threads come up, and I thought I would address them from a patching perspective.

I wanted to clarify that when remediating your vSphere environment you should make sure to apply the updates in the correct order: vCenter Server MUST be patched prior to updating ESXi.

L1TF Remediation Order

In some cases I have seen users patch ESXi before their vCenter Server, resulting in generic errors such as "esx.problem.hyperthreading.unmitigated.formatOnHost not found" or "esx.problem.hyperthreading.unmitigated". These appear because the unpatched vCenter Server cannot resolve the new message key that the patched host reports.

KB57374 has been created to give users the details of this error.

Patched Using Incorrect Order

However, if done properly, with ESXi patched after vCenter Server, you would instead see the following warning on your ESXi host.

Patched Using Proper Order

Once you have performed the remediation on the hosts to correct all aspects, that warning will go away.
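As an added example (not part of the original post or of any VMware tooling), the script below triages exported host event text into the three states described above: the unresolved message key, which means ESXi was patched before vCenter Server; the rendered warning, which means the order was correct but the host still needs remediation; and no warning at all. The event lines, host names, and the wording of the rendered warning are constructed sample data; only the `esx.problem.hyperthreading.unmitigated` key comes from the post.

```python
"""Triage L1TF hyperthreading warnings from vSphere host event text.

Added example, not from the original post. Each host is classified as:
  ORDER_ERROR      - the raw key 'esx.problem.hyperthreading.unmitigated'
                     (optionally with '.formatOnHost not found') was logged,
                     i.e. ESXi was patched before vCenter Server (KB57374)
  NEEDS_MITIGATION - vCenter rendered the warning, so the order was correct
                     but the host still needs the remediation in KB55806
  CLEAR            - no hyperthreading warning recorded for the host
"""
import re
from typing import Dict, Optional

# Message key from the post; an unpatched vCenter cannot resolve it.
KEY = "esx.problem.hyperthreading.unmitigated"
UNRESOLVED_RE = re.compile(re.escape(KEY) + r"(\.formatOnHost not found)?\b")

# Precedence when a host has several events: worst state wins.
PRECEDENCE = {"CLEAR": 0, "NEEDS_MITIGATION": 1, "ORDER_ERROR": 2}

ACTIONS = {
    "ORDER_ERROR": "Patch vCenter Server first, then re-check the host (KB57374).",
    "NEEDS_MITIGATION": "Apply the host remediation steps in KB55806 / VMSA-2018-0020.",
    "CLEAR": "No L1TF warning recorded; verify patch level separately.",
}

# Constructed sample export: "<host>\t<event text>" per line. The rendered
# warning wording and host names are invented for this example.
SAMPLE_EVENTS = """\
esx01.lab.local\tesx.problem.hyperthreading.unmitigated.formatOnHost not found
esx02.lab.local\tThis host is potentially vulnerable to issues described in CVE-2018-3646, see KB55806
esx03.lab.local\tHost connection restored
esx04.lab.local\tesx.problem.hyperthreading.unmitigated
esx02.lab.local\tAlarm 'Host hyperthreading' on esx02.lab.local changed from Gray to Yellow
"""


def classify_event(text: str) -> Optional[str]:
    """Map one event line to a state, or None if it is unrelated to L1TF."""
    # Check the raw key first: it also contains the word 'hyperthreading'.
    if UNRESOLVED_RE.search(text):
        return "ORDER_ERROR"
    lowered = text.lower()
    if "cve-2018-3646" in lowered or "hyperthreading" in lowered:
        return "NEEDS_MITIGATION"
    return None


def triage(events_text: str) -> Dict[str, str]:
    """Return {host: state} for every host seen in the tab-separated export."""
    states: Dict[str, str] = {}
    for line in events_text.splitlines():
        if not line.strip() or "\t" not in line:
            continue  # skip blank or malformed lines
        host, text = line.split("\t", 1)
        current = states.setdefault(host, "CLEAR")
        found = classify_event(text)
        if found and PRECEDENCE[found] > PRECEDENCE[current]:
            states[host] = found
    return states


def recommended_action(state: str) -> str:
    """Remediation guidance for a triage state, per the post's patching order."""
    return ACTIONS[state]


if __name__ == "__main__":
    for host, state in triage(SAMPLE_EVENTS).items():
        print(f"{host:18} {state:17} {recommended_action(state)}")
```

Run it against a real export by replacing `SAMPLE_EVENTS` with the contents of a tab-separated host/event dump; any host reported as `ORDER_ERROR` is the signature of the wrong patching order, and patching vCenter Server clears it without touching the host again.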

Please stay tuned to KB55806 and VMSA-2018-0020 for any updates to the remediation steps.
