I had two customers asking today what happened to ESXi 6.5 build 7526125. They had downloaded the patches and installed them in their test environment. When they were ready to patch some of their production clusters they ran a validation and found that the patch (ESXi650-201801001.zip) had disappeared from the face of the earth. This patch included microcode for Intel processors, and Intel informed VMware that there was potentially an issue with that microcode. As a result VMware decided to pull the patch, as noted in the KB article. Those who had already downloaded the patches and are updating manually should make sure to delete them. Those who use VUM should make sure to exclude them from their baselines, as mentioned in the KB:
Any baseline (including VMware Pre-defined Baseline), that includes one or more of the bulletins that correspond to patch VMSA-2018-0004, would experience the above listed error and hence, will not be able to proceed with the remediation process. For such customers, it is recommended to create dynamic or static baseline excluding the bulletins ESXi650-201801401-BG, ESXi650-201801402-BG, ESXi600-201801401-BG, ESXi600-201801402-BG, ESXi550-201801401-BG and continue with the remediation process. For more information on Create and Edit Patch or Extension Baselines see the vSphere 6.5 document.
Normally I don’t share these types of things anymore, but as I had two people asking on the same day I figured I would, since it seems not everyone had noticed that the patches were pulled and replaced. If you haven’t downloaded the patches yet, or haven’t patched your systems but want to, read this advisory first and use the patches mentioned in it.
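Two checks a practitioner would want to run before and after acting on this: is a host actually on the pulled build 7526125, and does its /etc/vmware/config already carry the cpuid.7.edx workaround line that the KB quotes (and that comes up in the comments below). The script that follows is an added example, not code from this post or from VMware. It works on text passed to it, so it can run offline against the constructed samples embedded here; on a host you would feed it the output of `vmware -vl` and the contents of /etc/vmware/config. The `vmware -vl` output format ("VMware ESXi 6.5.0 build-NNNNNNN") and the sample config line are assumptions, labelled as such in the code.

```shell
#!/bin/sh
# Added example (not from the post or from VMware): check a host's reported
# build against the pulled build 7526125 and check whether a config text
# already carries the cpuid.7.edx workaround line quoted from the KB.
# Input is passed as text so the script runs offline against the
# constructed samples below.

PULLED_BUILD=7526125
WORKAROUND_LINE='cpuid.7.edx = "----:00--:----:----:----:----:----:----"'

# extract_build: print the build number from `vmware -vl`-style output
# (assumed format: "VMware ESXi 6.5.0 build-7526125"); prints nothing if
# no build- token is present.
extract_build() {
  printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# build_is_pulled: succeed (exit 0) when the reported build is the pulled one.
build_is_pulled() {
  [ "$(extract_build "$1")" = "$PULLED_BUILD" ]
}

# has_workaround: succeed (exit 0) when the config text contains the
# cpuid.7.edx line, ignoring leading/trailing whitespace. The match is a
# fixed whole-line string (-xF) so the dashes and colons are literal.
has_workaround() {
  printf '%s\n' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$WORKAROUND_LINE"
}

# assess: print one verdict for a build string and a config text.
assess() {
  build_out=$1
  config=$2
  if build_is_pulled "$build_out"; then
    if has_workaround "$config"; then
      echo "pulled-build-with-workaround"
    else
      echo "pulled-build-no-workaround"
    fi
  else
    if has_workaround "$config"; then
      echo "other-build-with-workaround"
    else
      echo "other-build"
    fi
  fi
}

# Constructed samples (not captured from a real host).
SAMPLE_PULLED='VMware ESXi 6.5.0 build-7526125
VMware ESXi 6.5.0 Update 1'
SAMPLE_CONFIG_FIXED='libdir = "/usr/lib/vmware"
cpuid.7.edx = "----:00--:----:----:----:----:----:----"'

# Run with --demo to print the verdict for the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  assess "$SAMPLE_PULLED" "$SAMPLE_CONFIG_FIXED"
fi
```

The whole-line fixed-string match is deliberate: a host that has the line commented out, or with a different mask, should not be reported as having the workaround in place.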
Thank you for the heads-up. We have already applied the fix, and based on the KB it says:
For servers using affected Intel processors (see Table 1.) that have applied ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG VMware recommends the following:
On each affected ESXi host, add the following line in the /etc/vmware/config file:
cpuid.7.edx = "----:00--:----:----:----:----:----:----"
What would happen if we do not perform the above mentioned changes? Would there be any performance or stability issue on the ESXi host?
Our ESXi is a private cloud and only a handful of trusted admins have access to the VMs, thus we believe our risk of exposure is low.
I don’t know what the potential impact is, but “stability” could indeed be one of them.
Please review KB52245 for a holistic view on VMware’s response = We don’t comment on Intel’s “sightings”, we recommend adding the very simple workaround and power cycling VMs.
The decision is up to you.
Paul T says
We have had a weird issue for a couple weeks where guests would crash on only a particular host. The host in question is the only one updated to build 7526125. I am downgrading it as we speak. I also went through and re-initialized all of my VUM instances to purge all downloaded patches. Hopefully this is the issue with my host.
I have opened an SR with VMware and was told the following:
“We can confirm at this time that in terms of the operational aspect of vCenter or ESXi, there is no impact. It is just that it is not secure and it is vulnerable.”
Just want to let you know that I unfortunately downloaded this patch and applied it to my cluster. For 25 days there has been no impact on stability or anything. Everything works normally…