L1 Terminal Fault Vulnerability AKA Foreshadow

Here we go again: the L1 Terminal Fault vulnerability, AKA "Foreshadow", was disclosed by Intel last week, and it has potentially greater impact on Public Cloud (Amazon, Azure, Google) users than any of the previously disclosed speculative-execution vulnerabilities.

What it is:

At its most simple, Foreshadow allows a malicious VM to read data left in the L1 data cache of the physical core it runs on, which can include memory of the hypervisor or of another VM that shares that core (either one that ran on it just before, or one running at the same moment on the core's sibling Hyperthread). The hypervisor variant is tracked as CVE-2018-3646.

Who it impacts:

If you run your own vSphere, Foreshadow probably doesn't mean too much to you, so long as all of your VMs are of approximately the same trust level (for example: all VMs belong to the same Active Directory domain owned by your organization). The attack needs an attacker-controlled VM on the same physical core as the victim; if every VM on the host is yours, an attacker would first have to compromise one of them, which raises the question of whether your internet-facing VMs really belong in the same trust level as, say, your domain controllers.

If you are a client of the Public Cloud, Foreshadow could have potentially devastating impacts: a malicious tenant sharing a physical core with you could read your VM's memory. Make sure sensitive data runs on systems which have been remediated against Foreshadow, and note that you cannot verify the hypervisor-side mitigation from inside your VM; only the provider can confirm that its hypervisor flushes the L1 cache on VM entry and does not schedule other tenants on your core's sibling Hyperthread. The remediation may cause an up to 30% reduction in the performance of Public Cloud based systems which have been remediated against Foreshadow.

How you fix it:

To fully fix Foreshadow, you need two things. First, apply the patches: the guest OS patches, and the hypervisor patches (VMware's VMSA-2018-0020 for ESXi), which make the hypervisor flush the L1 data cache whenever it enters a VM, so that nothing left behind by the hypervisor or a previous VM can be read. Second, stop untrusted VMs from sharing the two Hyperthreads of one physical core at the same time, because the L1 cache is shared between the siblings and the flush cannot protect against a VM running concurrently on the other thread. The blunt way is to disable Hyperthreading on all CPUs; in vSphere you instead enable the ESXi Side-Channel-Aware Scheduler, which schedules only one vCPU per physical core and leaves the sibling thread idle. IF YOU DO SO, expect up to an approximately 30% hit to performance on busy hosts, since half of your logical CPUs are effectively taken out of service. As long as all of your VMs can be considered to be of the same Trust level, we recommend applying the VMware patches but NOT ENABLING the ESXi Side-Channel-Aware Scheduler. If you do not enable the ESXi Side-Channel-Aware Scheduler, the impact to performance from the L1 cache flush alone should be negligible for most workloads.
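To check where a host actually stands, the script below is an added example, not code from VMsources or VMware. It assumes VMware's documented kernel setting hyperthreadingMitigation (shown as VMkernel.Boot.hyperthreadingMitigation in the vSphere client, per VMware KB 55806) backs the Side-Channel-Aware Scheduler, that esxcli prints it as a table with Name / Type / Configured / Runtime / Default / Description columns, and, for Linux guests, the kernel's status strings in /sys/devices/system/cpu/vulnerabilities/l1tf. The esxcli output embedded at the end is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not VMsources' or VMware's code.
# Assumed: the ESXi kernel setting "hyperthreadingMitigation" (the vSphere
# client's VMkernel.Boot.hyperthreadingMitigation, per VMware KB 55806) backs the
# Side-Channel-Aware Scheduler, and "esxcli system settings kernel list" prints a
# table with Name / Type / Configured / Runtime / Default / Description columns.

# sca_state TEXT
#   TEXT is the output of:  esxcli system settings kernel list -o hyperthreadingMitigation
#   Prints ACTIVE  (Runtime TRUE: the scheduler is protecting you now),
#          PENDING (Configured TRUE but Runtime FALSE: not in effect yet),
#          OFF     (both FALSE), or UNKNOWN (setting not found in TEXT).
sca_state() {
    printf '%s\n' "$1" | awk '
        $1 == "hyperthreadingMitigation" {
            found = 1
            if (toupper($4) == "TRUE")      print "ACTIVE"
            else if (toupper($3) == "TRUE") print "PENDING"
            else                            print "OFF"
            exit
        }
        END { if (!found) print "UNKNOWN" }'
}

# guest_l1tf_state TEXT
#   TEXT is the contents of /sys/devices/system/cpu/vulnerabilities/l1tf on Linux.
#   Inside a VM the kernel can only report its own PTE-inversion fix; the "VMX:"
#   part only appears on a machine running a hypervisor, so a cloud tenant cannot
#   see from here whether the provider flushes L1D or keeps sibling threads apart.
guest_l1tf_state() {
    case "$1" in
        "Not affected")               echo "NOT_AFFECTED" ;;
        *"VMX: vulnerable"*)          echo "HOST_NO_L1D_FLUSH" ;;
        *"SMT disabled"*)             echo "HOST_MITIGATED_SMT_OFF" ;;
        *"SMT vulnerable"*)           echo "HOST_L1D_FLUSH_ONLY_SMT_VULNERABLE" ;;
        "Mitigation: PTE Inversion")  echo "GUEST_MITIGATED" ;;
        Vulnerable*)                  echo "VULNERABLE" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

if command -v esxcli >/dev/null 2>&1; then
    # On an ESXi host: the build must be one of the fixed builds listed in
    # VMSA-2018-0020 for the L1D flush to be present at all.
    echo "ESXi version: $(vmware -vl 2>/dev/null)"
    out=$(esxcli system settings kernel list -o hyperthreadingMitigation)
    echo "Side-Channel-Aware Scheduler: $(sca_state "$out")"
    # To turn it on once the host is patched (then watch Configured vs Runtime):
    #   esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE
elif [ -r /sys/devices/system/cpu/vulnerabilities/l1tf ]; then
    # On a Linux host or guest.
    echo "Linux L1TF status: $(guest_l1tf_state "$(cat /sys/devices/system/cpu/vulnerabilities/l1tf)")"
else
    # Neither: run on a constructed esxcli sample (not captured from a real host)
    # so the parsing can be exercised anywhere.
    sample='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        FALSE    FALSE    Enable the Side-Channel-Aware Scheduler'
    echo "Sample host: $(sca_state "$sample")"   # PENDING: configured, not yet in effect
fi
```

Run it in the ESXi shell (it is plain POSIX sh, which ESXi's busybox shell accepts) or in a Linux VM. The Runtime column is the one that protects you: Configured TRUE with Runtime FALSE means the change has not taken effect yet. Inside a guest the sysfs file only reports the guest's own PTE-inversion fix, which is why a tenant still has to ask the cloud provider about the hypervisor.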

[Figure: Foreshadow chart]

What VMsources is doing about it:

We encapsulate all systems, internal and Client, in dedicated Private Cloud resources within the same Trust Level, and we have applied the ESXi Side-Channel-Aware Scheduler. Because we are vastly overprovisioned, performance of your VMsources-based systems will not be negatively affected at the hypervisor.

Please schedule an appointment if you would like VMsources to remediate your systems with the latest VMware patches addressing Foreshadow, and to evaluate whether you need to enable the ESXi Side-Channel-Aware Scheduler.

Call: 215-764-6442

Email: john@vmsources.com andrew@vmsources.com brian@vmsources.com


Sincerely,

John L. Borhek, VCP 6.5….

Lead Solutions Architect

VMsources Group Inc.