VMware vSphere

VMware hypervisors may be impacted by CVE-2022-40982 (https://downfall.page  ) , but VMware will not release patch for this.

https://blogs.vmware.com/security/2023/08/cve-2022-40982.html

HPE will solve this vulnerability only for gen10 servers:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04510en_us

BL460c Gen9 still supported by vmware:
https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=server&productid=39989&deviceCategory=server&details=1&partner=515&releases=578&keyword=bl460&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc

So how can we solve this for Gen9 esxi servers?

It's up to the vendor to build, test and release the microcode updates for the CPUs. That being said, this isn't as bad as spectre or meltdown.

The vulnerability is mainly in the AVX instruction set, which is used primarily in HPC workloads from what I understand. So unless you're using those specific instruction sets, it shouldn't be that bad.

It is not only question for vendor because, for example:

Citrix has released hotfix to solve this issue by updating Intel microcode version to IPU 2023.3 :
https://support.citrix.com/article/CTX570473/hotfix-xs82ecu1045-for-citrix-hypervisor-82-cumulative-update-1

XEN has released advisory where is described mitigation for whole hypervisor or for specic untrusted VMs.
http://xenbits.xen.org/xsa/advisory-435.html

As far as I understand the available information the Guest OS is not affected. Is it correct that only the hypervisor could be affected?

Thanks in advance!

Regards

Christian