Some time back, VMware has updated one of KBs on “Hypervisor-Assisted Guest Mitigation for branch target injection”. Please take a look at this KB here. In this KB, there is one important section on “how to confirm a host has both patched microcode and patched VMware hypervisor?” In fact, there are multiple ways to confirm it and one of the ways is specified in the KB itself i.e. scanning VM vmware.log file for new cpuids. Last time, I had automated exactly the same way using PowerCLI. Since there is a very handy host level vSphere API property available to confirm these patches, I thought to write a quick pyVmomi script. This will be very handy for people who prefer pyVmomi. Also as it uses native vSphere APIs, it will be faster than its PowerCLI equivalent.
This script i.e. hosts_patched.py available on my git repo as well.
from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim
# Script to confirm whether EVC cluster is patched or not for Spectre vulenerability.
""" Get arguments from CLI """
parser = argparse.ArgumentParser(
description=’Arguments for talking to vCenter’)
help=’vSpehre service to connect to’)
help=’Port to connect on’)
help=’Username to use’)
help=’Password to use’)
help=’Name of the cluster you wish to check’)
args = parser.parse_args()
if not args.password:
args.password = getpass.getpass(
prompt=’Enter vCenter password:’)
# Below method helps us to get MOR of the object (vim type) that we passed.
def get_obj(content, vimtype, name):
obj = None
container = content.viewManager.CreateContainerView(content.rootFolder, vimtype, True)
for c in container.view:
if name and c.name == name:
obj = c
args = get_args()
si= SmartConnect(host=args.host, user=args.user, pwd=args.password,sslContext=s)
cluster = get_obj(content,[vim.ClusterComputeResource],cluster_name)
print ("Cluster not found, please enter correct EVC cluster name")
print ("Cluster Name:"+cluster.name)
# Get all the hosts available inside cluster
hosts = cluster.host
#Iterate through each host to get MaxEVC mode supported on the host
for host in hosts:
feature_capabilities = host.config.featureCapability
for capability in feature_capabilities:
if(capability.key in ["cpuid.STIBP", "cpuid.IBPB","cpuid.IBRS"] and capability.value=="1"):
print ("No new cpubit found, hence "+host.name+" is NOT patched")
print ("New CPU bit is found, hence "+host.name+" is patched")
This script takes VCIP, username, password and cluster-name (with or without EVC) as parameter. Let us take a look at below output.
vmware@localhost:~$ python hosts_patched.py -s 10.192.30.40 -u Administrator@vsphere.local -c EVCCluster
Enter vCenter password:
New CPU bit is found, hence 10.20.43.35 is patched
No new cpubit found, hence 10.20.43.36 is NOT patched
Based on above script, it is clear that there are 2 hosts inside the cluster and only one of them has exposed new cpuids, that confirms it is patched with both ESXi hypervisor & microcode.
1. I highly recommend you take a look at last post on EVC cluster.
2. Empty EVC cluster issue discussed here is fixed with latest vCenter Patches
3. My PowerCLI script to achieve the same
4. Tutorial on getting started pyVmomi
I hope you enjoyed this post, let me know if you have any questions/doubts.
Vikas Shitole is a Staff engineer 2 at VMware India R&D. He currently focusses on vCenter server in general, vSphere with Tanzu, VCF and partly VMware cloud. He is passionate about VMware customers & automation around VMware technologies. He has been a vExpert since last 9 years (2014-22) in row for his significant community contributions around VMware. He is also part of BU driven vExpert sub-programs i.e. vExpert App modernization, vExpert VMware Cloud on AWS & vExpert PRO as well. He is author of 2 VMware flings & holds multiple technology certifications. He has been speaker at International conferences such as VMworld Europe, VMworld USA & was designated VMworld 2018 blogger as well.
In addition, he is passionate cricketer, bicycle rider & aspiring Ironman 70.3. He also enjoys learning about fitness & nutrition.