pyVmomi script to confirm Speculative Store Bypass Disable (SSBD) mitigation on vSphere patches

A few hours back, VMware released vSphere patches to mitigate the “Speculative Store Bypass Disable (SSBD)” security issue. Please take a look at this KB for more details. In this post, as I did in the past, I am going to provide a pyVmomi script to confirm whether the vCenter server, ESXi hypervisor and microcode patches are applied to mitigate this critical security issue. Before we look into the script, one important point to note: these latest vSphere patches (both vCenter server and ESXi) are cumulative, and if you haven’t yet applied the earlier Spectre vulnerability patches [released as on 20th March], you can directly apply these patches to get the earlier fixes as well.

pyVmomi script to confirm SSBD mitigation

Notes:

  • This script works for all vSphere releases, i.e. 5.5, 6.0, 6.5 and 6.7.
  • This script, i.e. confirm_ssbd_patch.py, is available on my GitHub repo as well.
  • Since this patch is cumulative, the focus in this script is only on the SSBD cpubit.
  • This script takes the VCIP, username, password and cluster name (with or without EVC) as parameters.
  • Please take note of line #72 (the ssl.SSLContext line) regarding the SSL/TLS protocol.
  • As specified in the KB, you need to perform a VM power-cycle after applying the patch.

# Author: Vikas Shitole
# Product: vCenter server
# Description: Script to confirm whether vCenter server, hypervisor and microcode patches are applied or not : vCenter/ESXi patches for Speculative Store Bypass Disable vulnerability.
# Reference: https://kb.vmware.com/s/article/55111
# How to set up the pyVmomi environment:
# Linux: http://vthinkbeyondvm.com/how-did-i-get-started-with-the-vsphere-python-sdk-pyvmomi-on-ubuntu-distro/
# Windows: http://vthinkbeyondvm.com/getting-started-with-pyvmomi-on-windows-supports-vsphere-6-7/

from pyVim.connect import SmartConnect, Disconnect
from pyVmomi import vim
import atexit
import ssl
import sys
import argparse
import getpass

# Script to confirm whether EVC cluster is patched or not for Spectre vulnerability.

def get_args():
    """ Get arguments from CLI """
    parser = argparse.ArgumentParser(
        description='Arguments for talking to vCenter')

    parser.add_argument('-s', '--host',
                        required=True,
                        action='store',
                        help='vSphere service to connect to')

    parser.add_argument('-o', '--port',
                        type=int,
                        default=443,
                        action='store',
                        help='Port to connect on')

    parser.add_argument('-u', '--user',
                        required=True,
                        action='store',
                        help='Username to use')

    parser.add_argument('-p', '--password',
                        required=False,
                        action='store',
                        help='Password to use')

    parser.add_argument('-c', '--cluster',
                        required=True,
                        action='store',
                        default=None,
                        help='Name of the cluster you wish to check')

    args = parser.parse_args()

    if not args.password:
        args.password = getpass.getpass(
            prompt='Enter vCenter password:')

    return args


# The method below returns the MOR of the object (vim type) with the given name.
def get_obj(content, vimtype, name):
    obj = None
    container = content.viewManager.CreateContainerView(content.rootFolder, vimtype, True)
    for c in container.view:
        if name and c.name == name:
            obj = c
            break
    container.Destroy()
    return obj

args = get_args()
s = ssl.SSLContext(ssl.PROTOCOL_SSLv23) # For VC 6.5/6.0 s=ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# CERT_NONE turns off certificate verification, so the identity of the vCenter server is not checked.
s.verify_mode = ssl.CERT_NONE
si = SmartConnect(host=args.host, port=args.port, user=args.user, pwd=args.password, sslContext=s)
# Register the disconnect right after connecting so the session is closed on every exit path.
atexit.register(Disconnect, si)
content = si.content
cluster_name = args.cluster

print("-------------------------------------")
# Check whether vCenter server is patched or not
supported_evc_mode = si.capability.supportedEVCMode
# It is not required to check the "intel-ivybridge" EVC mode; you can choose any EVC mode from "intel-penryn" onwards.
ivy_masks = []  # stays empty if the EVC mode is not listed, instead of raising NameError below
for evc_mode in supported_evc_mode:
    if evc_mode.key == "intel-ivybridge":
        ivy_masks = evc_mode.featureMask
        break

vCenter_patched = False
for capability in ivy_masks:
    if capability.key == "cpuid.SSBD" and capability.value == "Val:1":
        print("Found::" + capability.key)
        vCenter_patched = True
if not vCenter_patched:
    print("No new cpubit found, hence vCenter server is NOT patched")
else:
    print("New CPU bit is found, hence vCenter Server is patched")
print("Current vCenter server build::" + si.content.about.fullName)

# Cluster object
cluster = get_obj(content, [vim.ClusterComputeResource], cluster_name)
if not cluster:
    print("Cluster not found, please enter correct EVC cluster name")
    sys.exit(1)

print("Cluster Name:" + cluster.name)

# Get all the hosts available inside cluster
hosts = cluster.host

# Iterate through each host and look for the SSBD cpubit in its feature capabilities
for host in hosts:
    print("----------------------------------")
    print("Host:" + host.name)
    # host.config may not be available for a disconnected host
    if host.config is None:
        print("Host configuration is not available, skipping " + host.name)
        continue
    feature_capabilities = host.config.featureCapability
    flag = False
    for capability in feature_capabilities:
        if capability.key == "cpuid.SSBD" and capability.value == "1":
            print("Found::" + capability.key)
            flag = True
    if not flag:
        print("No new cpubit found, hence " + host.name + " is NOT patched")
    else:
        print("New CPU bit is found, hence " + host.name + " is patched")
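
The script sets verify_mode to ssl.CERT_NONE, so the vCenter certificate is never checked while the administrator password is sent over the connection. The following is an added example, not part of the original script, that puts that context beside one that verifies the certificate; the function names and the ca_file, insecure and allow_tls10 parameters are assumptions, and ca_file stands for a PEM file holding the CA that signed the vCenter certificate.

```python
import ssl


def lab_context():
    """Same verification settings as the script: the server certificate is not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_file=None, allow_tls10=False):
    """Context that checks both the certificate chain and the host name.

    ca_file (assumed parameter): PEM bundle with the CA that issued the vCenter
    certificate. Without it, the operating system trust store is used.
    allow_tls10 (assumed parameter): only for older vCenter releases that the
    post says need TLSv1; otherwise TLS 1.2 is the floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname=True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if allow_tls10:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pick_context(ca_file=None, insecure=False, allow_tls10=False):
    """Verify by default; skipping verification needs an explicit opt-in."""
    if insecure:
        if ca_file:
            raise ValueError("ca_file and insecure are mutually exclusive")
        return lab_context()
    return verified_context(ca_file, allow_tls10)


def summarize(ctx):
    """Report the two settings that decide whether the server is authenticated."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("script-style context:", summarize(pick_context(insecure=True)))
    print("verified context:    ", summarize(pick_context()))
    # With pyVmomi the result is passed exactly as in the script:
    #   SmartConnect(host=..., user=..., pwd=..., sslContext=pick_context("vcenter-ca.pem"))
    # "vcenter-ca.pem" is a placeholder file name.
```

With the verified context, the name given with -s must match a name in the vCenter certificate, so connect by FQDN rather than by IP address unless the certificate lists the IP.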

Let us take a look at the output below.

Output

C:\Professional\vThinkBeyondVM\Spectre posts>python hosts_patched_ssbd.py -s 10.20.30.35 -u Administrator@vsphere.local -c "New Cluster"
Enter vCenter password:
-------------------------------------
Found::cpuid.SSBD
New CPU bit is found, hence vCenter Server is patched
Current vCenter server build::VMware vCenter Server 6.7.0 build-8833179
Cluster Name:New Cluster
----------------------------------
Host: 10.20.30.51
No new cpubit found, hence 10.20.30.51 is NOT patched
----------------------------------
Host: 10.20.30.52
Found::cpuid.SSBD
New CPU bit is found, hence 10.20.30.51 is patched

The above output shows that the vCenter server is patched and one of the two ESXi hosts is patched successfully.
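
For running this check on a schedule, the same two tests (the "Val:1" mask on the vCenter EVC mode and the "1" feature capability on each host) can be separated from the connection code so that they return a result instead of printing one. The following is an added example, not part of the original script: it goes a little further than the script by reporting a disconnected host as "unknown" rather than unpatched and by producing an exit code. The function names, the exit-code convention and the sample objects are assumptions; the sample data is constructed and only mimics the pyVmomi attribute names.

```python
from types import SimpleNamespace as NS

SSBD_KEY = "cpuid.SSBD"


def vcenter_has_ssbd(supported_evc_modes, evc_key="intel-ivybridge"):
    """True/False when the EVC mode is listed, None when it is absent."""
    for mode in supported_evc_modes:
        if mode.key == evc_key:
            return any(m.key == SSBD_KEY and m.value == "Val:1"
                       for m in mode.featureMask)
    return None


def host_ssbd_status(host):
    """Return 'patched', 'not-patched' or 'unknown' for one host."""
    # A disconnected or unresponsive host may expose no config at all.
    # Calling it "not patched" would be a guess, so it gets its own state.
    if host.runtime.connectionState != "connected" or host.config is None:
        return "unknown"
    for cap in host.config.featureCapability:
        if cap.key == SSBD_KEY and cap.value == "1":
            return "patched"
    return "not-patched"


def audit_cluster(supported_evc_modes, hosts):
    """Return (report, exit_code) for use from cron or a CI job.

    Assumed convention: 0 = everything patched, 1 = something is confirmed
    unpatched, 2 = nothing confirmed unpatched but something is unknown.
    """
    report = {
        "vcenter": vcenter_has_ssbd(supported_evc_modes),
        "hosts": {h.name: host_ssbd_status(h) for h in hosts},
    }
    statuses = list(report["hosts"].values())
    if report["vcenter"] is False or "not-patched" in statuses:
        code = 1
    elif report["vcenter"] is None or "unknown" in statuses:
        code = 2
    else:
        code = 0
    return report, code


# --- Constructed sample data (stand-ins for pyVmomi objects) ---------------
def cap(key, value):
    return NS(key=key, value=value)


def fake_host(name, state, caps):
    config = None if caps is None else NS(featureCapability=caps)
    return NS(name=name, runtime=NS(connectionState=state), config=config)


SAMPLE_EVC = [NS(key="intel-ivybridge", featureMask=[cap(SSBD_KEY, "Val:1")])]
SAMPLE_HOSTS = [
    fake_host("10.20.30.51", "connected", [cap(SSBD_KEY, "0")]),
    fake_host("10.20.30.52", "connected", [cap(SSBD_KEY, "1")]),
    fake_host("10.20.30.53", "disconnected", None),  # constructed third host
]

if __name__ == "__main__":
    report, code = audit_cluster(SAMPLE_EVC, SAMPLE_HOSTS)
    print(report)
    raise SystemExit(code)
```

Against a live vCenter, pass si.capability.supportedEVCMode and cluster.host from the script in place of the sample objects.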

Further learning resources
  1. Per-VM EVC tutorial
  2. Part 1: Managing Cluster level EVC using pyVmomi
  3. Part 2: Managing Cluster level EVC using pyVmomi
  4. Tutorial on getting started with pyVmomi on Linux
  5. Tutorial on getting started with pyVmomi on Windows

I hope you will find this post useful. Please stay tuned for my next blog post on per-VM EVC with respect to these mitigation patches.
