VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207

Article ID: 309708

Products

VMware vSphere ESXi

Issue/Introduction

VMware described its overall response to a specific set of recently discovered CPU security vulnerabilities in VMSA-2019-0020. The associated mitigations may affect the performance of some applications. This knowledge base article serves as the centralized document for discussing the performance impact of the security issues described by CVE-2018-12207 in modern processors as they apply to VMware.

Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.x

Resolution

VMware has conducted performance testing to determine the performance cost of applying hypervisor-specific mitigations on vSphere to address the issues described in CVE-2018-12207. We tested a variety of workloads on Windows and Linux guest operating systems on recent Intel Xeon server processors. Our conclusions are as follows:

Enterprise-class workloads: Our testing consistently showed a performance impact of 5% or less for enterprise-class workloads, which include, but are not limited to, databases, mixed-workload server consolidation scenarios, and virtual desktop infrastructure (VDI). As a general best practice, we recommend that you test the mitigation with your applications before deploying it in production environments.

Nested virtualization and Microsoft Virtualization-Based Security (VBS): Our testing showed a significant performance impact when the mitigation is applied to nested virtualized environments on ESXi. Because Windows VBS uses virtualization, enabling it on ESXi results in nested virtualization. We strongly recommend that you test carefully in an isolated environment before deciding to deploy this ESXi mitigation more broadly to nested or VBS-enabled environments. Refer to KB2009916 for support information related to nested ESXi environments.