Article ID: 315263
Issue/Introduction
VMware described its overall response to a specific set of recently discovered CPU security vulnerabilities in KB54951: VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640. This knowledge base article will be used as the centralized document to discuss the performance impacts of these vulnerabilities.
For more information about the L1TF error, see L1TF (L1 Terminal Fault) Error.
Resolution
VMware has conducted performance testing to determine the costs of mitigations for these two vulnerabilities on vSphere. We have tested a variety of workloads on Windows and Linux guest operating systems on recent Intel Xeon server processors. To aid in understanding the performance impact to virtualization environments, we classify the mitigations into two performance categories. Our conclusions for each are as follows:
Virtualization Layer Mitigations: The upcoming ESXi patches and the relevant Intel CPU microcode but without Guest Operating System mitigation patches. The mitigations for these two vulnerabilities have minimal additional performance impact for most workloads on recent Intel Xeon server processors.
Full Stack Mitigations: All levels of mitigation. This includes all virtualization layer mitigations above, with the addition of Guest Operating System mitigation patches when they become available. The impact of these mitigations will vary depending on your application. For information regarding the performance impact of Operating System mitigations on your application, consult your operating system and/or application vendor. Consistent with our findings above, the virtualization layer mitigations for these two vulnerabilities that are part of these full stack mitigations will have minimal additional impact on performance above the impact of the patched Guest Operating System. As a general best practice, we recommend you test the appropriate patches with your applications prior to deploying in production environments.
Update History
05/21/18: Initial publication.