VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown)



Article ID: 317617


Products

VMware vCenter Server

Issue/Introduction

VMware described its overall response to a specific set of recently discovered CPU security vulnerabilities in KB 52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown). Since then, customers have inquired if there may be a performance cost associated with either the VMware mitigations, or mitigations of the guest operating systems as released from the OS providers. This knowledge base article will be used as the centralized document to discuss such performance impacts.

Resolution

VMware has conducted performance testing to determine the costs of the Meltdown/Spectre mitigations for VMware products. We have tested a wide variety of workloads (with and without vSAN) on guest operating systems both with mitigation (“patched”) and without mitigation (“unpatched”) to provide a comprehensive view of relevant performance characteristics. All testing to date has been conducted on a representative range of recent Intel Xeon server processors. Note that the latest ESXi patches include relevant Intel and AMD CPU microcode for Spectre V2 mitigations. For understanding the performance impact to virtualization environments, we classify the mitigations into two performance categories. Our conclusions for each are as follows:

Virtualization Layer Mitigations: The latest ESXi patches** and the relevant Intel CPU microcode, without Guest Operating System mitigation patches. These mitigations have a minimal performance impact (< 2%) for most workloads on a representative range of recent Intel Xeon server processors.

Full Stack Mitigations: All levels of mitigation. This includes all virtualization layer mitigations above with the addition of Guest Operating System mitigation patches. As reported in the press, the impact of these mitigations will vary depending on your application. Applications with very heavy system call usage, including those with very high IO rates, will show a more significant impact than their counterparts with lower system call usage. For information regarding the performance impact of Operating System Mitigations on your application, please consult your operating system and/or application vendor. Consistent with our findings above, the virtualization layer mitigations that are part of these full stack mitigations have minimal influence on the overall impact. As a general best practice, we recommend you test the appropriate patches with your applications prior to deploying in production environments.
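The paragraph above ties the size of the Full Stack impact to how often an application enters the kernel, and recommends measuring before deploying. The following is an added example, not VMware's code or a tool from this KB: a small guest-side C program for a Linux guest that (1) prints the guest kernel's own view of the Meltdown/Spectre mitigation state from the sysfs entries that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/, and (2) times a system-call-heavy loop so the same binary can be run on the same VM before and after the guest OS patches are applied. The function names read_vuln_status and syscalls_per_second, the iteration count, and the getppid() choice are this example's assumptions; the sysfs entries are absent on older kernels and on non-Linux guests, which the code reports rather than failing.

```c
/* Added example (not VMware's code): guest-side mitigation status and a
 * syscall-rate microbenchmark for comparing a guest before/after OS patches.
 * Assumes a Linux guest; the sysfs entries exist on kernel 4.15+. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities/"

/* Reads the one-line mitigation status for an entry such as "meltdown",
 * "spectre_v1" or "spectre_v2" into buf (trailing newline stripped).
 * Returns 0 on success, -1 if the entry is absent (older kernel, non-Linux
 * guest, or restricted sysfs) or cannot be read. */
int read_vuln_status(const char *name, char *buf, size_t len)
{
    char path[256];
    if (snprintf(path, sizeof path, VULN_DIR "%s", name) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

static double now_sec(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Times `iterations` calls of getppid(). getppid() is used because glibc
 * does not serve it from the vDSO, so every call is a real user/kernel
 * transition, which is exactly the path guest-side mitigations such as
 * page-table isolation make more expensive. Returns calls per second,
 * or a negative value if no measurement could be taken. */
double syscalls_per_second(unsigned long iterations)
{
    if (iterations == 0)
        return -1.0;
    volatile pid_t sink = 0;          /* keeps the loop from being optimised away */
    double t0 = now_sec();
    for (unsigned long i = 0; i < iterations; i++)
        sink = getppid();
    double elapsed = now_sec() - t0;
    (void)sink;
    return elapsed > 0.0 ? (double)iterations / elapsed : -1.0;
}

int main(void)
{
    const char *entries[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char status[256];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (read_vuln_status(entries[i], status, sizeof status) == 0)
            printf("%-10s %s\n", entries[i], status);
        else
            printf("%-10s (not reported by this kernel)\n", entries[i]);
    }
    /* Iteration count is an assumption; raise it on fast hosts for stable numbers. */
    printf("getppid() rate: %.0f calls/s\n", syscalls_per_second(2000000UL));
    return 0;
}
```

The absolute rate is not comparable across hosts or CPU generations; what matters is the ratio between runs on the same VM with the virtualization-layer mitigations held constant, once with and once without the guest OS patches. A large drop in the getppid() rate tells you the guest's kernel entry/exit path got more expensive, which is the mechanism behind the heavier impact on syscall- and IO-intensive applications described above; it does not replace running your own application's workload, which the article recommends as the deciding test.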


Footnote:
** = This includes Hypervisor-Specific vSphere mitigations, Intel CPU microcode updates for Spectre V2, and also the implementation of Hypervisor-Assisted Guest Mitigation even though no Guest Operating System has been patched to use them.