Heartbleed Vulnerability and VMware

If you haven’t heard of the Heartbleed vulnerability in OpenSSL, please read the following link:
http://heartbleed.com/

It allows data, including keys, passwords, and more, to be stolen undetected.

The VMware Communities already have a few threads on it, but here is VMware’s official KB posting on it:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225

Here is the info as of 4/9/2014, 1 PM:

Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: “Heartbleed” (2076225)

Resolution

The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed “Heartbleed” (CVE-2014-0160, CVE-2014-0346). This article reflects the status of the ongoing investigation.

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected:

  • ESXi 5.5
  • VMware Fusion 6.0.x
  • VMware vCloud Automation Center (vCAC) 5.1.x
  • VMware vCloud Automation Center (vCAC) 5.2.x
  • VMware Horizon Mirage 4.4.0

Note: Confirmation is pending for VMware vCenter Server 5.5.

These VMware products that ship with OpenSSL 0.9.8 have been confirmed to be unaffected:

  • ESXi/ESX 4.x
  • ESXi 5.0
  • ESXi 5.1
  • VMware Fusion 5.x
  • VMware vCenter Server 4.x
  • VMware vCenter Server 5.0
  • VMware vCenter Server 5.1
  • VMware vCenter Server Appliance (vCSA) 5.x
  • VMware vCloud Automation Center (vCAC) 6.x
  • VMware Horizon Mirage 4.3.x and earlier
  • VMware Update Manager (VUM)
  • VMware vCenter Orchestrator (vCO)
  • VMware vCloud Director (vCD)
  • VMware vCenter Operations Manager (vCOps)
  • VMware vCenter Site Recovery Manager (SRM)
  • VMware vCenter Configuration Manager (vCM)
  • VMware vSphere Storage Appliance (VSA)
  • VMware Workstation
  • VMware Player

Resolution/mitigation:

The issue can be mitigated by deploying VMware products on an isolated management network.

VMware is working on updating its products to remediate the issue.
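
The KB sorts products by the OpenSSL branch they ship (1.0.1 affected, 0.9.8 unaffected). The following is an added example, not part of the original post or VMware's KB: a shell function that applies the same first-pass triage to `openssl version` banners. The function names and sample inventory are constructed, and the exact ranges (1.0.1 through 1.0.1f affected, fixed in 1.0.1g) come from the OpenSSL advisory rather than from this page.

```shell
#!/bin/sh
# Added example: first-pass Heartbleed (CVE-2014-0160) triage from the banner
# printed by `openssl version`. Names and sample data here are constructed.

# heartbleed_status "<banner>" prints: affected | unaffected | unknown
heartbleed_status() {
    # Banner shape: "OpenSSL 1.0.1e 11 Feb 2013" (name, version, build date).
    name=${1%% *}
    rest=${1#* }
    v=${rest%% *}
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }
    v=${v%-fips}    # "1.0.1e-fips" -> "1.0.1e"
    case "$v" in
        1.0.1|1.0.1[abcdef])         echo affected ;;    # 1.0.1 through 1.0.1f
        1.0.2-beta|1.0.2-beta1)      echo affected ;;    # fixed in 1.0.2-beta2
        1.0.1[ghijklmnopqrstuvwxyz]) echo unaffected ;;  # 1.0.1g and later
        0.9.8*|1.0.0*)               echo unaffected ;;  # no heartbeat support
        *)                           echo unknown ;;     # needs manual review
    esac
}

# triage_inventory reads "host|banner" lines on stdin, prints "host status".
triage_inventory() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(heartbleed_status "$banner")"
    done
}

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY='host-a|OpenSSL 1.0.1e 11 Feb 2013
host-b|OpenSSL 0.9.8y 5 Feb 2013
host-c|OpenSSL 1.0.1g 7 Apr 2014
host-d|openssl: command not found'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

A version banner is only a first pass: vendors sometimes backport the fix without changing the version letter, so confirm any "affected" result against the vendor's advisory for that build.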
