VMware Cloud Community
fletch00
Enthusiast

Patch for ESXi SSL Heartbleed vulnerability?

Discovered today that our ESXi 5.5 build 1331820 SSL is vulnerable to the OpenSSL bug reported today: http://heartbleed.com

Can we expect a patch from VMware for this soon?

thanks,

http://vmadmin.info

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
31 Replies
encrypturlyf
Enthusiast

Good find, mate.

I found this as well for additional reading: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-t...

What I am unsure is why are these folks publicly disclosing such a big vulnerability?

virtualdive
VMware Employee

I am sure the VMware developers are aware of it. But below is the link where it can be reported,

Security Response Policy: VMware | United States

Thanks,

Regards,

'V'
thevshish.blogspot.in
vExpert-2014-2021
suj27
Enthusiast

The vSphere 5.5 SSO could be affected as well; it uses OpenSSL 1.0.1e, and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website. Hope VMware is aware and a fix is on the way.

Sujeev Kumar
BBQfire
Contributor

Would be nice to see something official by VMware. So many OS-distributions already released a patch, so it shouldn't be that hard for VMware.

Wh33ly
Hot Shot

Some more information about affected components found so far:

https://communities.vmware.com/message/2366769#2366769

MKguy
Virtuoso

The vSphere 5.5 SSO could be affected as well; it uses OpenSSL 1.0.1e, and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website.

I tested a few of the available heartbleed scripts against Windows-based vCenter 5.5 and 5.1 on all ports the system is listening on (including Web Client 9443, Inventory 10443, SSO 7444 etc) but they were never reported being vulnerable. I suppose this is because the actual SSL traffic is handled in the Java application's own SSL stack instead of depending on openssl, which might only be used for certain operations such as certificate generation.

Many vendors already published information about their affected products, I hope VMware will release an official advisory soon too.

-- http://alpacapowered.wordpress.com
dariusd
VMware Employee

For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".

fletch00
Enthusiast

I've collected external web and internal cmd line tool links to check if your SSL is vulnerable.

http://www.vmadmin.info/2014/04/esxi-55-vulnerable-to-openssl.html

Been hitting refresh on the KB link...

Still no ETA on the ESXi patch?

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
suj27
Enthusiast

Thanks MKguy, I was thinking on a similar note, most likely SSO uses the keytool and this may not be affected. Will wait for official confirmation from VMware.

Sujeev Kumar
stanj
Enthusiast

Our ESXi 5.5 servers are flagged via Nessus. How do you run the cmd line tool? Thanks.

Marwan_Mahdi
Contributor

Is this affecting the vCenter 5.5 appliance also? This appliance is Linux-based, with no Windows at all.

gbanchelli
Contributor

The VC Appliance is not listed among the affected products. It's built on SLES 11 SP2, which uses an earlier version of the openssl library unaffected by the bug, as stated in the official Suse advisory http://support.novell.com/security/cve/CVE-2014-0160.html

sutcliff
Contributor

Is there anyway to downgrade openssl to the older version?

Do we know if the future OpenSSL patch is going to require a reboot?

Thanks,

Brian

MKguy
Virtuoso

The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.

The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.

-- http://alpacapowered.wordpress.com
JayArr
Contributor

MKguy wrote:

The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.

The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.

This will be the first step. After you've patched your hosts, recreate the SSL certificates, then update the password(s) on the host.

It's not pretty, but until you've done all three there's no guarantee the host is secure from this vulnerability.

fletch00
Enthusiast

Looks like there is now a patch according to the KB

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=207622...

Testing it now

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
fletch00
Enthusiast

Ah, I jumped the gun; it's still baking. ETA April 19 according to reports (happy Easter weekend).

Not sure why the ESXi patch will require a reboot; for Apache it's just a restart.

Is this related to how VMware patches are packaged (SSL is bundled with the kernel?)

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
fletch00
Enthusiast

Can we get to patching ESXi yet?

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
vNEX
Expert

Here is the patch:

VMware KB: VMware ESXi 5.5, Patch ESXi-5.5.0-20140404001-no-tools

Summaries and Symptoms

This patch resolves the following issues:

  • PR1227131: The OpenSSL version is updated to 1.0.1g to address the Heartbleed vulnerability.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-0160 to this issue. For further details on remediation steps for ESXi 5.5, see KB 2076665.

    Note: To completely resolve this issue, you also need to replace certificates and change passwords. For more information, see Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160 (2076665).
If you found this or any other answer helpful, please consider awarding points (use the Correct or Helpful buttons). Regards, P.