2 Replies Latest reply on Sep 8, 2014 10:00 PM by sinharme

    openssl vulnerabilities

    sinharme Novice



      Vami-lighttpd uses openssl libs version 0.9.8, which has heartbleed vulnerabilities. These files (/opt/vmware/lib/libssl.so.0.9.8, /opt/vmware/lib/libssl.so.0.9.8r) belong to the vmware-studio-vami-tools rpm. We need an updated rpm package with these vulnerabilities fixed. The following vulnerabilities were reported:

           CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0076

        • 1. Re: openssl vulnerabilities
          MKguy Virtuoso

          The 0.9.8x branch of openssl is not vulnerable to the heartbleed exploit, since the vulnerable TLS heartbeat function was only introduced in openssl 1.0.1.


          Quoted from http://heartbleed.com/:

          What versions of the OpenSSL are affected?


          Status of different versions:


              OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

              OpenSSL 1.0.1g is NOT vulnerable

              OpenSSL 1.0.0 branch is NOT vulnerable

              OpenSSL 0.9.8 branch is NOT vulnerable


          Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.


          You're referring to other openssl vulnerabilities here with these CVEs, like the TLS change cipher spec bug.
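A small triage helper for the point made in this reply, added here as an example and not code from the thread or from VMware: it pulls the OpenSSL version banner out of a `strings` dump of a libssl file (such as the /opt/vmware/lib/libssl.so.0.9.8r named in the question), parses the letter-suffixed version, and classifies it against the heartbleed ranges quoted above from heartbleed.com. The other CVEs in the scanner list are separate bugs with their own fix versions, so this helper deliberately reports only heartbleed status; the sample dump and its date are constructed.

```python
import re
from typing import Optional, Tuple

# OpenSSL version banner as embedded in libssl / printed by `openssl version`.
_BANNER = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, Tuple[int, str]]

def parse_version(text: str) -> Optional[Version]:
    """Extract the first OpenSSL version found in a banner or `strings` dump.

    Letter suffixes sort a < b < ... < z < za < zb, so the suffix is
    compared as (length, letters) rather than as a plain string."""
    m = _BANNER.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), (len(letters), letters))

# Heartbleed (CVE-2014-0160) boundaries as quoted from heartbleed.com above:
# introduced with 1.0.1, fixed in 1.0.1g; no other branch carries the heartbeat code.
HB_FIRST = parse_version("OpenSSL 1.0.1")
HB_FIXED = parse_version("OpenSSL 1.0.1g")

def heartbleed_status(version: Version) -> str:
    branch = version[:3]
    if branch != HB_FIRST[:3]:
        return "not affected (branch never had TLS heartbeat code)"
    if version < HB_FIXED:
        return "VULNERABLE"
    return "fixed"

def triage(strings_dump: str) -> Tuple[Optional[str], str]:
    """Return (version text, heartbleed status) for a library's strings dump."""
    v = parse_version(strings_dump)
    if v is None:
        return None, "unknown (no OpenSSL banner found)"
    maj, mi, pa, (_, letters) = v
    return f"{maj}.{mi}.{pa}{letters}", heartbleed_status(v)

# Constructed sample of what `strings libssl.so.0.9.8r | grep OpenSSL` might print
# for the library named in the question (the date is illustrative, not from the page).
SAMPLE_098R = "OpenSSL 0.9.8r 8 Feb 2011\nSSLv3 part of OpenSSL 0.9.8r 8 Feb 2011"

if __name__ == "__main__":
    for dump in (SAMPLE_098R, "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(triage(dump))
```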

          • 2. Re: openssl vulnerabilities
            sinharme Novice

            Hi,


            We did the QualysGuard vulnerability check for the VA created using latest vmware studio version 2.6. PFA the report snapshot:

            [attached image: ssl.png]