I see a lot of news about the OpenSSL vulnerability a.k.a. Heartbleed.
For some information:
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
security - Heartbleed: What is it and what are options to mitigate it? - Server Fault
https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
I did some searching but can't seem to find any relation with VMware/ESXi
My question is: does this also impact the vSphere environment in some way?
I hope VMware will soon release a Security Advisory clearing things up and providing updates for this horrible issue (which isn't their fault though).
The heartbleed openssl bug seems to affect ESXi as well. Recent Linux-based virtual appliances like the VCSA, vMA etc might be vulnerable too:
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Let's have a look at an ESXi 5.5 GA (no U1) host:
# vmware -vl
VMware ESXi 5.5.0 build-1331820
VMware ESXi 5.5.0 GA
# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 26 16:34:26 PST 2013
Now here's an up-to-date ESXi 5.1 U2 host:
# vmware -vl
VMware ESXi 5.1.0 build-1612806
VMware ESXi 5.1.0 Update 2
~ # openssl version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: Wed Mar 20 20:44:08 PDT 2013
As you can see, ESXi 5.5 runs the vulnerable openssl 1.0.1 branch. ESXi 5.1 U2 on the other hand is using the openssl 0.9.8 branch. Hence versions prior to ESXi 5.5 should be unaffected.
I have an older vMA 5.1 virtual appliance which is unaffected as well:
# cat /etc/vma-release
vMA 5.1.0 BUILD-1062361
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2
# openssl version -a
OpenSSL 1.0.0c 2 Dec 2010
At least the Windows-based vCenter Inventory Service seems to depend on the openssl library as well.
A 5.1 U2 vCenter seems safe though:
"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: Tue Feb 12 23:38:08 2013
There are two openssl binaries on a test vCenter 5.5 GA of mine, with one of them having a vulnerable version:
"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 12 19:37:08 2013
"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: Tue Feb 12 23:38:08 2013
This is easy to test for. You must test from a host running OpenSSL 1.0.1 though, or it will not work:
openssl s_client -connect ESXHOST:443 -tlsextdebug
If you see:
TLS server extension "heartbeat" (id=15), len=1
in the output, then it's running OpenSSL 1.0.1, and given that the fix only came out yesterday, it is therefore vulnerable. I just tested a 5.5 build 1331820 host and it did respond with the heartbeat extension, so 5.5 is vulnerable.
There are already a few sites up that test for the heartbeat extension and also try to actively exploit it if it's enabled:
https://www.ssllabs.com/ssltest/
I can confirm that they successfully detect a vulnerable Linux host.
If anyone happens to have or temporarily arrange for internet-facing hosts/vCenters/other vSphere products, they should give it a try.
Edit:
https://github.com/justfalter/heartbleed/blob/master/jared_stafford/heartbleed.py
Tested the above script against a 5.5 host and it reports vulnerable as expected, while <5.5 does not.
So to wrap it up, here are the versions we checked (the vulnerable ones are marked in red):
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Product | Build | OpenSSL Version | Status
--- | --- | --- | ---
ESXi 5.1 U2 | VMware ESXi 5.1.0 build-1612806 | OpenSSL 0.9.8y 5 Feb 2013 | not vulnerable
ESXi 5.5 GA (no U1) | VMware ESXi 5.5.0 build-1331820 | OpenSSL 1.0.1e 11 Feb 2013 | vulnerable
vCenter 5.1 U1 | VMware vCenter Server 5.1.0 Build 1235232 | OpenSSL 0.9.8t 18 Jan 2012 | not vulnerable
vCenter 5.1 U2 | <unknown> | OpenSSL 0.9.8y 5 Feb 2013 | not vulnerable
vCenter 5.5 GA | <unknown> | OpenSSL 1.0.1e 11 Feb 2013 (CIS openssl.exe); OpenSSL 0.9.8y 5 Feb 2013 (Inventory Service openssl.exe) | vulnerable (CIS openssl.exe)
vMA 5.0 virtual appliance | vMA 5.0.0 BUILD-724898 | OpenSSL 0.9.8j-fips 07 Jan 2009 | not vulnerable
vMA 5.1 virtual appliance | vMA 5.1.0 BUILD-1062361 | OpenSSL 1.0.0c 2 Dec 2010 | not vulnerable
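An added example, not code from the thread or from VMware: a small Python audit helper that classifies `openssl version` strings against the affected-version rules quoted in this thread, and parses `openssl s_client -tlsextdebug` output for the heartbeat extension. The inventory and the s_client excerpt are constructed sample input built from the version strings and output lines quoted above; the function names are my own.

```python
import re

# Rules as listed in the thread: 1.0.1 through 1.0.1f vulnerable,
# 1.0.1g fixed, the 1.0.0 and 0.9.8 branches never had the bug.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify_version(line):
    """Classify the first line of 'openssl version -a' output, e.g.
    'OpenSSL 1.0.1e 11 Feb 2013' -> 'vulnerable'."""
    m = VERSION_RE.search(line)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if branch != (1, 0, 1):
        return "unaffected"          # 0.9.8x, 1.0.0x (suffixes like -fips ignored)
    if letter <= "f":
        return "vulnerable"          # 1.0.1 (no letter) .. 1.0.1f
    return "fixed"                   # 1.0.1g and later

HEARTBEAT_RE = re.compile(r'TLS server extension "heartbeat" \(id=15\)')

def advertises_heartbeat(s_client_output):
    """True when '-tlsextdebug' output shows the server offering the
    heartbeat extension, i.e. a 1.0.1-branch build with heartbeats on.
    Caveat from the thread: a patched build may still advertise it,
    so this is a screening signal, not proof the host is exploitable."""
    return HEARTBEAT_RE.search(s_client_output) is not None

# Constructed inventory using version strings quoted in the thread.
INVENTORY = {
    "ESXi 5.1 U2": "OpenSSL 0.9.8y 5 Feb 2013",
    "ESXi 5.5 GA": "OpenSSL 1.0.1e 11 Feb 2013",
    "vMA 5.0":     "OpenSSL 0.9.8j-fips 07 Jan 2009",
    "vMA 5.1":     "OpenSSL 1.0.0c 2 Dec 2010",
}

# Constructed excerpt of s_client -tlsextdebug output for a 5.5 host.
SAMPLE_S_CLIENT = ('TLS server extension "server name" (id=0), len=0\n'
                   'TLS server extension "heartbeat" (id=15), len=1\n')

def audit(inventory):
    """Map each product name to its classification."""
    return {name: classify_version(v) for name, v in inventory.items()}

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:12} {status}")
    print("heartbeat advertised:", advertises_heartbeat(SAMPLE_S_CLIENT))
```

Feed it the real `openssl version -a` first line from each host (the thread collects these over SSH) and treat a "vulnerable" result on an unpatched build as the trigger to apply the vendor patch, then re-check against the KB rather than the openssl.exe string alone.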
I also noticed a similar post Patch for ESXi SSL Heartbleed vulnerability?
I'm running the vCenter 5.5.0.10000 build 1624811 appliance and it shows it's running OpenSSL version 0.9.8j.
We ran a scan on our entire network and found all of our vmware hosts (5.5.0 1623387) are affected but vcenter appliance is not affected.
I've opened a ticket with vmware to find out when they plan to release a patch, so far haven't gotten very far. They haven't even acknowledged that esxi is affected.
For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".
This sucks, I am not looking forward to having to patch our vCenter 5.5 installation. Hopefully VMware gets it right the first time as they have less than a stellar record with vCenter upgrades/patches. Definitely not going to be the first to guinea pig the solution. Like everyone else.....we are standing by...
I patched my Dev environment from 5.5 U1 to 5.5 U1a and all of my hosts still show the "TLS server extension "heartbeat" (id=15), len=1" value, which would suggest it is still vulnerable (yes, the hosts were rebooted). Also the OpenSSL on vCenter is still showing 1.0.1e:
"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 12 19:37:08 2013
platform: VC-WIN64A
vCenter is showing build 1750787 and ESXi hosts are showing build 1746018
So I am not sure what the deal is here. Did they even fix anything?
Is anyone else seeing this after the patch?
I just wanted to let you know that we opened up a case with VMware regarding the update for vCenter 175078 still showing the OpenSSL to be at 1.0.1e, and they have confirmed that this is expected, but as long as you have the update installed you are protected. Below is the exact response we received:
"I have been doing my research and also clarified about this with my senior engineers.
Ultimately got to know that upgrading vCenter to 5.5.0 c fixes the Heart Bleed attack issue without upgrading the Open SSL version to 1.0.1g.
So, as per the update which I received, we are safe now and the version 1.0.1e which is showing is expected with the update but unfortunately it is not clearly documented yet in any articles of VMware."
sgarry
Yeah I tweeted @VMwareKB and they updated the KB VMware KB: Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5 .
They added this note.
Note: These releases upgrade the OpenSSL libraries. The openssl.exe file remains unchanged and will display the same version number as it did previously.
Cheers
New valuable content for this issue was published:
Posted on April 25, 2014 by Rick Blythe
Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs