Discovered today our ESXi 5.5 build 1331820 SSL is vulnerable to the OpenSSL bug reported today http://heartbleed.com
Can we expect a patch from VMware for this soon?
thanks,
Good find, mate.
I found this as well for additional reading. http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-t...
What I am unsure about is why these folks are publicly disclosing such a big vulnerability?
I am sure the VMware developers are aware of it. But below is the link where it can be reported,
Security Response Policy: VMware | United States
Thanks,
The vSphere 5.5 SSO could be affected as well, it uses OpenSSL 1.0.1e and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website. Hope VMware is aware and a fix is on the way.
Would be nice to see something official by VMware. So many OS-distributions already released a patch, so it shouldn't be that hard for VMware.
Some more information about affected components found so far
The vSphere 5.5 SSO could be affected as well, it uses OpenSSL 1.0.1e and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website.
I tested a few of the available heartbleed scripts against Windows-based vCenter 5.5 and 5.1 on all ports the system is listening on (including Web Client 9443, Inventory 10443, SSO 7444 etc) but they were never reported being vulnerable. I suppose this is because the actual SSL traffic is handled in the Java application's own SSL stack instead of depending on openssl, which might only be used for certain operations such as certificate generation.
Many vendors already published information about their affected products, I hope VMware will release an official advisory soon too.
For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".
I've collected external web and internal cmd line tool links to check if your SSL is vulnerable.
http://www.vmadmin.info/2014/04/esxi-55-vulnerable-to-openssl.html
Been hitting refresh on the KB link...
Still no ETA on the ESXi patch?
Thanks MKguy, I was thinking on a similar note, most likely SSO uses the keytool and this may not be affected. Will wait for official confirmation from VMware.
Our ESXi 5.5 Servers are flagged via NESSUS. How do you run the cmd line tool? thanks
Is this affecting the vCenter 5.5 appliance also? This appliance is Linux-based, with no Windows at all.
The VC Appliance is not listed among the affected products. It's built on SLES 11 SP2, which uses an earlier version of the openssl library unaffected by the bug, as stated in the official SUSE advisory http://support.novell.com/security/cve/CVE-2014-0160.html
Is there any way to downgrade openssl to the older version?
Do we know if the future openssl patch is going to require a reboot?
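The two posts above turn on the same question: which OpenSSL release lines carry CVE-2014-0160. The affected range is 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release; 1.0.1g and 1.0.2-beta2 are fixed, and 0.9.8 and 1.0.0 never contained the heartbeat code at all, which is why an older SLES library is out of scope. The following is an added example, not code from this thread or from VMware, that classifies `openssl version` style strings and runs the check over a constructed inventory (the host names and version strings are made up for illustration). The one caveat a practitioner should keep in mind is that distribution packages often backport the fix without bumping the upstream version string, so a version-only check produces false positives on such hosts; the `known_patched` argument is the hook for recording builds you have verified by other means.

```python
import re

# Version token as printed by `openssl version`, e.g. "1.0.1e", "1.0.2-beta1",
# possibly embedded in "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_TOKEN = re.compile(r"\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?")
VERSION_PARTS = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_version(text):
    """Return (major, minor, fix, letter, beta) from an OpenSSL version string.
    letter is '' for a bare release such as 1.0.1; beta is None unless -betaN."""
    m = VERSION_TOKEN.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter, beta = VERSION_PARTS.match(m.group(0)).groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable(text, known_patched=()):
    """True if the upstream version string falls in the CVE-2014-0160 range.
    known_patched lists full version strings you have verified as backport-fixed."""
    if text in known_patched:
        return False
    major, minor, fix, letter, beta = parse_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # only the beta1 pre-release shipped the bug; beta2 was fixed
        return beta == 1
    # 0.9.8 and 1.0.0 lines never had the heartbeat extension code
    return False


def audit(inventory, known_patched=()):
    """Map host -> version string to the sorted list of hosts needing attention."""
    return sorted(h for h, v in inventory.items()
                  if is_heartbleed_vulnerable(v, known_patched))


# Constructed inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = {
    "esxi-01":  "OpenSSL 1.0.1e 11 Feb 2013",
    "sso-win":  "OpenSSL 1.0.1e 11 Feb 2013",
    "vcsa-01":  "OpenSSL 0.9.8j-fips 07 Jan 2009",
    "jump-box": "OpenSSL 1.0.1g 7 Apr 2014",
    "build-02": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    print("needs patching:", audit(SAMPLE_INVENTORY))
```

The returned list for the sample inventory is `['build-02', 'esxi-01', 'sso-win']`; feeding the same strings in with `known_patched=("OpenSSL 1.0.1e 11 Feb 2013",)` would drop the two 1.0.1e hosts, which is exactly the judgement call you have to make by hand for backported packages.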
Thanks,
Brian
The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.
The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.
MKguy wrote:
The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.
The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.
This will be the first step. After you've patched your hosts, recreate the SSL certificates, then update the password(s) on the host.
It's not pretty but until you've done all three - there's no guarantee the host is secure from this vulnerability.
Looks like there is now a patch according to the KB
Testing it now
Ah - I jumped the gun - it's still baking - ETA April 19 according to reports (happy Easter weekend)
Not sure why the ESXi patch will require a reboot - for Apache it's just a restart.
Is this related to how VMware patches are packaged (SSL is bundled with the kernel?)
Can we get patching ESXi yet?
Here is the patch:
VMware KB: VMware ESXi 5.5, Patch ESXi-5.5.0-20140404001-no-tools
This patch resolves the following issues: