VMware Cloud Community
fletch00
Enthusiast

Patch for ESXi SSL Heartbleed vulnerability?

Discovered today that our ESXi 5.5 build 1331820 SSL is vulnerable to the OpenSSL bug reported today: http://heartbleed.com

Can we expect a patch from VMware for this soon?

thanks,

http://vmadmin.info

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
31 Replies
fletch00
Enthusiast

VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

Applied - no reboot required.

Confirmed the vulnerability is removed by this patch - folks should also cycle keys and update passwords.

thanks and Happy Easter

Wabun
Enthusiast

Reboot IS required to make sure you use the new OpenSSL version; after the reboot, create a new SSL cert and change passwords!
fletch00
Enthusiast

Reboot is the cleanest if you can afford it.

But using the Python script command line tool I observed the vulnerability was removed post patch.

After updating keys:

cd /etc/vmware/ssl
/sbin/generate-certificates
chmod +t rui.crt
chmod +t rui.key
passwd root

shouldn't a service restart be sufficient, to avoid the prolonged reboot procedure?

/etc/init.d/hostd restart
/etc/init.d/vpxa restart


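Whichever way the host is bounced, the thing worth checking afterwards is that the HTTPS API is actually serving the regenerated rui.crt rather than the pre-patch one. The following is an added example for this thread, not code from VMware or from any poster: a small Python script that records the SHA-256 fingerprint of the certificate the host presents, so it can be run once before regenerating keys and once after the hostd restart, and the two values compared. The host name is a placeholder; port 443 and the TLS-version setting are assumptions, and pem_from_der exists only to build offline test input.

```python
"""Confirm that an ESXi host's HTTPS endpoint serves a newly generated
certificate after key rotation.

Added example for this thread; not VMware's code. Host name is a
placeholder, port 443 and the TLS settings are assumptions."""
import hashlib
import socket
import ssl
import sys


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_pem(pem_cert: str) -> str:
    """Fingerprint of a PEM-encoded certificate, e.g. a saved copy of rui.crt."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_cert))


def pem_from_der(der: bytes) -> str:
    """Wrap raw bytes in PEM armour (used here only to construct offline test input)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint_of_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the host presents and fingerprint it.

    Certificate verification is disabled on purpose: ESXi's default rui.crt
    is self-signed, and the question here is only *which* certificate is
    being served, not whether it chains to a trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Assumption: a 5.5-era hostd may negotiate only TLS 1.0, which current
        # OpenSSL builds refuse by default; allow it for this check alone.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (AttributeError, ValueError):
        pass
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_from_der(tls.getpeercert(binary_form=True))


def rotation_confirmed(before: str, after: str) -> bool:
    """True only if two well-formed fingerprints differ, i.e. the served certificate changed."""
    return len(before) == 64 and len(after) == 64 and before != after


if __name__ == "__main__":
    # Usage: python verify_rotation.py <host> [<fingerprint recorded before rotation>]
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi-host.example.invalid"  # placeholder
    current = fingerprint_of_host(target)
    print("served certificate sha256:", current)
    if len(sys.argv) > 2:
        verdict = "rotation confirmed" if rotation_confirmed(sys.argv[2], current) else "SAME certificate still served"
        print(verdict)
```

If the fingerprint is unchanged after the hostd restart, the new key pair is not what clients are talking to, and the reboot the other posters recommend is the safe fallback.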
Saju_C
Enthusiast

>> VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160
>> Applied - no reboot required

The reboot is required. Both KB 2076586 and KB 2076120 mention that a reboot is required after patching ESX. Could you please point to any documentation or observation which says that no reboot is required?

fletch00
Enthusiast

Obviously just reboot, if you can afford it.

I observed via the Heartbleed Python script that it was cleared (I'm referring to the HTTPS API).

King_Robert
Hot Shot

OpenSSL is open-source software which is widely used for implementing transport layer security like SSL and TLS. OpenSSL provides cryptographic functions and a lot of other functions. Almost two years ago, a new function called heartbeat was injected into OpenSSL version 1.0.1. What does the heartbeat protocol do in OpenSSL? Heartbeat keeps the secure connection alive for a bit. It keeps the session alive so the connection doesn't get taken down. Typically SSL connections will be terminated immediately if there is no activity.

To solve the issue of Heartbeat in OpenSSL on ESX, please refer to the URL given below:

Heartbleed vulnerability on VMware ESXI 5.5 and Vcenter 5.5 | UnixArena

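To make the heartbeat explanation above concrete, here is an added Python model (not code from the thread, from OpenSSL or from the linked UnixArena article) of the one length check that the fixed OpenSSL applies to an incoming heartbeat: the payload length the peer claims must be backed by bytes that are actually present in the record, otherwise the message is dropped instead of being answered. The record layout follows RFC 6520; build_heartbeat and the records it produces are constructed test input only.

```python
"""Model of the TLS heartbeat length check behind CVE-2014-0160.

Added illustration; not code from the thread or from OpenSSL. A heartbeat
message (RFC 6520) is: 1-byte type, 2-byte payload_length, payload, then at
least 16 bytes of padding. The vulnerable code trusted payload_length when
copying the payload into its reply; the fix discards any message whose
claimed length does not fit inside the record that really arrived."""
import struct

HEARTBEAT_REQUEST = 1
HEADER_LEN = 1 + 2          # type byte + 16-bit payload_length
MIN_PADDING = 16            # RFC 6520 minimum padding


def parse_heartbeat(record: bytes):
    """Return (type, payload) for a well-formed heartbeat, or None if the
    claimed payload length is not backed by bytes present in the record.

    Returning None is the secure behaviour: the request is silently dropped,
    so nothing beyond the received bytes can ever be echoed back."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                      # cannot even hold header + padding
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    # The check added in OpenSSL 1.0.1g: header + payload + padding must fit.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(payload: bytes, claimed_length: int = None) -> bytes:
    """Construct a heartbeat request record (test input only).

    claimed_length lets a test write a length field that disagrees with the
    payload actually attached, which is exactly what the check must catch."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack("!H", claimed_length)
            + payload
            + b"\x00" * MIN_PADDING)


if __name__ == "__main__":
    print(parse_heartbeat(build_heartbeat(b"ping")))                       # consistent: accepted
    print(parse_heartbeat(build_heartbeat(b"ping", claimed_length=4000)))  # inconsistent: None
```

The point for a patched-or-not decision is that this check lives inside the OpenSSL code loaded by hostd and vpxa, which is why the other posters insist the services (or the host) must restart before the fix is actually in effect.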
syncity
Contributor

Has anyone experienced this when trying to generate new SSL certs per the knowledge base article?

/sbin/generate-certificates

WARNING: can't open config file: /usr/ssl/openssl.cnf

SleepyUK
Contributor

Yes, same here; I'm looking into it, and your post was the first I found relating to ESXi. Did you find a workaround?

gvessey
Contributor

Hey

Not sure if this helps, but I created an ssl folder under /usr, then used vi to create a blank openssl.cnf file, saved it in /usr/ssl/, and reran generate-certificates; it allowed me to create new certificates. Make sure you restart the host afterwards.

King_Robert
Hot Shot

In the article given below, the complete configuration steps to resolve the ESX Heartbleed vulnerability are described:

VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

vThinkBeyondVM
VMware Employee

http://www.vmware.com/security/advisories/VMSA-2014-0004.html

This may help you.


----------------------------------------------------------------
Thanks & Regards
Vikas, VCP70, MCTS on AD, SCJP6.0, VCF, vSphere with Tanzu specialist.
https://vThinkBeyondVM.com/about
-----------------------------------------------------------------
Disclaimer: Any views or opinions expressed here are strictly my own. I am solely responsible for all content published here. Content published here is not read, reviewed or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware.

vNEX
Expert

New valuable content for this issue was published:

Posted on April 25, 2014 by Rick Blythe:
Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs

Regards, P.