Discovered today our ESXi 5.5 build 1331820 SSL is vulnerable to the OpenSSL bug reported today http://heartbleed.com
Can we expect a patch from VMware for this soon?
thanks,
VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160
Applied - no reboot required
Confirmed the vulnerability is removed by this patch - folks should also cycle keys and update passwords
thanks and Happy Easter
Reboot IS required to make sure you use the new OpenSSL version; after the reboot, create a new SSL cert and change passwords!
Reboot is the cleanest if you can afford it.
But using the Python script command-line tool I observed the vulnerability was removed post-patch.
After updating keys
cd /etc/vmware/ssl
/sbin/generate-certificates
chmod +t rui.crt
chmod +t rui.key
passwd root
Shouldn't a service restart be sufficient?
/etc/init.d/hostd restart
/etc/init.d/vpxa restart
To avoid the prolonged reboot procedure?
> VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160
> Applied - no reboot required
The reboot is required. Both KB 2076586 and KB 2076120 mention that a reboot is required after patching ESX. Could you please point to any documentation or observation which says that no reboot is required?
Obviously just reboot, if you can afford it.
I observed via the Heartbleed Python script that it was cleared (I'm referring to the https API).
OpenSSL is open-source software which is widely used for implementing transport layer security like SSL and TLS. OpenSSL provides cryptographic functions and lots of other functions. Almost two years ago, a new function called heartbeat was added to OpenSSL version 1.0.1. What does the heartbeat protocol do in OpenSSL? Heartbeat keeps the secure connection alive for a bit. It keeps the session alive so the connection doesn't get taken down. Typically SSL connections will be terminated immediately if there is no activity.
To solve the heartbeat issue in OpenSSL on ESX, please refer to the URL given below:
Heartbleed vulnerability on VMware ESXI 5.5 and Vcenter 5.5 | UnixArena
Has anyone experienced this when trying to generate new SSL certs per the knowledge base article?
/sbin/generate-certificates
WARNING: can't open config file: /usr/ssl/openssl.cnf
Yes, same here looking into it & your post was the first I found relating to ESXi - did you find a workaround?
Hey
Not sure if this helps, but I created an ssl folder under /usr and then used vi to create a blank openssl.cnf file, saved it in /usr/ssl/, and reran generate-certificates, and it allowed me to create new certificates. Make sure you restart the host afterwards.
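Combining the certificate-regeneration steps posted earlier in the thread (generate-certificates, the sticky bits on rui.crt/rui.key, the hostd/vpxa restarts) with the empty openssl.cnf workaround above, here is an added example that is not from this thread, from VMware, or from any KB article. It is a small POSIX shell script meant to be run as root on an ESXi 5.5 host after the OpenSSL patch has been applied and the host rebooted. The paths /etc/vmware/ssl, /sbin/generate-certificates and /usr/ssl/openssl.cnf are the ones named in the thread; the SSL_DIR and OPENSSL_CNF variables, the function names and the fingerprint comparison are my own additions. The fingerprint check is the point: it proves the host is actually serving new key material rather than the pre-patch key that must be treated as exposed.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): regenerate the ESXi 5.5 host
# certificate after Heartbleed and verify that the key material really changed.
# Assumes the ESXi paths named in the thread; override via SSL_DIR / OPENSSL_CNF.

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"
OPENSSL_CNF="${OPENSSL_CNF:-/usr/ssl/openssl.cnf}"

# generate-certificates on ESXi 5.5 warns "can't open config file" when
# /usr/ssl/openssl.cnf is missing; an empty file is enough for it to proceed.
ensure_openssl_cnf() {
    cnf="$1"
    if [ ! -f "$cnf" ]; then
        mkdir -p "$(dirname "$cnf")" && : > "$cnf" && echo "created empty $cnf"
    fi
    [ -f "$cnf" ]
}

# SHA-1 fingerprint of an X.509 certificate file (only the hex part).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Returns 0 when both fingerprints are present and differ, i.e. a new key pair
# was generated; returns 1 when they are empty or identical.
cert_rotated() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

rotate_esxi_cert() {
    ensure_openssl_cnf "$OPENSSL_CNF" || return 1
    before=$(cert_fingerprint "$SSL_DIR/rui.crt")
    # Keep a copy of the old (public) certificate for reference; the old private
    # key is deliberately not preserved, since it is assumed to have leaked.
    cp "$SSL_DIR/rui.crt" "$SSL_DIR/rui.crt.$(date +%Y%m%d%H%M%S).bak"
    ( cd "$SSL_DIR" && /sbin/generate-certificates ) || return 1
    after=$(cert_fingerprint "$SSL_DIR/rui.crt")
    if ! cert_rotated "$before" "$after"; then
        echo "ERROR: certificate fingerprint unchanged ($after)" >&2
        return 1
    fi
    # Sticky bits as in the thread, so the files survive the next upgrade.
    chmod +t "$SSL_DIR/rui.crt" "$SSL_DIR/rui.key"
    echo "old fingerprint: $before"
    echo "new fingerprint: $after"
    # Restart the services that hold the old cert in memory.
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
    echo "now change the root password (passwd root) and any vCenter/AD credentials used on this host"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
case "${1:-}" in
    run) rotate_esxi_cert ;;
esac
```

Run it as `sh rotate-cert.sh run` on the host; record the printed new fingerprint and compare it with what vSphere Client shows on the next connection, since a fingerprint that did not change means the patch was applied but the exposed key is still in service.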
The article below gives complete details of the configuration steps to resolve the ESX Heartbleed vulnerability:
VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160
http://www.vmware.com/security/advisories/VMSA-2014-0004.html
This may help you
New valuable content for this issue was published:
Posted on April 25, 2014 by Rick Blythe:
Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs