VMware Cloud Community
Sketchy
Contributor

OpenSSL versions on ESXi

This is probably an easy question for some of you, and for that I apologize. I'm looking into a security issue (CVE-2009-0590) for OpenSSL on ESXi and I can't find hide-nor-hair of anything related to ESXi. I can't confirm or deny. At this point, I don't even know how to check the OpenSSL version (as the commands have changed in ESXi).

So, can someone tell me how to check the OpenSSL version in ESXi?

Thanks.

Texiwill
Leadership

Hello,

To remove any confusion, this CVE is specific to OpenSSL and NOT ESXi. The way the question was written made it sound like an ESXi CVE....

There is no real way to check the SSL version on ESXi as the Posix environment in BusyBox does not have this capability.

However, checking 'versions' is not the best way to see if OpenSSL has been patched. Many versions of OpenSSL actually have the 'patch' for this backported. Red Hat is notorious for doing this. I will however get someone to look at this.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
kirklarsen
VMware Employee

Hi,

For CVE-2009-0590

From: https://bugzilla.redhat.com/show_bug.cgi?id=492304#c9

"
From Tomas Hoger

This issue may only affect applications using ASN1_STRING_print_ex() (or ASN1_STRING_print_ex_fp(), or ASN1_item_print() calling ASN1_STRING_print_ex()) OpenSSL function to print untrusted inputs (such as values from not verified X509 client certificates).

No application shipped in Red Hat Enterprise Linux uses affected function.
"

No products that VMware ships use the affected function. We will create a Knowledge base article for this CVE. Thanks to the Red Hat team for triaging this issue!

Best regards,

--Ksl
Kirk Larsen
Product Security Officer
VMware Inc.

0 Kudos
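The replies above make the triage question "does anything call the affected functions?" rather than "which OpenSSL version is installed?". The sketch below is an added example, not code from the thread, VMware or Red Hat: a heuristic that looks for the three function names from the quoted Red Hat comment as NUL-terminated strings in binaries, assuming the files have been copied to an analysis host. A hit does not distinguish a caller from libcrypto itself (which exports these names), and stripped statically linked binaries carry no names at all; the sample byte strings are constructed.

```python
"""Heuristic: which binaries reference the functions named for CVE-2009-0590."""
import sys
from pathlib import Path

# Names from the Red Hat Bugzilla comment quoted in the thread.
AFFECTED = (b"ASN1_STRING_print_ex", b"ASN1_STRING_print_ex_fp", b"ASN1_item_print")


def referenced_symbols(blob: bytes) -> dict[str, str]:
    """Map each affected name found in blob to 'exact' or 'suffix'.

    Symbol names in an ELF string table are NUL-terminated. 'exact' means a
    whole NUL-delimited string equals the name. 'suffix' means a longer string
    ends with it; linkers may store a name as the tail of a longer one, so a
    suffix hit needs a manual look instead of being ignored.
    """
    tokens = set(blob.split(b"\x00"))
    found = {}
    for name in AFFECTED:
        if name in tokens:
            found[name.decode()] = "exact"
        elif any(tok.endswith(name) for tok in tokens):
            found[name.decode()] = "suffix"
    return found


def triage(binaries: dict[str, bytes]) -> dict[str, dict[str, str]]:
    """Return only the binaries that reference at least one affected name."""
    hits = {path: referenced_symbols(data) for path, data in binaries.items()}
    return {path: found for path, found in hits.items() if found}


# Constructed sample inputs: fake string-table fragments, not real binaries.
SAMPLES = {
    "app_prints_cert": b"\x00SSL_read\x00ASN1_STRING_print_ex\x00X509_free\x00",
    "app_fp_only": b"\x00ASN1_STRING_print_ex_fp\x00fopen\x00",
    "app_unaffected": b"\x00SSL_connect\x00ASN1_STRING_print\x00",
    "app_merged_tail": b"\x00wrap_ASN1_item_print\x00",
}

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the samples.
    inputs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLES
    for path, found in triage(inputs).items():
        print(path, found)
```

Binaries that come back with a hit are the ones to review for whether the printed value can come from untrusted input, such as an unverified client certificate.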