We have a number of websites running behind NSX using the built-in load balancing. When testing our sites against SSL Labs (SSL Server Test, powered by Qualys SSL Labs) we get an F rating due to the Padding Oracle vulnerability, CVE-2016-2107.
We were on NSX 6.2.2 originally, and have recently updated to NSX 6.2.4 which disabled TLS 1.0 by default but the vulnerability still exists.
Info from OpenSSL: https://www.openssl.org/news/secadv/20160503.txt
Additional info on the vulnerability from a blog post: Yet Another Padding Oracle in OpenSSL CBC Ciphersuites
I would have thought that the latest NSX 6.2.4 patch would have resolved this, as it has been a known vulnerability marked as critical since May. I've been researching this issue for a while and haven't found much info, and I'm a bit surprised, as I thought more people would be using these features.
It's my understanding that NSX uses HAProxy in the background for load balancing. Is there any way to dig further into NSX and update HAProxy and/or the OpenSSL libraries? Since the vulnerability is in the OpenSSL libraries, my assumption is that either needs to be updated by VMware within an NSX patch, or perhaps it can be updated separately.
Has anyone else run into this vulnerability? Has anyone found any way to mitigate or resolve it?
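For anyone inventorying OpenSSL builds against the advisory linked above, here is an added example (not VMware's, NSX's or HAProxy's code) that maps an `openssl version` banner to whether it predates the 1.0.1t / 1.0.2h releases the advisory names as fixed. The fix thresholds come from that advisory; the sample banners are constructed, and EOL branches (0.9.8, 1.0.0) are simply flagged as needing replacement because they received no fix.

```python
"""Classify OpenSSL version banners against the CVE-2016-2107 fix releases.

Added example for this thread, not VMware/NSX code. Fixed releases
(1.0.1t and 1.0.2h) are taken from the OpenSSL advisory of 3 May 2016;
1.1.0 and later shipped after the fix and were never affected.
"""
import re
import ssl

# Affected branch -> first patch letter containing the fix (per the advisory).
FIXED = {
    (1, 0, 1): "t",
    (1, 0, 2): "h",
}
# Branches already out of support when the advisory was issued: no fix exists.
EOL_BRANCHES = {(0, 9, 8), (1, 0, 0)}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from a banner such as
    'OpenSSL 1.0.2g  1 Mar 2016'. Raises ValueError for non-OpenSSL strings
    (e.g. a LibreSSL banner)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def letter_rank(letter):
    """Order OpenSSL 1.0.x patch letters: '' (base release) < 'a' < ... < 'z' < 'za'."""
    rank = 0
    for ch in letter:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def needs_update(version_text):
    """True if the build described by version_text lacks the CVE-2016-2107 fix
    (or belongs to an EOL branch that never received one)."""
    major, minor, fix, letter = parse_version(version_text)
    branch = (major, minor, fix)
    if (major, minor) >= (1, 1):
        return False                      # 1.1.0+ released after the fix
    if branch in EOL_BRANCHES:
        return True                       # unsupported, replace rather than patch
    fixed_letter = FIXED.get(branch)
    if fixed_letter is None:
        return True                       # unknown 1.0.x branch: be conservative
    return letter_rank(letter) < letter_rank(fixed_letter)


def local_openssl_status():
    """Classify the OpenSSL this Python interpreter links against:
    'needs_update', 'ok', or 'unknown' (not an OpenSSL banner)."""
    try:
        return "needs_update" if needs_update(ssl.OPENSSL_VERSION) else "ok"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = [
        "OpenSSL 1.0.1s  1 Mar 2016",
        "OpenSSL 1.0.2g  1 Mar 2016",
        "OpenSSL 1.0.2h  3 May 2016",
        "OpenSSL 1.1.0  25 Aug 2016",
    ]
    for banner in samples:
        status = "NEEDS UPDATE" if needs_update(banner) else "ok"
        print("%-30s %s" % (banner, status))
    print("local ssl module:", ssl.OPENSSL_VERSION, "->", local_openssl_status())
```

This checks the library version a host reports, which is useful when auditing your own hosts and appliances you can log in to; the SSL Labs result in the post reflects the live TLS behaviour of the load balancer, so the two checks complement each other rather than replace one another.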
I have the same problem, but for vCenter 6 U2. I'd be glad to hear when VMware will solve this.
I am having the same exact issue as @Luis_Franco. Please let me know if there is a solution.
Thanks,
There are fixes for NSX (Edge Services Gateway - Load Balancer) and vSphere in the works.
Is there an ETA on when a fix will come out?
NSX - Jan 2017 time frame; for vSphere it is looking like a patch release, TBD. If your concern is vSphere, please open an SR on it. The information I am getting is 6.0u3 due out late February.
Did the fix make it into vSphere 6.5?