SnowRanger
Contributor

NSX - Padding Oracle vulnerability - CVE-2016-2107

We have a number of websites running behind NSX using the built-in load balancing. When testing our sites against SSL Labs (SSL Server Test, powered by Qualys SSL Labs) we get an F rating due to the Padding Oracle vulnerability, CVE-2016-2107.

We were on NSX 6.2.2 originally, and have recently updated to NSX 6.2.4, which disabled TLS 1.0 by default, but the vulnerability still exists.

Info from OpenSSL: https://www.openssl.org/news/secadv/20160503.txt

Additional info on the vulnerability from a blog post: Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

I would have thought that the latest NSX 6.2.4 patch would have resolved this, as it has been a known vulnerability marked as critical since May. I've been researching this issue for a while and haven't found much info, and I'm a bit surprised, as I thought more people would be using these features.


It's my understanding that NSX uses HAProxy in the background for load balancing. Is there any way to dig further into NSX and update HAProxy and/or the OpenSSL libraries? Since the vulnerability is in the OpenSSL libraries, my assumption is that either needs to be updated by VMware within an NSX patch, or perhaps it can be updated separately.


Has anyone else run into this vulnerability? Has anyone found any way to mitigate or resolve?

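An added example, not code from this thread or from VMware, HAProxy or OpenSSL: two offline checks a defender can run against data already in hand while waiting for a vendor patch. It assumes the load balancer host reports an `openssl version` style string and that the listener's cipher list is an OpenSSL cipher string (the form HAProxy takes in `ssl-default-bind-ciphers`); how NSX stores that configuration internally is not documented in the thread, and the cipher-string handling is deliberately simple (aliases such as HIGH are passed through unclassified).

```python
# Added example (not from the thread or from VMware/HAProxy/OpenSSL): offline
# helpers for assessing CVE-2016-2107 exposure from an OpenSSL version string
# and from an OpenSSL-style cipher list.
import re
from typing import List, Tuple

# Fixed releases named in the OpenSSL advisory of 3 May 2016: 1.0.2h and 1.0.1t.
# The 1.0.0 and 0.9.8 branches were out of support and received no fix.
FIXED_PATCH_LETTER = {"1.0.2": "h", "1.0.1": "t"}

# Suite-name fragments that identify AEAD, stream or null ciphers, i.e. not CBC mode.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


def openssl_version_is_fixed(version_string: str) -> bool:
    """Return True if an `openssl version` string names a build containing the fix.

    Accepts strings such as 'OpenSSL 1.0.2g  1 Mar 2016' or 'OpenSSL 1.0.1e-fips'.
    """
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", version_string)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    base, letter = m.group(1), m.group(2)
    if base in FIXED_PATCH_LETTER:
        # Within a branch, OpenSSL patch letters are ordered alphabetically.
        return letter >= FIXED_PATCH_LETTER[base]
    major, minor, patch = (int(x) for x in base.split("."))
    # 1.1.0 and later never shipped the bug; anything below 1.0.1 is unpatched.
    return (major, minor, patch) > (1, 0, 2)


def is_cbc_suite(suite: str) -> bool:
    """True for concrete OpenSSL suite names that use a CBC-mode block cipher."""
    upper = suite.upper()
    return "-" in upper and not any(marker in upper for marker in NON_CBC_MARKERS)


def affected_by_cve_2016_2107(suite: str) -> bool:
    """CVE-2016-2107 concerns AES-CBC suites specifically (on AES-NI capable hosts)."""
    return is_cbc_suite(suite) and "AES" in suite.upper()


def split_cipher_list(cipher_list: str) -> Tuple[List[str], List[str]]:
    """Split an OpenSSL cipher string into (kept, aes_cbc) tokens.

    Tokens already carrying a modifier ('!', '-', '+') and aliases such as HIGH
    cannot be classified here and are kept unchanged.
    """
    kept, aes_cbc = [], []
    for token in filter(None, cipher_list.split(":")):
        if token[0] in "!-+" or not affected_by_cve_2016_2107(token):
            kept.append(token)
        else:
            aes_cbc.append(token)
    return kept, aes_cbc


def hardened_cipher_string(cipher_list: str) -> str:
    """Rewrite a cipher string so that AES-CBC suites are explicitly excluded ('!')."""
    kept, aes_cbc = split_cipher_list(cipher_list)
    if not kept:
        raise ValueError("no non-CBC suites left; add AEAD suites before excluding CBC")
    return ":".join(kept + ["!" + s for s in aes_cbc])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real NSX appliance.
    print(openssl_version_is_fixed("OpenSSL 1.0.2g  1 Mar 2016"))  # False
    sample = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA:!aNULL"
    print(hardened_cipher_string(sample))
```

Removing the AES-CBC suites from the listener only sidesteps this particular padding oracle; the defective padding check lives in OpenSSL itself, so the actual fix is the library update, which for an NSX Edge only VMware can ship. A rerun of the SSL Labs test after the cipher change confirms whether the listener still negotiates any CBC suite.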
7 Replies
admin
Immortal

SnowRanger,

Please contact me directly so we can look into this. hparrott@vmware.com

-Heath

Luis_Franco
Contributor

I have the same problem but for vCenter 6 U2. I'd be glad to hear when VMware will solve this.

gogodiego619
Contributor

I am having the same exact issue as @Luis_Franco. Please let me know if there is a solution.


Thanks,

admin
Immortal

There are fixes for NSX (Edge Services Gateway - Load Balancer) and vSphere in the works.

gogodiego619
Contributor

Is there an ETA on when a fix will come out?

admin
Immortal

NSX - Jan 2017 time frame; for vSphere it is looking like a patch release, TBD. If your concern is vSphere, please open an SR on it. The information I am getting is 6.0u3 due out late February.

Bleeder
Hot Shot

Did the fix make it into vSphere 6.5?
