We have a number of websites running behind NSX using the built-in load balancing. When testing our sites against SSL Labs (SSL Server Test, powered by Qualys SSL Labs) we get an F rating due to the Padding Oracle vulnerability, CVE-2016-2107.
We were on NSX 6.2.2 originally and have recently updated to NSX 6.2.4, which disabled TLS 1.0 by default, but the vulnerability still exists.
Info from OpenSSL: https://www.openssl.org/news/secadv/20160503.txt
Additional info on the vulnerability from a blog post: Yet Another Padding Oracle in OpenSSL CBC Ciphersuites
I would have thought that the latest NSX 6.2.4 patch would have resolved this, as this has been a known vulnerability marked as critical since May. I've been researching this issue for a while and haven't found much info, and I'm a bit surprised, as I thought more people would be using these features.
It's my understanding that NSX uses HAProxy in the background for load balancing. Is there any way to dig further into NSX and update HAProxy and/or the OpenSSL libraries? Since the vulnerability is in the OpenSSL libraries, my assumption is that either needs to be updated by VMware within an NSX patch, or perhaps it can be updated separately.
Has anyone else run into this vulnerability? Has anyone found any way to mitigate or resolve?
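An added example, not part of the original post or of any VMware or HAProxy code: a small audit helper a defender can run against two things they can usually read off an appliance without patching anything, the `openssl version` banner and the configured cipher string. CVE-2016-2107 is in OpenSSL's AES-NI CBC MAC check and was fixed in 1.0.1t and 1.0.2h (per the advisory linked above), so two facts decide exposure: whether the library predates those releases, and whether any AES-CBC cipher suite is still offered. The sample banners and cipher strings below are constructed for illustration, and the assumption that the appliance's banner and cipher list can be obtained is mine.

```python
import re

# Fixed releases named in the OpenSSL advisory of 3 May 2016 (CVE-2016-2107).
FIXED_PATCH_LETTER = {"1.0.1": "t", "1.0.2": "h"}


def parse_openssl_version(banner):
    """Parse an `openssl version` banner, e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013',
    into (base_tuple, patch_letter) -> ((1, 0, 1), 'e')."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def library_vulnerable(banner):
    """True if the OpenSSL build predates the CVE-2016-2107 fix."""
    base, letter = parse_openssl_version(banner)
    key = "%d.%d.%d" % base
    if key in FIXED_PATCH_LETTER:
        # Patch letters sort lexically; an empty letter is the .0 release.
        return letter < FIXED_PATCH_LETTER[key]
    # 1.0.0 and 0.9.8 were out of support when the advisory shipped and got no fix;
    # 1.1.0 and later were released after it.
    return base < (1, 0, 1)


def is_aes_cbc_suite(name):
    """OpenSSL cipher names: AES suites without GCM/CCM in the name are CBC mode,
    which is the only code path CVE-2016-2107 touches."""
    return "AES" in name and "GCM" not in name and "CCM" not in name


def drop_aes_cbc(cipher_string):
    """Return the OpenSSL cipher string with every AES-CBC suite removed.
    This is the configuration-side mitigation when the library cannot be patched."""
    kept = [c for c in cipher_string.split(":") if c and not is_aes_cbc_suite(c)]
    return ":".join(kept)


def assess(banner, cipher_string):
    """Combine both checks: the padding oracle is only reachable when the library
    is unpatched AND an AES-CBC suite can be negotiated."""
    lib_vuln = library_vulnerable(banner)
    cbc = [c for c in cipher_string.split(":") if c and is_aes_cbc_suite(c)]
    return {
        "library_vulnerable": lib_vuln,
        "aes_cbc_suites": cbc,
        "exposed": lib_vuln and bool(cbc),
        "hardened_ciphers": drop_aes_cbc(cipher_string),
    }


if __name__ == "__main__":
    # Constructed sample: an unpatched 1.0.1 build with a mixed cipher list.
    banner = "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ciphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-SHA"
    for k, v in assess(banner, ciphers).items():
        print("%-20s %s" % (k, v))
```

Rather than telling you which exact NSX setting to change, the helper separates the two conditions so you can see which one you can actually influence: the library version is VMware's to fix in an NSX patch, while removing AES-CBC suites from the offered cipher list is something an operator can do now, and SSL Labs re-tests it immediately.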
NSX: Jan 2017 time frame. For vSphere it is looking like a patch release, TBD. If your concern is vSphere, please open an SR on it. The information I am getting is 6.0u3 due out late February.