ESXi 5.5 affected by OpenSSL CVE-2014-0160 aka Heartbleed

[Last Update April 19, 2014 - Patches available]

There is a lot of news about the recently published OpenSSL vulnerability. The bug, also known as "Heartbleed", allows attackers to steal information that is protected by SSL/TLS encryption.

Are VMware ESXi and vCenter affected?
There is currently no official statement from VMware regarding this issue. After some research I found affected versions in VMware products. Here are my findings:

The affected versions are OpenSSL 1.0.1 through 1.0.1f.

Likely Affected

  • VMware ESXi 5.5 (GA and U1)
~ # openssl version
OpenSSL 1.0.1e 11 Feb 2013
~ # vmware --version
VMware ESXi 5.5.0 build-1623387

According to this, ESXi 5.5 is vulnerable. The test scripts available here also report ESXi 5.5 hosts to be affected.
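
As an added example (not from the original post), this POSIX shell sketch applies the affected range quoted above (OpenSSL 1.0.1 through 1.0.1f) to `openssl version` banners collected from several hosts. The host names and every banner except the ESXi 5.5 one are constructed, and a banner inside the range only flags a host for follow-up, since a vendor can ship a fixed build without changing the version letter.

```shell
#!/bin/sh
# Added example: classify an "openssl version" banner against the range
# quoted in the post (OpenSSL 1.0.1 through 1.0.1f).
# Return codes: 0 = inside the range, 1 = outside it, 2 = banner not understood.
heartbleed_status() {
    banner=$1
    # In "OpenSSL 1.0.1e 11 Feb 2013" the second field is the version token.
    ver=$(printf '%s\n' "$banner" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || return 2
    # Drop build suffixes so "1.0.1e-fips" is judged as "1.0.1e".
    ver=${ver%%-*}
    case $ver in
        1.0.1|1.0.1[a-f])      return 0 ;;  # 1.0.1 through 1.0.1f
        [0-9]*.[0-9]*.[0-9]*)  return 1 ;;  # any other well-formed version
        *)                     return 2 ;;
    esac
}

# Constructed inventory, one "hostname|banner" per line. Host names are
# made up; the first banner is the one shown in the post for ESXi 5.5.
sample_inventory() {
    cat <<'EOF'
esx55-a|OpenSSL 1.0.1e 11 Feb 2013
esx51-b|OpenSSL 0.9.8y 5 Feb 2013
lab-c|OpenSSL 1.0.1g 7 Apr 2014
lab-d|OpenSSL 1.0.1e-fips 11 Feb 2013
lab-e|command not found
EOF
}

# Read "hostname|banner" lines on stdin and print one verdict per host.
triage() {
    while IFS='|' read -r host banner; do
        rc=0
        heartbleed_status "$banner" || rc=$?
        case $rc in
            0) echo "$host AFFECTED-RANGE" ;;
            1) echo "$host outside-range" ;;
            *) echo "$host UNKNOWN" ;;   # no usable banner: check by hand
        esac
    done
}

sample_inventory | triage
```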

Possibly Affected

  • VMware vCenter Server 5.5

I could find an affected binary of OpenSSL in the vCenter Server 5.5 directory but it is actually not in use by any services. So I assume the vCenter to be safe. I've also tested various scripts and did not get a positive response.

Not Affected

  • VMware ESXi 5.1
  • VMware ESXi 5.0
  • VMware ESXi 4.1

All of these products use an older, unaffected version of OpenSSL (OpenSSL 0.9.8).

References

[Update] VMware published KB2076225 regarding this issue

[Update] VMware has confirmed these products to be affected:

  • ESXi 5.5
  • NSX-MH 4.x
  • NSX-V 6.0.x
  • NVP 3.x
  • vCenter Server 5.5
  • vFabric Web Server 5.0.x – 5.3.x
  • VMware Fusion 6.0.x
  • VMware Horizon Mirage Edge Gateway 4.4.x
  • VMware Horizon View 5.3 Feature Pack 1
  • VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for Windows 2.3.x
  • VMware Horizon Workspace 1.0
  • VMware Horizon Workspace 1.5
  • VMware Horizon Workspace 1.8
  • VMware Horizon Workspace Client for Macintosh 1.5.1
  • VMware Horizon Workspace Client for Macintosh 1.5.2
  • VMware Horizon Workspace Client for Windows 1.5.1
  • VMware Horizon Workspace Client for Windows 1.5.2
  • VMware Horizon Workspace for Macintosh 1.8
  • VMware Horizon Workspace for Windows 1.8
  • VMware OVF Tool 3.5.0
  • VMware vCloud Automation Center (vCAC) 6.x
  • VMware vCloud Networking and Security (vCNS) 5.1.3
  • VMware vCloud Networking and Security (vCNS) 5.5.1

[Update] VMware published a Security Advisory

  1. There is a KB published about the issue already http://kb.vmware.com/kb/2076225 along with an Official Blog Response http://t.co/wa5BDFiL8J so please include the reference

    @mandivs
