[Last Update April 19, 2014 - Patches available]
There is a lot of news about the recently published OpenSSL vulnerability. The bug, also known as "Heartbleed", allows attackers to steal information that is protected by SSL/TLS encryption.
Are VMware ESXi and vCenter affected?
There is currently no official statement from VMware regarding this issue. After some research I found affected versions in VMware products. Here are my findings:
The affected versions are OpenSSL 1.0.1 through 1.0.1f.
- VMware ESXi 5.5 (GA and U1)
    ~ # openssl version
    OpenSSL 1.0.1e 11 Feb 2013
    ~ # vmware --version
    VMware ESXi 5.5.0 build-1623387
According to this, ESXi 5.5 is vulnerable. The test scripts available here also report ESXi 5.5 hosts as affected.
- VMware vCenter Server 5.5
I could find an affected binary of OpenSSL in the vCenter Server 5.5 directory but it is actually not in use by any services. So I assume the vCenter to be safe. I've also tested various scripts and did not get a positive response.
- VMware ESXi 5.1
- VMware ESXi 5.0
- VMware ESXi 4.1
All of these products use an older, unaffected version of OpenSSL (OpenSSL 0.9.8).
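The version check used above can be scripted for a whole list of hosts. The following is an added example, not part of the original post or any VMware tooling: a POSIX shell function (the name `heartbleed_status` is hypothetical) that classifies an `openssl version` banner against the range stated here. Apart from the ESXi 5.5 banner quoted above, the sample banners are constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the range
# stated on this page (OpenSSL 1.0.1 through 1.0.1f are affected).
# heartbleed_status is a hypothetical helper, not a VMware or OpenSSL tool.

heartbleed_status() {
    banner=$1
    case $banner in
        "OpenSSL "*) ;;                          # expected banner prefix
        *) echo not-covered; return 0 ;;         # not an OpenSSL banner
    esac
    rest=${banner#OpenSSL }     # drop the product name
    ver=${rest%% *}             # keep the version token, e.g. 1.0.1e
    ver=${ver%-fips}            # FIPS builds carry the same base version
    case $ver in
        1.0.1|1.0.1[a-f]) echo affected ;;       # range given on this page
        1.0.1[g-z])       echo not-affected ;;   # later letters of the 1.0.1 branch
        0.9.*|1.0.0*)     echo not-affected ;;   # older branches (the page lists 0.9.8)
        *)                echo not-covered ;;    # outside what this page states
    esac
}

# Constructed sample banners; the first is the ESXi 5.5 output quoted above.
for sample in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-34s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Check the local binary as well, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null)
    printf '%-34s %s\n' "local: $local_banner" "$(heartbleed_status "$local_banner")"
fi
```

The banner only identifies the library behind the `openssl` binary that was run. As the vCenter finding shows, an affected binary can be present without any service using it, and a vendor-patched build can keep its original version string.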
[Update] VMware published KB2076225 regarding this issue
[Update] VMware has confirmed these products to be affected:
- ESXi 5.5
- NSX-MH 4.x
- NSX-V 6.0.x
- NVP 3.x
- vCenter Server 5.5
- vFabric Web Server 5.0.x – 5.3.x
- VMware Fusion 6.0.x
- VMware Horizon Mirage Edge Gateway 4.4.x
- VMware Horizon View 5.3 Feature Pack 1
- VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for Windows 2.3.x
- VMware Horizon Workspace 1.0
- VMware Horizon Workspace 1.5
- VMware Horizon Workspace 1.8
- VMware Horizon Workspace Client for Macintosh 1.5.1
- VMware Horizon Workspace Client for Macintosh 1.5.2
- VMware Horizon Workspace Client for Windows 1.5.1
- VMware Horizon Workspace Client for Windows 1.5.2
- VMware Horizon Workspace for Macintosh 1.8
- VMware Horizon Workspace for Windows 1.8
- VMware OVF Tool 3.5.0
- VMware vCloud Automation Center (vCAC) 6.x
- VMware vCloud Networking and Security (vCNS) 5.1.3
- VMware vCloud Networking and Security (vCNS) 5.5.1
[Update] VMware published a Security Advisory