VMSA-2014-0004: VMware product updates address OpenSSL security vulnerabilities
23445
12 April 2014
CLOSED
CRITICAL
CVE-2014-0076,CVE-2014-0160
VMSA-2014-0004.7
VMware product updates address OpenSSL security vulnerabilities
VMware Security Advisory
1. Summary
VMware product updates address OpenSSL security vulnerabilities.
2. Relevant Releases
VMware vCenter Server 5.5
VMware vCenter Server 5.5 Update 1
ESXi 5.5 without patch ESXi550-201404020
ESXi 5.5 Update 1 without patch ESXi550-201404001
VMware Workstation 10.x prior to version 10.0.2
VMware Fusion 6.x prior to version 6.0.3
VMware Player 6.x prior to version 6.0.2
NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
NSX 6.0.x for vSphere prior to 6.0.4
NVP 3.x prior to 3.2.2
Horizon View 5.3 Feature Pack 1
Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and iOS
Horizon View Client 2.3.x for Windows
Horizon Workspace Server 1.0
Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
Horizon Workspace Server 1.8.x prior to 1.8.1
Horizon Workspace Client 1.5.x
Horizon Workspace Client 1.8 prior to 1.8.1
OVF Tool prior to 3.5.1
VMware vCloud Networking and Security (vCNS) 5.5.1
VMware vCloud Networking and Security (vCNS) 5.1.3
vCloud Automation Center (vCAC) 6.x
vSphere Big Data Extensions 1.1
Client Integration Plug-In 5.5
vCloud Director 5.5
3. Problem Description
a. Information Disclosure vulnerability in OpenSSL third party library
The OpenSSL library is updated to version openssl-1.0.1g to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.
CVE-2014-0160 is known as the Heartbleed issue. More information on this issue may be found in the reference section.
To remediate the issue for products that have updated versions or patches available, perform these steps:
- Deploy the VMware product update or product patches
- Replace certificates per the product-specific documentation
- Reset passwords per the product-specific documentation
Section 4 lists product-specific references to installation instructions and certificate management documentation.
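The first remediation step above is deploying the product update, which replaces the bundled OpenSSL with the 1.0.1g build named in this section. As an added example (not part of the advisory, and not a VMware tool), the shell function below classifies an OpenSSL version string against the Heartbleed-affected range: upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug, and 1.0.1g is the first fixed 1.0.1 release. The assumption is that the build reports an upstream version number; distribution packages that backport the fix keep an older version string, so this check is only a first triage of a host's own openssl binary and does not inspect the library a product actually links.

```shell
#!/bin/sh
# Added example, not part of VMSA-2014-0004.
# Classify an OpenSSL version string against the Heartbleed (CVE-2014-0160) range.
# Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# First fixed 1.0.1 release: 1.0.1g (the version the advisory's updates ship).
#
# Accepts either a bare version token ("1.0.1e") or a full "openssl version"
# line ("OpenSSL 1.0.1e 11 Feb 2013"). Prints one of: affected, not-affected, unknown.
heartbleed_status() {
    v=${1#OpenSSL }   # drop a leading "OpenSSL " from a full version line
    v=${v%% *}        # keep only the version token (drops the build date)
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            echo "affected" ;;
        # Releases with the fix, and branches that never had the heartbeat extension.
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*|1.0.0*|0.9.*)
            echo "not-affected" ;;
        *)
            echo "unknown" ;;   # not an upstream OpenSSL version string; inspect by hand
    esac
}

# Triage the host's own OpenSSL build, if one is on the PATH.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version)
    printf 'local openssl: %s -> %s\n' "$local_ver" "$(heartbleed_status "$local_ver")"
fi
```

The check is deliberately conservative: anything that is not an upstream version string is reported as unknown rather than guessed, so a vendor build with a patched-but-old version string is flagged for manual review rather than marked safe.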
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Note: Products that are not affected by these issues have been documented in VMware Knowledge Base article 2076225.
Remediation table (columns: VMware Product, Product Version, Running on, Replace with / Apply Patch). Only fragments of the table cells survived extraction:
- Replace with / Apply Patch: horizon-nginx-rpm-1.5.0.0-1736237.x86_64 (the Horizon Workspace Server 1.5.x patch listed in section 4)
- Replace with / Apply Patch: see important note below
- Running on: Linux
- Replace with / Apply Patch: CIP used with vCloud Director: vCD 5.5.1.1
- Replace with / Apply Patch: CIP used with vCHS: see reference in section 4
Note:
* VMware Horizon View 5.3 Feature Pack 1: Only the HTML Access component in the Remote Experience Agent is affected
** Administrators who updated to Horizon Workspace Server 1.8.1 between 4/14/14 and 4/19/14 will need to update to the latest version listed in the table
*** The Client Integration Plug-In installs the OVF Tool and is used with vCD, vCHS, and vSphere for browser OVF file upload
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5
Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076692
ESXi 5.5 / ESXi 5.5 Update 1
Download:
https://www.vmware.com/patchmgr/download.portal
Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076665
Workstation 10.x
https://www.vmware.com/go/downloadworkstation
Fusion 6.x
https://www.vmware.com/go/downloadfusion
VMware Player 6.x
https://www.vmware.com/go/downloadplayer
NSX for Multi-Hypervisor, NSX for vSphere and NVP
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx
Horizon View 5.3 Feature Pack 2
Remediation Instructions and Download:
http://kb.vmware.com/kb/2076796
Release Notes:
https://www.vmware.com/support/view53/doc/horizon-view-53-feature-pack-2-release-notes.html
Horizon View Client 2.3.3 for Android, iOS and Windows
Release Notes, Remediation Instructions and Download:
http://kb.vmware.com/kb/2076796
Horizon Workspace Server 1.5
File: horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
md5sum: bc4cc609f926701cac2b199f895ab16d
sha1sum: fa456e042698a2cb19077fbd2199d948532af0c8
Release Notes and Download:
http://kb.vmware.com/kb/2076551
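The section opens by asking that the checksum of every downloaded file be verified, and the Horizon Workspace Server 1.5 entry above is the one that publishes both an md5sum and a sha1sum. As an added example (not VMware's code), the POSIX shell function below compares a downloaded file against published digests, tolerates upper- or lower-case hex, and uses whichever digest tool the host provides (coreutils sha1sum/md5sum, Perl shasum, macOS md5, or openssl dgst); which of those is present is an assumption about the host. The demonstration input at the bottom is a constructed one-line file, not the Horizon RPM, so the second check is expected to fail and shows what a mismatch looks like.

```shell
#!/bin/sh
# Added example, not part of VMSA-2014-0004.
# Verify a downloaded file against the checksums printed in an advisory.
# Usage: verify_download FILE EXPECTED_SHA1 [EXPECTED_MD5]
# Returns 0 only if every supplied digest matches; a mismatch or an
# unreadable file returns 1 and explains why on stderr.

# Print the hex digest of a file for ALG (sha1 or md5), using whichever tool
# the host has: coreutils, Perl shasum, macOS md5, or openssl.
digest_of() {
    alg=$1; path=$2
    case "$alg" in
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then sha1sum "$path" | cut -d' ' -f1
            elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$path" | cut -d' ' -f1
            else openssl dgst -sha1 "$path" | sed 's/.*= //'; fi ;;
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$path" | cut -d' ' -f1
            elif command -v md5 >/dev/null 2>&1; then md5 -q "$path"
            else openssl dgst -md5 "$path" | sed 's/.*= //'; fi ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
}

# Compare two hex digests case-insensitively (advisories differ in letter case).
same_digest() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

verify_download() {
    file=$1; want_sha1=$2; want_md5=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    got_sha1=$(digest_of sha1 "$file")
    if ! same_digest "$got_sha1" "$want_sha1"; then
        echo "sha1 MISMATCH for $file: expected $want_sha1, got $got_sha1" >&2
        return 1
    fi
    # The md5 is optional: sha1 is the stronger of the two the advisory prints,
    # but checking both catches a transcription error in either value.
    if [ -n "$want_md5" ]; then
        got_md5=$(digest_of md5 "$file")
        if ! same_digest "$got_md5" "$want_md5"; then
            echo "md5 MISMATCH for $file: expected $want_md5, got $got_md5" >&2
            return 1
        fi
    fi
    echo "OK: $file matches the published checksum(s)"
    return 0
}

# Constructed demonstration input (not a VMware file): a one-line file whose
# SHA-1 and MD5 are the well-known digests of "hello\n".
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_download "$demo" f572d396fae9206628714fb2ce00f72e94f2258f b1946ac92492d2347c6235b4d2611184
# Checking the same constructed file against the advisory's RPM sha1sum fails, as it should.
verify_download "$demo" fa456e042698a2cb19077fbd2199d948532af0c8 \
    || echo "(expected: the constructed file is not horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm)"
rm -f "$demo"
```

Run it as `verify_download horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm fa456e042698a2cb19077fbd2199d948532af0c8 bc4cc609f926701cac2b199f895ab16d` against the real download; a non-zero exit means the file should not be installed.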
Horizon Workspace Server 1.8.1
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=HZNWS181
Release Notes:
https://www.vmware.com/support/horizon_workspace/doc/hw_release_notes_181.html
Horizon Workspace Client 1.8.1
Download:
https://my.vmware.com/web/vmware/details?productId=323&downloadGroup=HZNWS180
Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076783
OVF Tool 3.5.1
Download:
https://www.vmware.com/support/developer/ovf/
vCloud Networking and Security 5.5.2
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255
Release Notes and Remediation Instructions:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_552.html
Best practices for upgrading to VMware vCloud Networking and Security 5.5.2
http://kb.vmware.com/kb/2076534
vCloud Networking and Security 5.1.4
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131
Release Notes and Remediation Instructions:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_514.html
Best practices for upgrading to VMware vCloud Networking and Security 5.1.4
http://kb.vmware.com/kb/2076531
vCloud Automation Center (vCAC) 6.0.1
Release Notes, Remediation Instructions and Download:
http://kb.vmware.com/kb/2076869
Big Data Extensions 1.1 Update
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=BDE_110_GA&productId=353&rPId=5257
Remediation Instructions:
http://kb.vmware.com/kb/2076855
Client Integration Plug-In (CIP)
For vSphere 5.5: See vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a in this section.
For vCD 5.5: vCD 5.5.1.1
Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076891
For vCHS: See http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
VMware Knowledge Base article 2076225.
http://kb.vmware.com/kb/2076225
The Heartbleed Bug
http://heartbleed.com/
6. Change Log
2014-04-14 VMSA-2014-0004
Initial security advisory in conjunction with the release of Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14
2014-04-16 VMSA-2014-0004.2
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16
2014-04-17 VMSA-2014-0004.3
Updated security advisory in conjunction with the release of Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace Client 1.8.1 on 2014-04-17
2014-04-18 VMSA-2014-0004.4
Updated security advisory in conjunction with the release of NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients 2.3.3 on 2014-04-18
2014-04-19 VMSA-2014-0004.5
Updated security advisory in conjunction with the release of vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1, NSX 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5 on 2014-04-19
2014-04-20 VMSA-2014-0004.6
Updated security advisory in conjunction with the release of vCloud Director 5.5.1.1 on 2014-04-20
2014-04-22 VMSA-2014-0004.7
Updated security advisory wording and clarified vCNS version numbering after customer feedback on 2014-04-22
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.