VMSA-2014-0006:VMware product updates address OpenSSL security vulnerabilities
23447
08 June 2014
08 June 2014
CLOSED
CRITICAL
CVE-2014-0224,CVE-2014-0198,CVE-2010-5298,CVE-2014-3470
VMSA-2014-0006.11
VMware product updates address OpenSSL security vulnerabilities
VMware Security Advisory
1. Summary
VMware product updates address OpenSSL security vulnerabilities.
2. Relevant Releases
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
ESXi 5.0 without patch ESXi500-201407401-SG
Workstation 10.x prior to 10.0.3
Workstation 9.x prior to 9.0.4
Player 6.x prior to 6.0.3
Player 5.x prior to 5.0.4
Fusion 6.x prior to 6.0.4
Fusion 5.x prior to 5.0.5
Horizon View prior to 5.3.2
Horizon View 5.3 Feature Pack X prior to Feature Pack 3
Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
Horizon View Clients prior to 3.0
vCD 5.5.x prior to 5.5.1.2
vCD 5.1.x prior to 5.1.3.1
vCenter prior to 5.5u1b
vCenter prior to 5.1 U2a
vCenter prior to 5.0U3a
vCenter Support Assistant prior to 5.5.1.1
vCloud Automation Center prior to 6.0.1.2
vCenter Configuration Manager prior to 5.7.2
vCenter Converter Standalone prior to 5.5.2
Converter Standalone prior to 5.1.1
Usage Manager prior to 3.3
ITBM Standard prior to 1.1
vCenter Operations Manager prior to 5.8.2
vCenter Operations Manager prior to 5.7.3
vCenter Chargeback Manager 2.6 prior to 2.6.0.1
vCloud Networking and Security prior to 5.5.2.1
vCloud Networking and Security prior to 5.1.4.1
vSphere PowerCLI 5.x
vCSA prior to 5.5u1b
vCSA prior to 5.1u2a
vCSA prior to 5.0u3a
OVF Tool prior to 5.3.2
Update Manager prior to 5.5u1b
VDDK prior to 5.5.2
VDDK prior to 5.1.3
VDDK prior to 5.0.4
NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
NVP 3.0.x prior to 3.2.3
NSX 6.0.x for vSphere prior to 6.0.5
vFabric Web Server 5.x
Pivotal Web Server prior to 5.4.1
vCenter Site Recovery Manager prior to 5.5.1.1
vCenter Site Recovery Manager prior to 5.1.2.1
vCenter Site Recovery Manager prior to 5.0.3.2
vSphere Replication prior to 5.8
vSphere Replication prior to 5.5.1.1
vSphere SDK for Perl prior to 5.5 Update 2
vSphere Data Protection prior to 5.5.7
3. Problem Description
a. OpenSSL update for multiple products.
OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224.
CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration.
CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products.
CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients.
CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios.
MITIGATIONS
- Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below).
- Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below).
- Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers.
VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required.
Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.
Table 1
Affected servers running a vulnerable version of OpenSSL 1.0.1.
VMware Product
Product Version
Running on
Replace with / Apply Patch
Table 2
Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network.
VMware Product
Product Version
Running on
Replace with / Apply Patch
Store
Table 3
The following table lists all affected clients
running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
over a trusted or isolated network.
VMware Product
Product Version
Running on
Replace with / Apply Patch
4. Solution
Big Data Extensions 2.0.0
Downloads and Documentation:
https://www.vmware.com/go/download-bde
ESXi 5.5, 5.1 and 5.0
Download:
https://www.vmware.com/patchmgr/findPatch.portal
Horizon View Clients
Downloads and Documentation:
https://www.vmware.com/go/viewclients
vCD 5.5.1.2
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vCenter Server 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCenter Operations Manager for View 1.6
Downloads and Documentation:
https://www.vmware.com/go/download-vcops-view
vCSA 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
Update Manager 5.5u1b
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
VDDK 5.x
Downloads and Documentation:
https://www.vmware.com/support/developer/vddk
vCenter Configuration Manager (VCM) 5
Downloads and Documentation:
https://www.vmware.com/go/download_vcm
vCenter Operations Manager 5.8 and 5.7.3
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere-ops-mgr
OVF Tool 3.5.2
Download:
https://www.vmware.com/support/developer/ovf/
vCenter Converter Standalone 5.5.2
Downloads and Documentation:
https://www.vmware.com/go/download-converter
Usage Manager 3.3
Downloads and Documentation:
https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter
Horizon View 5
Downloads and Documentation:
https://www.vmware.com/go/downloadview
Horizon View 5.3 Feature Pack 3
Downloads and Documentation:
https://www.vmware.com/go/downloadview
Horizon Workspace Server 1.5 and 1.8.x
Release Notes and download:
http://kb.vmware.com/kb/2082181
Workstation
https://www.vmware.com/go/downloadworkstation
Fusion
https://www.vmware.com/go/downloadfusion
VMware Player
https://www.vmware.com/go/downloadplayer
vCenter Server 5.1 Update 2a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1
vCenter Server 5.0 Update 3a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0
vCloud Networking and Security 5.5.2.1
Download
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255
vCloud Networking and Security 5.1.4.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131
NSX for Multi-Hypervisor, NSX for vSphere and NVP
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx
vCD 5.5.1.2 and vCD 5.1.3.1
Download link:
https://www.vmware.com/go/download-vcd-ns
VMware vCenter Chargeback Manager
Download link:
https://www.vmware.com/go/download-chargeback
Converter Standalone 5.1.1
Download link:
https://www.vmware.com/go/download-converter
vCenter Support Assistant
Downloads:
https://www.vmware.com/go/download-vsphere
Pivotal Web Server 5.4.1
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214
vCloud Automation Center
Downloads:
https://www.vmware.com/go/download-vcac
vCenter Site Recovery Manager 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081861
vSphere Replication 5.8
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId=353
vSphere Replication 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2082666
vCenter Site Recovery Manager 5.1.2.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081860
vCenter Site Recovery Manager 5.0.3.2
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081859
ITBM Standard 1.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&productId=384&rPId=6384
Release Notes:
https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-notes.html
vSphere SDK for Perl 5.5 Update 2
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&rPId=6436
Release Notes:
https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-58-release-notes.html
vSphere Data Protection 5.5.7
Download:
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGroup=VDP55_7
Release Notes:
https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
https://www.openssl.org/news/secadv_20140605.txt
http://www.gopivotal.com/security/cve-2014-0224
VMware Knowledge Base Article 2082132
http://kb.vmware.com/kb/2082132
6. Change Log
2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10
2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12
2014-06-17 VMSA-2014-0006.2
Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17
2014-06-24 VMSA-2014-0006.3
Updated security advisory in conjunction with the release ofHorizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24
2014-07-01 VMSA-2014-0006.4
Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01
2014-07-03 VMSA-2014-0006.5
Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1 on 2014-07-03
2014-07-08 VMSA-2014-0006.6
Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08
2014-07-10 VMSA-2014-0006.7
Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10
2014-07-18 VMSA-2014-0006.8
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17
2014-07-22 VMSA-2014-0006.9
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22
2014-09-09 VMSA-2014-0006.10
Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above as it is not affected by this issue.
2014-10-09 VMSA-2014-0006.11
Updated security advisory in conjunction with the release of vSphere Data Protection 5.5.7 on 2014-10-09
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.