OpenSSL heartbleed bug – VMware products

Most probably you are aware of the recent Heartbleed finding in OpenSSL. The bug was independently discovered by security firm Codenomicon and a Google Security engineer. Heartbleed.com has a detailed explanation of the issue, which is related to the “heartbeat” section of OpenSSL’s transport layer security (TLS) protocols and has been in the wild since March 2012. If you’re running a server with OpenSSL 1.0.1 through 1.0.1f, it’s vital that you update to OpenSSL 1.0.1g immediately. Within the next few days you should expect a massive flow of vendor KB articles listing the products which are affected and unaffected by the OpenSSL bug.
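To triage a set of hosts against the version range given above, the following added example (not part of the original post or of any VMware tooling) classifies collected `openssl version` output. The host names and the sample inventory are constructed, and the status labels are hypothetical names chosen for this sketch.

```python
import re

# Range as stated in the post: OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter) from `openssl version` output, or None."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4)


def classify(banner):
    """'affected-range', 'outside-range', or 'unparsed' (needs a manual look)."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unparsed"
    base, letter = parsed
    # Plain "1.0.1" has an empty letter, which sorts before "a" and is in range.
    if base == AFFECTED_BASE and letter <= LAST_AFFECTED_LETTER:
        return "affected-range"
    return "outside-range"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: hypothetical hosts, banners as `openssl version` prints them.
SAMPLE_INVENTORY = {
    "esx-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "esx-b": "OpenSSL 0.9.8y 5 Feb 2013",
    "web-1": "OpenSSL 1.0.1 14 Mar 2012",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-3": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "lb-1": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:6} {status}")
```

A host in the affected range should then be checked against its vendor's advisory, because some vendors backport the fix without changing the version letter.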

VMware has already released KB 2076225 with a list of systems which are affected by this bug. Long story short: if you have old releases of VMware systems, most probably you are not affected. Below you can find a short list of the VMware products named in the KB; to see the full list of affected VMware products, check the KB article mentioned above.

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected:

  • ESXi 5.5
  • vCenter Server 5.5
  • VMware Fusion 6.0.x
  • VMware vCloud Automation Center (vCAC) 5.1.x
  • VMware vCloud Automation Center (vCAC) 5.2.x
  • VMware Horizon Mirage 4.4.0
  • vFabric Web Server 5.0.x – 5.3.x (For remediation details, see the Security Advisory on Critical Updates to vFabric Web Server document.)
  • VMware vCloud Networking and Security (vCNS) 5.1.3
  • VMware vCloud Networking and Security (vCNS) 5.5.1

These VMware products that ship with OpenSSL 0.9.8 have been confirmed to be unaffected:

  • ESXi/ESX 4.x
  • ESXi 5.0
  • ESXi 5.1
  • VMware Fusion 5.x
  • VMware vCenter Server 4.x
  • VMware vCenter Server 5.0
  • VMware vCenter Server 5.1
  • VMware vCenter Server Appliance (vCSA) 5.x
  • VMware vCloud Automation Center (vCAC) 6.x

Resolving Heartbleed issue in ESXi 5.5

VMware released the first batch of patches for their products related to the Heartbleed bug discovered in the OpenSSL library; see details below.

Resolving OpenSSL Heartbleed for ESXi 5.5 – CVE-2014-0160 (2076665).

Resolving Heartbleed issue in vCenter 5.5

VMware just released a patch to solve the Heartbleed issue in vCenter 5.5; more info in KB 2076692.

Artur Krzywdzinski

Artur is a Consulting Architect at Nutanix. He has been using, designing and deploying VMware-based solutions since 2005 and Microsoft since 2012. He specializes in designing and implementing private and hybrid cloud solutions based on VMware and Microsoft software stacks, datacenter migrations and transformation, and disaster avoidance. Artur holds the VMware Certified Design Expert certification (VCDX #077).