VMSA-2014-0004.7

VMware product updates address OpenSSL security vulnerabilities

VMware Security Advisory
Advisory ID: VMSA-2014-0004.7
Synopsis: VMware product updates address OpenSSL security vulnerabilities
Issue date: 2014-04-14
Updated on: 2014-04-22
CVE numbers: CVE-2014-0076 and CVE-2014-0160
1. Summary

VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

VMware vCenter Server 5.5
VMware vCenter Server 5.5 Update 1

ESXi 5.5 without patch ESXi550-201404020
ESXi 5.5 Update 1 without patch ESXi550-201404001

VMware Workstation 10.x prior to version 10.0.2

VMware Fusion 6.x prior to version 6.0.3

VMware Player 6.x prior to version 6.0.2

NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
NSX 6.0.x for vSphere prior to 6.0.4
NVP 3.x prior to 3.2.2

Horizon Mirage Edge Gateway 4.4.x prior to 4.4.2

Horizon View 5.3 Feature Pack 1
Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and IOS
Horizon View Client 2.3.x for Windows

Horizon Workspace Server 1.0
Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
Horizon Workspace Server 1.8.x prior to 1.8.1

Horizon Workspace Client 1.5.x
Horizon Workspace Client 1.8 prior to 1.8.1

OVF Tool prior to 3.5.1

VMware vCloud Networking and Security (vCNS) 5.5.1
VMware vCloud Networking and Security (vCNS) 5.1.3

vCloud Automation Center (vCAC) 6.x
 
vSphere Big Data Extensions 1.x

Client Integration Plug-In 5.5

vCloud Director 5.5

3. Problem Description

a. Information Disclosure vulnerability in OpenSSL third party library

The OpenSSL library is updated to version openssl-1.0.1g to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.

CVE-2014-0160 is known as the Heartbleed issue. More information on this issue may be found in the reference section.

To remediate the issue for products that have updated versions or patches available, perform these steps:

  • Deploy the VMware product update or product patches
  • Replace certificates per the product-specific documentation
  • Reset passwords per the product-specific documentation


Section 4 lists product-specific references to installation instructions and certificate management documentation.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Note: Products that are not affected by these issues have been documented in VMware Knowledge Base article 2076225.

VMware                           Product   Running        Replace with /
Product                          Version   on             Apply Patch
===============================  ========  =============  ==================
vCenter Server                   5.5       any            5.5.0c
vCenter Server                   5.5 U1    any            5.5 Update 1a
ESXi                             5.5       ESXi           ESXi550-201404420
ESXi                             5.5 U1    ESXi           ESXi550-201404401
Workstation                      10.x      any            10.0.2 or later
Fusion                           6.x       OSX            6.0.3 or later
Player                           6.x       any            6.0.2 or later
NSX for Multi-Hypervisor         4.0.x                    4.0.2 or later
NSX for Multi-Hypervisor         4.1.x                    4.1.1 or later
NSX for vSphere                  6.0.x                    6.0.4 or later
NVP                              3.x                      3.2.2 or later
Horizon Mirage Edge Gateway      4.4.x                    4.4.2 or later
Horizon View Feature Pack*       5.3 FP 1                 Feature Pack 2 or later
Horizon View Client              2.1.x     Android        2.3.3 or later
Horizon View Client              2.2.x     Android        2.3.3 or later
Horizon View Client              2.3.x     Android        2.3.3 or later
Horizon View Client              2.1.x     IOS            2.3.3 or later
Horizon View Client              2.2.x     IOS            2.3.3 or later
Horizon View Client              2.3.x     IOS            2.3.3 or later
Horizon View Client              2.3.x     Windows        2.3.3 or later
Horizon Workspace Server         1.0                      Horizon Workspace Server 1.5 and apply patch
                                                          horizon-nginx-rpm-1.5.0.0-1736237.x86_64
Horizon Workspace Server         1.5.x                    horizon-nginx-rpm-1.5.0.0-1736237.x86_64
Horizon Workspace Server         1.8                      1.8.1 or later **
                                                          see important note below
Horizon Workspace Client         1.5.1     OSX            1.8.1 or later
Horizon Workspace Client         1.5.2     OSX            1.8.1 or later
Horizon Workspace Client         1.5.1     Windows        1.8.1 or later
Horizon Workspace Client         1.5.2     Windows        1.8.1 or later
Horizon Workspace for Macintosh  1.8       OSX            1.8.1 or later
Horizon Workspace for Windows    1.8       Windows        1.8.1 or later
OVF Tool                         3.5.0                    3.5.1
vCloud Networking and Security   5.5.1                    vCNS 5.5.2
vCloud Networking and Security   5.1.3                    vCNS 5.1.4
vCloud Automation Center (vCAC)  6.x                      6.0.1 + patch
vSphere Big Data Extensions      1.x                      1.1 Update
Client Integration Plug-In ***   5.5       Windows/Linux  CIP used with vSphere: vSphere 5.5.0c or vSphere 5.5 Update 1a.
                                                          CIP used with vCloud Director: vCD 5.5.1.1
                                                          CIP used with vCHS: see reference in section 4

 Note:

*   VMware Horizon View 5.3 Feature Pack 1: Only the HTML Access component in the Remote Experience Agent is affected

**  Administrators that have updated to Horizon Workspace Server 1.8.1 between 4/14/14 and 4/19/14 will need to update to the latest version listed in the table
 
*** The Client Integration Plug-In installs the OVF Tool and is used with vCD, vCHS, and vSphere for browser OVF file upload

4. Solution

Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
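
One way to script the checksum verification, shown as an added example that is not part of the original advisory. The file names and SHA-1 values are the ones published later in this section; the function names and the download directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare downloads against the SHA-1 values published in this advisory.

# Print the SHA-1 hex digest of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA1
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or unreadable.
verify_download() {
    file=$1
    # Normalise the published value: lowercase, no stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -r "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    actual=$(sha1_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (expected $expected, got $actual)" >&2
    return 1
}

# check_advisory_downloads [DIR]
# Checks every file for which this advisory publishes a SHA-1 value.
# Returns 1 if any file is missing or does not match.
check_advisory_downloads() {
    dir=${1:-.}
    rc=0
    while read -r sha name; do
        [ -n "$sha" ] || continue
        verify_download "$dir/$name" "$sha" || rc=1
    done <<'EOF'
a37654ac31a1a305160d4bcf5081d2f3d7ea1c20 VMware.Horizon.Mirage.442.41428.zip
fa456e042698a2cb19077fbd2199d948532af0c8 horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
EOF
    return $rc
}
```

Run `check_advisory_downloads /path/to/downloads` before installing; a missing or mismatched file makes the function return non-zero.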

vCenter Server 5.5.0c /  vCenter Server 5.5 Update 1a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076692

ESXi 5.5 / ESXi 5.5 Update 1
Download:
https://www.vmware.com/patchmgr/download.portal

Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076665

Workstation 10.x
https://www.vmware.com/go/downloadworkstation

Fusion 6.x
https://www.vmware.com/go/downloadfusion

VMware Player 6.x
https://www.vmware.com/go/downloadplayer

NSX for Multi-Hypervisor, NSX for vSphere and NVP
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx

Horizon Mirage Edge Gateway 4.4.2
File: VMware.Horizon.Mirage.442.41428.zip
md5sum: 3202f5c41a99422ad66355410c45e09e
sha1sum: a37654ac31a1a305160d4bcf5081d2f3d7ea1c20

Release Notes, Remediation Instructions and Download:
https://my.vmware.com/group/vmware/details?downloadGroup=MIRAGE-442&productId=322&rPId=5435

Horizon View 5.3 Feature Pack 2
Remediation Instructions and Download:
http://kb.vmware.com/kb/2076796

Release Notes:
https://www.vmware.com/support/view53/doc/horizon-view-53-feature-pack-2-release-notes.html
 
Horizon View Client 2.3.3 for Android, IOS and Windows
Release Notes, Remediation Instructions and Download:
http://kb.vmware.com/kb/2076796

Horizon Workspace Server 1.5
File: horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
md5sum: bc4cc609f926701cac2b199f895ab16d
sha1sum: fa456e042698a2cb19077fbd2199d948532af0c8

Release Notes and Download:
http://kb.vmware.com/kb/2076551

Horizon Workspace Server 1.8.1
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=HZNWS181

Release Notes:
https://www.vmware.com/support/horizon_workspace/doc/hw_release_notes_181.html

Horizon Workspace Client 1.8.1

Download:
https://my.vmware.com/web/vmware/details?productId=323&downloadGroup=HZNWS180
 
Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2076783

OVF Tool 3.5.1
Download:
https://www.vmware.com/support/developer/ovf/

vCloud Networking and Security 5.5.2
Download
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

Release Notes and Remediation Instructions
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_552.html

Best practices for upgrading to VMware vCloud Networking and Security 5.5.2
http://kb.vmware.com/kb/2076534

vCloud Networking and Security 5.1.4
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

Release Notes and Remediation Instructions:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_514.html

Best practices for upgrading to VMware vCloud Networking and Security 5.1.4
http://kb.vmware.com/kb/2076531

vCloud Automation Center (vCAC) 6.0.1
Release Notes, Remediation Instructions and Download:
http://kb.vmware.com/kb/2076869

Big Data Extensions 1.1 Update
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=BDE_110_GA&productId=353&rPId=5257

Remediation Instructions:
http://kb.vmware.com/kb/2076855

Client Integration Plug-In (CIP)
For vSphere 5.5: See vCenter Server 5.5.0c / vCenter Server 5.5
Update 1a in this section.

For vCD 5.5: vCD 5.5.1.1
Release Notes and Remediation Instructions
http://kb.vmware.com/kb/2076891

For vCHS: See http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html

6. Change Log

2014-04-14 VMSA-2014-0004
Initial security advisory in conjunction with the release of Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14

2014-04-15 VMSA-2014-0004.1
Updated security advisory in conjunction with the release of Horizon Mirage Edge Gateway 4.4.2 patch on 2014-04-15

2014-04-16 VMSA-2014-0004.2
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16

2014-04-17 VMSA-2014-0004.3
Updated security advisory in conjunction with the release of Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace Client 1.8.1 on 2014-04-17

2014-04-18 VMSA-2014-0004.4
Updated security advisory in conjunction with the release of NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients 2.3.3 on 2014-04-18

2014-04-19 VMSA-2014-0004.5
Updated security advisory in conjunction with the release of vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1, NSX 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5 on 2014-04-19

2014-04-20 VMSA-2014-0004.6
Updated security advisory in conjunction with the release of vCloud Director 5.5.1.1 on 2014-04-20

2014-04-22 VMSA-2014-0004.7
Updated security advisory wording and clarified vCNS version numbering after customer feedback on 2014-04-22

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc.  All rights reserved.