VMSA-2014-0006.11

VMware product updates address OpenSSL security vulnerabilities

VMware Security Advisory

Advisory ID:  VMSA-2014-0006.11
Synopsis:     VMware product updates address OpenSSL security vulnerabilities
Issue date:   2014-06-10
Updated on:   2014-10-09
CVE numbers:  CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470

1. Summary

VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

Big Data Extensions prior to 2.0.0

ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
ESXi 5.0 without patch ESXi500-201407401-SG

Workstation 10.x prior to 10.0.3
Workstation 9.x prior to 9.0.4

Player 6.x prior to 6.0.3
Player 5.x prior to 5.0.4

Fusion 6.x prior to 6.0.4
Fusion 5.x prior to 5.0.5

Horizon Mirage Edge Gateway prior to 4.4.3

Horizon View prior to 5.3.2
Horizon View 5.3 Feature Pack X prior to Feature Pack 3

Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm

Horizon View Clients prior to 3.0

vCD 5.5.x prior to 5.5.1.2
vCD 5.1.x prior to 5.1.3.1

vCenter prior to 5.5u1b
vCenter prior to 5.1u2a
vCenter prior to 5.0u3a

vCenter Support Assistant prior to 5.5.1.1

vCloud Automation Center prior to 6.0.1.2

vCenter Configuration Manager prior to 5.7.2

vCenter Converter Standalone prior to 5.5.2
Converter Standalone prior to 5.1.1

Usage Manager prior to 3.3

ITBM Standard prior to 1.1

vCenter Operations Manager prior to 5.8.2
vCenter Operations Manager prior to 5.7.3

vCenter Chargeback Manager 2.6 prior to 2.6.0.1

vCloud Networking and Security prior to 5.5.2.1
vCloud Networking and Security prior to 5.1.4.1

vSphere PowerCLI 5.x

vCSA prior to 5.5u1b
vCSA prior to 5.1u2a
vCSA prior to 5.0u3a

OVF Tool prior to 5.3.2

Update Manager prior to 5.5u1b

VDDK prior to 5.5.2
VDDK prior to 5.1.3
VDDK prior to 5.0.4

NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
NVP 3.0.x prior to 3.2.3
NSX 6.0.x for vSphere prior to 6.0.5

vFabric Web Server 5.x

Pivotal Web Server prior to 5.4.1

vCenter Site Recovery Manager prior to 5.5.1.1
vCenter Site Recovery Manager prior to 5.1.2.1
vCenter Site Recovery Manager prior to 5.0.3.2

vSphere Replication prior to 5.8
vSphere Replication prior to 5.5.1.1

vSphere SDK for Perl prior to 5.5 Update 2

vSphere Data Protection prior to 5.5.7

3. Problem Description

a. OpenSSL update for multiple products.

OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224.

CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated by the application configuration.

CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products.

CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server mitigates this issue for both the server and all affected clients.

CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and on which version of OpenSSL the product is using. For readability the affected products have been split into three tables below, based on the different client-server configurations and deployment scenarios.

MITIGATIONS

  • Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (see Table 1 below).
  • Clients that communicate over untrusted networks such as public Wi-Fi with a server running a vulnerable version of OpenSSL 1.0.1 can be mitigated by using a secure network such as a VPN (see Table 2 below).
  • Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network.
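As an added example (not part of the advisory), the following Python applies the client/server rule above to an inventory of OpenSSL version strings: each build is classified against the fixed releases the advisory names, 0.9.8za and 1.0.1h, and a link is flagged only when the server runs a vulnerable 1.0.1 and the client a vulnerable 0.9.8 or 1.0.1. The inventory lines are constructed; treating branches the advisory does not name as unknown rather than safe, and the "patch server"/"patch client" labels, are my assumptions.

```python
# Added triage helper for the CVE-2014-0224 client/server rule in VMSA-2014-0006.
# Assumption (mine, not the advisory's): only the branches the advisory names,
# 0.9.8 and 1.0.1, are classified; any other branch is reported as None (unknown).
import re
from typing import List, Optional, Tuple

FIXED_LETTERS = {"0.9.8": "za", "1.0.1": "h"}   # fixed releases named in the advisory
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)$")


def parse_openssl_version(text: str) -> Tuple[str, str]:
    """Split '1.0.1g' or 'OpenSSL 1.0.1g 7 Apr 2014' into ('1.0.1', 'g')."""
    tokens = text.split()
    if tokens and tokens[0] == "OpenSSL":       # output of `openssl version`
        tokens = tokens[1:]
    match = _VERSION_RE.match(tokens[0]) if tokens else None
    if match is None:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return match.group(1), match.group(2)

def _letter_key(letters: str) -> Tuple[int, str]:
    # Suffixes run a..z, then za, zb, ...: a longer suffix is always newer.
    return (len(letters), letters)

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates its branch's fix; None if the branch is not covered."""
    branch, letters = parse_openssl_version(version)
    fixed = FIXED_LETTERS.get(branch)
    if fixed is None:
        return None
    return _letter_key(letters) < _letter_key(fixed)

def session_exposed(server_version: str, client_version: str) -> bool:
    """Advisory rule: a vulnerable 1.0.1 server AND a vulnerable 0.9.8/1.0.1 client."""
    server_branch, _ = parse_openssl_version(server_version)
    if server_branch != "1.0.1" or not is_vulnerable(server_version):
        return False                            # patched server covers every client
    return is_vulnerable(client_version) is True

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (link, server, client) to (link, action): 'patch server' when the link is
    exposed, 'patch client' when only the client is outdated, otherwise 'ok'."""
    actions = []
    for link, server, client in inventory:
        if session_exposed(server, client):
            actions.append((link, "patch server"))
        elif is_vulnerable(client):
            actions.append((link, "patch client"))
        else:
            actions.append((link, "ok"))
    return actions


# Constructed sample inventory: (link, server OpenSSL, client OpenSSL).
SAMPLE_INVENTORY = [
    ("vsphere-client -> vcenter", "OpenSSL 1.0.1g 7 Apr 2014", "0.9.8y"),
    ("view-client -> view-server", "1.0.1h", "1.0.1g"),
    ("esxi-mgmt -> vcsa", "0.9.8za", "1.0.1g"),
    ("ovftool -> vcenter", "1.0.1h", "0.9.8za"),
]

if __name__ == "__main__":
    for link, action in triage(SAMPLE_INVENTORY):
        print(f"{link:28} {action}")
```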


RECOMMENDATIONS

VMware recommends customers evaluate and deploy patches for the affected servers in Table 1 below as these patches become available. Patching these servers removes the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers.

VMware recommends customers consider applying patches to products listed in Tables 2 and 3 as required.

Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.

 

Table 1

Affected servers running a vulnerable version of OpenSSL 1.0.1.

VMware Product                        Product   Running        Replace with /
                                      Version   on             Apply Patch
====================================  ========  =============  ==============================
ESXi                                  5.5       ESXi           ESXi550-201406401-SG
Big Data Extensions                   1.1                      2.0.0
vCenter Chargeback Manager            2.6                      2.6.0.1
Horizon Workspace Server              1.5.x                    horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server              1.8.x                    horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
Horizon Mirage Edge Gateway           4.4.x                    4.4.3
Horizon View                          5.x                      5.3.2
Horizon View Feature Pack             5.x                      5.3 Feature Pack 3
NSX for Multi-Hypervisor              4.1.2                    4.1.3
NSX for Multi-Hypervisor              4.0.3                    4.0.4
NSX for vSphere                       6.0.4                    6.0.5
NVP                                   3.2.2                    3.2.3
vCloud Networking and Security        5.5.2                    5.5.2.1
vCloud Networking and Security        5.1.4                    5.1.4.1
Pivotal Web Server                    5.4                      5.4.1
vFabric Web Server                    5.3.4                    Pivotal Web Server 5.4.1

Table 2

Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network.

VMware Product                        Product   Running        Replace with /
                                      Version   on             Apply Patch
====================================  ========  =============  ==============================
vCSA                                  5.5                      5.5u1b
vCSA                                  5.1                      5.1u2a
vCSA                                  5.0                      5.0u3a
ESXi                                  5.1       ESXi           ESXi510-201406401-SG
ESXi                                  5.0       ESXi           ESXi500-201407401-SG
Workstation                           10.x      any            10.0.3
Workstation                           9.x       any            9.0.4
Fusion                                6.x       OSX            6.0.4
Fusion                                5.x       OSX            5.0.5
Player                                6.x       any            6.0.3
Player                                5.x       any            5.0.4
vCenter Chargeback Manager            2.5.x                    2.6.0.1
Horizon Workspace Client              1.x       OSX            1.8.2
Horizon Workspace Client              1.x       Windows        1.8.2
Horizon View Client                   2.x       Android        3.0
Horizon View Client                   2.x       iOS            3.0
Horizon View Client                   2.x       OSX            3.0
Horizon View Client                   2.x       Windows        3.0
Horizon View Client                   2.x       Windows Store  3.0
OVF Tool                              3.5.1                    3.5.2
OVF Tool                              3.0.1                    3.5.2
vCenter Operations Manager            5.8.x                    5.8.2
vCenter Operations Manager            5.7.x                    5.7.3
vCenter Support Assistant             5.5.1                    5.5.1.1
vCD                                   5.5.1.x                  5.5.1.2
vCD                                   5.1.x                    5.1.3.1
vCenter Site Recovery Manager         5.5.x                    5.5.1.1
vCenter Site Recovery Manager         5.1.x                    5.1.2.1
vCenter Site Recovery Manager         5.0.3.x                  5.0.3.2
vSphere Client                        5.5       Windows        5.5u1b
vSphere Client                        5.1       Windows        5.1u2a
vSphere Client                        5.0       Windows        5.0u3a

Table 3

The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network.

VMware Product                        Product   Running        Replace with /
                                      Version   on             Apply Patch
====================================  ========  =============  ==============================
vCenter Server                        5.5       any            5.5u1b
vCenter Server                        5.1       any            5.1u2a
vCenter Server                        5.0       any            5.0u3a
Update Manager                        5.5       Windows        5.5u1b
vCenter Configuration Manager (VCM)   5.6                      5.7.2
ITBM Standard                         1.0.1                    1.1
ITBM Standard                         1.0                      1.1
Studio                                2.6.0.0                  patch pending
Usage Meter                           3.3                      3.3.1
vCenter Converter Standalone          5.5                      5.5.2
vCenter Converter Standalone          5.1                      5.1.1
vCloud Automation Center              6.0.x                    6.0.1.2
VIX API                               1.12                     patch pending
vMA (Management Assistant)            5.5.0.1                  patch pending
vSphere Data Protection               5.5.6                    5.5.7
vSphere Data Protection               5.1.11                   patch pending
vSphere Replication                   5.5.1                    5.5.1.1
vSphere Replication                   5.6                      5.8
vSphere SDK for Perl                  5.5                      5.5 Update 2
VDDK                                  5.5.x                    5.5.2
VDDK                                  5.1.x                    5.1.3
VDDK                                  5.0.x                    5.0.4

4. Solution

Big Data Extensions 2.0.0
Downloads and Documentation:
https://www.vmware.com/go/download-bde

ESXi 5.5, 5.1 and 5.0
Download:
https://www.vmware.com/patchmgr/findPatch.portal

Horizon Mirage Edge Gateway 4.4.3

Downloads and Documentation:
https://www.vmware.com/go/download-horizon-mirage

Horizon View Clients
Downloads and Documentation:
https://www.vmware.com/go/viewclients

vCD 5.5.1.2
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director

vCenter Server 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vCenter Operations Manager for View 1.6
Downloads and Documentation:
https://www.vmware.com/go/download-vcops-view

vCSA 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

Update Manager 5.5u1b
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

VDDK 5.x
Downloads and Documentation:
https://www.vmware.com/support/developer/vddk

vCenter Configuration Manager (VCM) 5
Downloads and Documentation:
https://www.vmware.com/go/download_vcm

vCenter Operations Manager 5.8 and 5.7.3
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere-ops-mgr

OVF Tool 3.5.2
Download:
https://www.vmware.com/support/developer/ovf/

vCenter Converter Standalone 5.5.2
Downloads and Documentation:
https://www.vmware.com/go/download-converter

Usage Manager 3.3
Downloads and Documentation:
https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter

Horizon View 5
Downloads and Documentation:
https://www.vmware.com/go/downloadview

Horizon View 5.3 Feature Pack 3
Downloads and Documentation:
https://www.vmware.com/go/downloadview

Horizon Workspace Server 1.5 and 1.8.x
Release Notes and download:
http://kb.vmware.com/kb/2082181

Workstation
https://www.vmware.com/go/downloadworkstation

Fusion
https://www.vmware.com/go/downloadfusion

VMware Player
https://www.vmware.com/go/downloadplayer

vCenter Server 5.1 Update 2a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

vCenter Server 5.0 Update 3a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

vCloud Networking and Security 5.5.2.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

vCloud Networking and Security 5.1.4.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

NSX for Multi-Hypervisor, NSX for vSphere and NVP
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx

vCD 5.5.1.2 and vCD 5.1.3.1
Download link:
https://www.vmware.com/go/download-vcd-ns

VMware vCenter Chargeback Manager
Download link:
https://www.vmware.com/go/download-chargeback

Converter Standalone 5.1.1
Download link:
https://www.vmware.com/go/download-converter

vCenter Support Assistant
Downloads:
https://www.vmware.com/go/download-vsphere

Pivotal Web Server 5.4.1
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

vCloud Automation Center
Downloads:
https://www.vmware.com/go/download-vcac

vCenter Site Recovery Manager 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081861

vSphere Replication 5.8
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId=353

vSphere Replication 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2082666

vCenter Site Recovery Manager 5.1.2.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081860

vCenter Site Recovery Manager 5.0.3.2
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081859

ITBM Standard 1.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&productId=384&rPId=6384

Release Notes:
https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-notes.html

vSphere SDK for Perl 5.5 Update 2
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&rPId=6436

Release Notes:
https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-58-release-notes.html

vSphere Data Protection 5.5.7
Download:
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGroup=VDP55_7

Release Notes:
https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html

6. Change Log

2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10

2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12

2014-06-17 VMSA-2014-0006.2
Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

2014-06-24 VMSA-2014-0006.3
Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2 and OVF Tool 5.3.2 on 2014-06-24

2014-07-01 VMSA-2014-0006.4
Updated security advisory in conjunction with the release of ESXi 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 Update 2a and 5.0 Update 3a, vCSA 5.1 Update 2a and 5.0 Update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01

2014-07-03 VMSA-2014-0006.5
Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1 on 2014-07-03

2014-07-08 VMSA-2014-0006.6
Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08

2014-07-10 VMSA-2014-0006.7
Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10

2014-07-18 VMSA-2014-0006.8
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17

2014-07-22 VMSA-2014-0006.9
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22

2014-09-09 VMSA-2014-0006.10
Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above as it is not affected by this issue.

2014-10-09 VMSA-2014-0006.11
Updated security advisory in conjunction with the release of vSphere Data Protection 5.5.7 on 2014-10-09

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • fulldisclosure at seclists.org


E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
 
Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc. All rights reserved.