Sign up for Security
Advisories

Enter your email address:


VMSA-2014-0006.11

VMware product updates address OpenSSL security vulnerabilities

VMware Security Advisory
Advisory ID: VMSA-2014-0006.11
Synopsis: VMware product updates address OpenSSL security vulnerabilities
Issue date: 2014-06-10
Updated on: 2014-10-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
1. Summary

VMware product updates address OpenSSL security vulnerabilities.
2. Relevant Releases

Big Data Extensions prior to 2.0.0

ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
ESXi 5.0 without patch ESXi500-201407401-SG

Workstation 10.x prior to 10.0.3
Workstation 9.x prior to 9.0.4

Player 6.x prior to 6.0.3
Player 5.x prior to 5.0.4

Fusion 6.x prior to 6.0.4
Fusion 5.x prior to 5.0.5

Horizon Mirage Edge Gateway prior to 4.4.3

Horizon View prior to 5.3.2
Horizon View 5.3 Feature Pack X prior to Feature Pack 3

Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm

Horizon View Clients prior to 3.0

vCD 5.5.x prior to 5.5.1.2
vCD 5.1.x prior to 5.1.3.1

vCenter prior to 5.5u1b
vCenter prior to 5.1 U2a
vCenter prior to 5.0U3a

vCenter Support Assistant prior to 5.5.1.1

vCloud Automation Center prior to 6.0.1.2

vCenter Configuration Manager prior to 5.7.2

vCenter Converter Standalone prior to 5.5.2
Converter Standalone prior to 5.1.1

Usage Manager prior to 3.3

ITBM Standard  prior to 1.1

vCenter Operations Manager prior to 5.8.2
vCenter Operations Manager prior to 5.7.3

vCenter Chargeback Manager 2.6 prior to 2.6.0.1

vCloud Networking and Security prior to 5.5.2.1
vCloud Networking and Security prior to 5.1.4.1

vSphere PowerCLI 5.x

vCSA prior to 5.5u1b
vCSA prior to 5.1u2a
vCSA prior to 5.0u3a

OVF Tool prior to 5.3.2

Update Manager prior to 5.5u1b

VDDK prior to 5.5.2
VDDK prior to 5.1.3
VDDK prior to 5.0.4

NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
NVP 3.0.x prior to 3.2.3
NSX 6.0.x for vSphere prior to 6.0.5

vFabric Web Server 5.x       
Pivotal Web Server prior to 5.4.1

vCenter Site Recovery Manager prior to 5.5.1.1
vCenter Site Recovery Manager  prior to 5.1.2.1
vCenter Site Recovery Manager  prior to 5.0.3.2

vSphere Replication prior to 5.8
vSphere Replication prior to 5.5.1.1

vSphere SDK for Perl prior to 5.5 Update 2

vSphere Data Protection prior to 5.5.7

3. Problem Description
a. OpenSSL update for multiple products.

OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298,  CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues.  The most important of these issues is CVE-2014-0224.

CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration.

CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products.

CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients.

CVE-2014-0224 may affect products differently depending on whether  the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios.

MITIGATIONS

  • Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below).
  • Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below).     
  • Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network.


RECOMMENDATIONS

VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers.

VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required.

Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.

Table 1

Affected servers running a vulnerable version of OpenSSL 1.0.1.

VMware Product Running Replace with / 
Product Version on Apply Patch
==========
=====
=====
==================
ESXi 5.5 ESXi ESXi550-201406401-SG
Big Data Extensions 1.1 2.0.0
vCenter Charge Back Manager 2.6 2.6.0.1

Horizon Workspace Server

1.5.x horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server 1.8.x horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm

Horizon Mirage Edge Gateway

4.4.x 4.4.3
Horizon View 5.x 5.3.2
Horizon View Feature Pack 5.x 5.3 Feature Pack 3
NSX for Multi-Hypervisor 4.1.2

4.1.3

NSX for Multi-Hypervisor 4.0.3 4.0.4
NSX for vSphere 6.0.4 6.0.5
NVP 3.2.2 3.2.3
vCloud Networking and Security 5.5.2 5.5.2.1
vCloud Networking and Security 5.1.4 5.1.4.1
Pivotal Web Server 5.4 5.4.1
vFabric Web Server 5.3.4 Pivotal Web Server 5.4.1

Table 2

Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network.

VMware Product Running Replace with / 
Product Version on Apply Patch
==========
=====
=====
==================
vCSA 5.5 5.5u1b
vCSA 5.1 5.1u2a
vCSA 5.0 5.0u3a
ESXi 5.1 ESXi ESXi510-201406401-SG
ESXi 5.0 ESXi ESXi500-201407401-SG
Workstation

10.x

any 10.0.3
Workstation 9.x any 9.0.4
Fusion 6.x OSX 6.0.4
Fusion 5.x OSX 5.0.5
Player 6.x any 6.0.3
Player 5.x any 5.0.4
vCenter Chargeback Manager 2.5.x 2.6.0.1
Horizon Workspace Client 1.x OSX 1.8.2
Horizon Workspace Client 1.x Windows 1.8.2
Horizon View Client 2.x Android 3.0
Horizon View Client 2.x IOS 3.0
Horizon View Client 2.x OSX 3.0
Horizon View Client 2.x Windows 3.0
Horizon View Client 2.x Windows
Store 
3.0
OVF Tool 3.5.1 3.5.2
OVF Tool 3.0.1 3.5.2
vCenter Operations Manager 5.8.x 5.8.2
vCenter Operations Manager 5.7.x 5.7.3
vCenter Support Assistant 5.5.1 5.5.1.1
vCD 5.5.1.x 5.5.1.2
vCD 5.1.x 5.1.3.1
vCenter Site Recovery Manager 5.5.x 5.5.1.1
vCenter Site Recovery Manager 5.1.x 5.1.2.1
vCenter Site Recovery Manager 5.0.3.x 5.0.3.2
vSphere Client  5.5 windows 5.5u1b
vSphere Client  5.1 windows 5.1u2a
vSphere Client  5.0 windows 5.0u3a

Table 3

The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network.

VMware Product Running Replace with / 
Product Version on Apply Patch
==========
=====
=====
==================
vCenter Server 5.5 any 5.5u1b
vCenter Server 5.1 any 5.1u2a
vCenter Server 5.0 any 5.0u3a
Update Manager 5.5 windows 5.5u1b
vCenter ConfigurationManager (VCM) 5.6 5.7.2
ITBM Standard 1.0.1 1.1
ITBM Standard 1.0 1.1
Studio 2.6.0.0 patch pending
Usage Meter 3.3 3.3.1
vCenter Converter Standalone 5.5 5.5.2
vCenter Converter Standalone 5.1 5.1.1
vCloud Automation Center 6.0.x 6.0.1.2
VIX API 1.12 patch pending
vMA (Management Assistant) 5.5.0.1 patch pending
vSphere PowerCLI 5.x See VMware KB 2082132
vSphere Data Protection 5.5.6 5.5.7
vSphere Data Protection 5.1.11 patch pending
vSphere Replication 5.5.1 5.5.1.1
vSphere Replication 5.6 5.8
vSphere SDK for Perl 5.5 5.5 Update 2
VDDK 5.5.x 5.5.2
VDDK 5.1.x 5.1.3
VDDK 5.0.x 5.0.4
4. Solution

Big Data Extensions 2.0.0
Downloads and Documentation:
https://www.vmware.com/go/download-bde

ESXi 5.5, 5.1 and 5.0
Download:
https://www.vmware.com/patchmgr/findPatch.portal

Horizon Mirage Edge Gateway 4.4.3

Downloads and Documentation:
https://www.vmware.com/go/download-horizon-mirage

Horizon View Clients
Downloads and Documentation:
https://www.vmware.com/go/viewclients

vCD 5.5.1.2
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director

vCenter Server 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vCenter Operations Manager for View 1.6
Downloads and Documentation:
https://www.vmware.com/go/download-vcops-view

vCSA 5.5u1b, 5.1u2a and 5.0u3a
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

Update Manager 5.5u1b
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

VDDK 5.x
Downloads and Documentation:
https://www.vmware.com/support/developer/vddk

vCenter Configuration Manager (VCM) 5
Downloads and Documentation:
https://www.vmware.com/go/download_vcm

vCenter Operations Manager 5.8 and 5.7.3
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere-ops-mgr

OVF Tool 3.5.2
Download: 
https://www.vmware.com/support/developer/ovf/

vCenter Converter Standalone 5.5.2
Downloads and Documentation:
https://www.vmware.com/go/download-converter

Usage Manager 3.3
Downloads and Documentation:
https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter


Horizon View 5
Downloads and Documentation:
https://www.vmware.com/go/downloadview

Horizon View 5.3 Feature Pack 3
Downloads and Documentation:
https://www.vmware.com/go/downloadview

Horizon Workspace Server 1.5 and 1.8.x
Release Notes and download:
http://kb.vmware.com/kb/2082181

Workstation
https://www.vmware.com/go/downloadworkstation

Fusion
https://www.vmware.com/go/downloadfusion

VMware Player
https://www.vmware.com/go/downloadplayer

vCenter Server 5.1 Update 2a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

vCenter Server 5.0 Update 3a
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

vCloud Networking and Security 5.5.2.1
Download
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

vCloud Networking and Security 5.1.4.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

NSX for Multi-Hypervisor, NSX for vSphere and NVP
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx

vCD 5.5.1.2 and vCD 5.1.3.1
Download link:
https://www.vmware.com/go/download-vcd-ns

VMware vCenter Chargeback Manager
Download link:
https://www.vmware.com/go/download-chargeback

Converter Standalone 5.1.1
Download link:
https://www.vmware.com/go/download-converter

vCenter Support Assistant
Downloads:
https://www.vmware.com/go/download-vsphere

Pivotal Web Server 5.4.1
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

vCloud Automation Center
Downloads:
https://www.vmware.com/go/download-vcac

vCenter Site Recovery Manager 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081861

vSphere Replication 5.8
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId=353

vSphere Replication 5.5.1.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2082666

vCenter Site Recovery Manager 5.1.2.1
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081860

vCenter Site Recovery Manager 5.0.3.2
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081859

ITBM Standard 1.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&productId=384&rPId=6384

Release Notes:
https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-notes.html

vSphere SDK for Perl  5.5 Update 2
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&rPId=6436

Release Notes:
https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-58-release-notes.html

vSphere Data Protection 5.5.7
Download:
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGroup=VDP55_7

Release Notes:
https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html

6. Change Log

2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10

2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12

2014-06-17 VMSA-2014-0006.2
Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

2014-06-24 VMSA-2014-0006.3
Updated security advisory in conjunction with the release ofHorizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

2014-07-01 VMSA-2014-0006.4
Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD  5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1,  NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01

2014-07-03 VMSA-2014-0006.5
Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1 on 2014-07-03

2014-07-08 VMSA-2014-0006.6
Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08

2014-07-10 VMSA-2014-0006.7
Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10

2014-07-18 VMSA-2014-0006.8
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17

2014-07-22 VMSA-2014-0006.9
Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22

2014-09-09 VMSA-2014-0006.10
Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above as it is not affected by this issue.

2014-10-09 VMSA-2014-0006.11
Updated security advisory in conjunction with the release of vSphere Data Protection 5.5.7 on 2014-10-09

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • fulldisclosure at seclists.org


E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
 
Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc.  All rights reserved.