The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed "Heartbleed" (CVE-2014-0160, CVE-2014-0346). This article reflects the status of the ongoing investigation.
This is a response to the current situation with the software security vulnerability dubbed Heartbleed:

The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation.

VMware has released product updates and patches for all affected products in this article. Product releases that have an updated version or patches are currently listed in VMware Security Advisory VMSA-2014-0004. See the lists below for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while more updates are being prepared.

Resolution/mitigation

To remediate the issue for products that have updated versions or patches available, perform these measures in order:

1. Deploy the VMware product update or product patches that address CVE-2014-0160.
2. Replace certificates according to instructions in the product documentation.
3. Reset passwords according to instructions in the product documentation.

The order matters: the vulnerability can expose a service's private key and the credentials it has handled, so certificates and passwords that were in use before the patch should be treated as compromised.

Section 4 of VMware Security Advisory VMSA-2014-0004 lists product-specific references to installation instructions and certificate management documentation.

Note: If you encounter an issue during the upgrade process, file a support request with VMware Technical Support and note the Knowledge Base article ID you are using in the problem description. For more information on filing a Support Request, see Filing a Support Request in Customer Connect (2006985).

By deploying vSphere 5.5 (and other relevant VMware products) on an isolated management network, the exposure to CVE-2014-0160 is reduced. Hosting vSphere components directly on the Internet is strongly discouraged. Virtual machines that are exposed to the Internet should be updated in case they are affected. For the latter, refer to the instructions by the operating system provider.
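As an added example (not VMware's code and not part of this article), the following triage script classifies `openssl version` banners collected from an inventory against the split this article uses: 1.0.1-based builds are affected, 0.9.8 and 1.0.0 builds are not. The 1.0.1g and 1.0.2-beta2 fix boundaries come from the OpenSSL project's own advisory rather than this article; the inventory format, hostnames and banners are constructed.

```python
import re

# Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f and in
# 1.0.2-beta1; it was fixed in 1.0.1g and 1.0.2-beta2 (OpenSSL project advisory,
# not stated in this KB article). 0.9.8 and 1.0.0 never had the TLS heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)


def classify(banner):
    """Return 'vulnerable_version', 'not_vulnerable' or 'unknown' for an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        # A vendor build may have compiled heartbeats out (the article's vRA 5.x case),
        # so this is a triage signal that the vendor advisory confirms or overrides.
        return "vulnerable_version" if letter == "" or letter < "g" else "not_vulnerable"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return "vulnerable_version" if beta == "1" else "not_vulnerable"
    return "not_vulnerable"


def triage(inventory):
    """inventory: iterable of 'hostname<TAB>banner' lines (constructed format); returns host -> status."""
    result = {}
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, banner = line.partition("\t")
        result[host] = classify(banner)
    return result


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = """\
esxi55-01\tOpenSSL 1.0.1e-fips 11 Feb 2013
esxi51-02\tOpenSSL 0.9.8y 5 Feb 2013
vcsa-01\tOpenSSL 1.0.0k 5 Feb 2013
build-01\tOpenSSL 1.0.2-beta1 24 Feb 2014
jump-01\tOpenSSL 1.0.1g 7 Apr 2014
mystery-01\tLibreSSL 2.0.0
""".splitlines()

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A version match identifies builds to check, not a confirmed exposure: as the vRealize Automation 5.x entry in the unaffected list shows, a product can ship OpenSSL 1.0.1 yet not be vulnerable, so VMSA-2014-0004 remains the authority for VMware products.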
Affected VMware products

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected. For specific remediation details, see VMware Security Advisory VMSA-2014-0004 unless another reference is given for the product:

- ESXi 5.5
- NSX for Multi-Hypervisor Manager 4.0.x and 4.1.x
- NSX 6.0.x for vSphere
- NVP 3.x
- vCenter Server 5.5 and 5.5 Update 1, including VMware Big Data Extensions 1.x
- vFabric Web Server 5.0.x – 5.3.x (for remediation details, see the Security Advisory on Critical Updates to vFabric Web Server document)
- VMware Client Integration Plug-In (CIP) version 5.5 (CIP installs the OVFTool and is used with vCD, vCloud Air, and vSphere for browser OVF file upload. For specific remediation details, see VMware Security Advisory VMSA-2014-0004 and http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html.)
- VMware Fusion 6.0.x
- VMware Player 6.0.x
- VMware Workstation 10.x
- VMware Horizon Mirage Edge Gateway 4.4.x
- VMware Horizon View 5.3 Feature Pack 1 (affects only the VMware Horizon HTML Access component in the Remote Experience Agent)
- VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for Windows 2.3.x
- VMware Horizon Workspace 1.0
- VMware Horizon Workspace 1.5
- VMware Horizon Workspace 1.8
  Note: Administrators who updated to Horizon Workspace Server 1.8.1 between 4/14/2014 and 4/19/2014 must update to the latest version referenced in VMware Security Advisory VMSA-2014-0004.
- VMware Horizon Workspace Client for Macintosh 1.5.1
- VMware Horizon Workspace Client for Macintosh 1.5.2
- VMware Horizon Workspace Client for Windows 1.5.1
- VMware Horizon Workspace Client for Windows 1.5.2
- VMware Horizon Workspace for Macintosh 1.8
- VMware Horizon Workspace for Windows 1.8
- VMware OVF Tool 3.5.0
- VMware vRealize Automation (formerly known as vCloud Automation Center) 6.x
- VMware vCloud Networking and Security (vCNS) 5.1.3
- VMware vCloud Networking and Security (vCNS) 5.5.1

Unaffected VMware products

This VMware product ships with OpenSSL 1.0.1, but it has been confirmed to use OpenSSL in a way that renders it not vulnerable to the OpenSSL Heartbleed issue:

- VMware vRealize Automation (formerly known as vCloud Automation Center) 5.x

These VMware products that ship with OpenSSL 0.9.8 or 1.0.0 have been confirmed to be unaffected:

- ESXi/ESX 4.x
- ESXi 5.0
- ESXi 5.1
- Virtual Disk Development Kit (VDDK)
- VIX API
- VMware Client Integration Plug-In (CIP) version 5.1 and below
- VMware vCloud Connector
- VMware vCloud Usage Meter
- VMware Data Recovery (VDR)
- VMware Fusion 5.x
- VMware Player 5.x
- VMware Workstation 9.x
- VMware Horizon Mirage 4.3.x and earlier
- VMware Horizon Mirage 4.4.x (except the Gateway component)
- VMware Horizon View 5.x
- VMware Horizon View 5.2 Feature Pack 1
- VMware Horizon View 5.2 Feature Pack 2
- VMware Horizon View 5.3 Feature Pack 1 (all components except the VMware Horizon HTML Access component in the Remote Experience Agent)
- VMware Horizon View Client for Android 1.x, 2.0.x
- VMware Horizon View Client for iOS 1.x, 2.0.x
- VMware Horizon View Client for Linux (all versions)
- VMware Horizon View Client for Mac (all versions)
- VMware Horizon View Client for Windows 2.1.x, 2.2.x, 5.x
- VMware Horizon View Client for Windows Store (all versions)
- VMware Horizon View Client for Windows with Local Mode Option 5.x
- VMware Horizon Workspace Client for Macintosh 1.0.0
- VMware Horizon Workspace Client for Macintosh 1.5.0
- VMware Horizon Workspace Client for Windows 1.0.0
- VMware Horizon Workspace Client for Windows 1.5.0
- VMware OVF Tool 3.1.0 and below
- VMware Service Manager
- VMware ThinApp
- VMware Update Manager (VUM)
- VMware vCenter Certificate Automation Tool
- VMware vRealize Configuration Manager (formerly known as VMware vCenter Configuration Manager)
- VMware vCenter Multi-Hypervisor Manager 1.x for Windows
- VMware vCenter Chargeback Manager
- VMware vCenter Converter (P2V)
- VMware vRealize Infrastructure Navigator (formerly known as VMware vCenter Infrastructure Navigator)
- VMware vCenter Lab Manager
- VMware vRealize Log Insight (formerly known as VMware vCenter Log Insight)
- VMware vRealize Operations Manager (formerly known as VMware vCenter Operations Manager)
- VMware vRealize Orchestrator (formerly known as VMware vCenter Orchestrator)
- VMware vCenter Server 4.x
- VMware vCenter Server 5.0
- VMware vCenter Server 5.1
- VMware vCenter Server Appliance (vCSA) 5.x
  Note: The version of the Client Integration Plug-In (CIP) used with vSphere Web Client 5.5 is affected (see above). The Client Integration Plug-In is part of vCenter Server 5.5 and of vCenter Server Appliance 5.5. To remediate CIP 5.5, you must update vCenter Server 5.5 or vCenter Server Appliance 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.
- VMware vCenter Server Heartbeat
- VMware vCenter Site Recovery Manager (SRM)
- VMware vCenter Support Assistant
- VMware vRealize Application Services (formerly known as VMware vCloud Application Director)
- VMware vCloud Director (vCD)
  Note: The version of the Client Integration Plug-In (CIP) used with vCloud Director 5.5 is affected (see above). To remediate CIP 5.5, you must update vCloud Director 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.
- VMware vCloud Networking and Security (vCNS) 5.1.2 and below
- VMware vCloud Networking and Security (vCNS) 5.5.0 and 5.5.0a
- VMware vFabric Data Director
- VMware vFabric Postgres
- VMware View 4.x
- VMware Virsto
- VMware vSphere Client
- VMware vSphere Data Protection (vDP)
- VMware vSphere Management Assistant (vMA)
- VMware vSphere Replication
- VMware vSphere Storage Appliance (VSA)

Affected Partner Products

This product from a VMware partner ships with OpenSSL 1.0.1 and was found to be affected:

- vFabric GemFire Native Client 7.0.x (for specific remediation details, see Required Security Updates to Pivotal GemFire Native Client 7.0x and OpenSSL)

Remediated VMware Services

This VMware Service was found to be affected and has been remediated:

- Socialcast, service updated on 4/8/14 (for more information, see the Socialcast blog post, Socialcast Response to Heartbleed, aka CVE-2014-0160)

Unaffected VMware Services

These VMware Services were found to be unaffected:

- Horizon DaaS
- VMware vCloud Air (for more information, see the vCloud Air blog post, vCloud Hybrid Service is not affected by OpenSSL "Heartbleed bug")
- VMware vRealize Business Advanced and Enterprise (formerly known as VMware IT Business Management Suite)
- AirWatch MDM

Additional Information

This article is updated as more information becomes available.

For information on VMware Customer Portals and web sites that may be affected by this issue, see Impact of OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" on VMware Customer Portals and web sites (2076353).

Pivotal Links

- Pivotal Web Server Knowledge Base

Related articles

- Impact of OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" on VMware Customer Portals and web sites
- Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346, also known as "Heartbleed" (Chinese version of this article)
- Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346, also known as "Heartbleed" (Japanese version of this article)