[Security-announce] UPDATE: VMware Security Advisory VMSA-2014-0004.7 (Heartbleed - CVE-2014-0160)

VMware Security Announcements security-announce at lists.vmware.com
Wed Apr 23 08:47:27 PDT 2014


-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0004.7
Synopsis:    VMware product updates address OpenSSL security vulnerabilities
Issue date:  2014-04-14
Updated on:  2014-04-22
CVE numbers: CVE-2014-0076 and CVE-2014-0160
-----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   VMware vCenter Server 5.5
   VMware vCenter Server 5.5 Update 1

   ESXi 5.5 without patch ESXi550-201404020
   ESXi 5.5 Update 1 without patch ESXi550-201404001

   VMware Workstation 10.x prior to version 10.0.2

   VMware Fusion 6.x prior to version 6.0.3

   VMware Player 6.x prior to version 6.0.2

   NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
   NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
   NSX 6.0.x for vSphere prior to 6.0.4
   NVP 3.x prior to 3.2.2

   Horizon Mirage Edge Gateway 4.4.x prior to 4.4.2

   Horizon View 5.3 Feature Pack 1 
   Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and iOS
   Horizon View Client 2.3.x for Windows

   Horizon Workspace Server 1.0
   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
   Horizon Workspace Server 1.8.x prior to 1.8.1

   Horizon Workspace Client 1.5.x
   Horizon Workspace Client 1.8 prior to 1.8.1

   OVF Tool prior to 3.5.1

   VMware vCloud Networking and Security (vCNS) 5.5.1
   VMware vCloud Networking and Security (vCNS) 5.1.3

   vCloud Automation Center (vCAC) 6.x
 
   vSphere Big Data Extensions 1.1

   Client Integration Plug-In 5.5

   vCloud Director 5.5

3. Problem Description

   a. Information Disclosure vulnerability in OpenSSL third party library

      The OpenSSL library is updated to version openssl-1.0.1g to 
      resolve multiple security issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.

      CVE-2014-0160 is known as the Heartbleed issue. More information
      on this issue may be found in the reference section.
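As an added example (not part of the advisory): a small Python check that classifies an `openssl version` banner against the 1.0.1g fix release named above, useful when inventorying hosts before and after patching. The affected range 1.0.1 through 1.0.1f, and the fact that the 1.0.0 and 0.9.8 branches never carried the heartbeat code, are known facts about OpenSSL rather than statements on this page; the sample banners are constructed.

```python
import re

# Fix release named in the advisory. OpenSSL 1.0.1 through 1.0.1f carry the
# Heartbleed heartbeat bug; 1.0.0 and 0.9.8 never had the heartbeat code.
# (Known fact about OpenSSL, not stated on this page.) Pre-release 1.0.2
# betas are outside this check, which covers the 1.0.1 release branch only.
FIXED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, patch), letter) from an 'openssl version' banner,
    e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ((1, 0, 1), 'e').
    An unlettered release such as 'OpenSSL 1.0.1' yields letter ''."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def below_fixed_release(banner):
    """True when the banner reports a 1.0.1 build older than 1.0.1g.

    A banner alone is not proof either way: distribution packages often
    backport the fix while keeping the old version string, so treat True as
    a prompt to check the vendor's patch list (here, the table in section 3)
    rather than as confirmation of exposure."""
    branch, letter = parse_openssl_version(banner)
    if branch != FIXED_BRANCH:
        return False                 # 1.0.0 / 0.9.8 / later branches
    return letter < FIXED_LETTER     # '' and 'a'..'f' sort before 'g'


if __name__ == "__main__":
    # Constructed sample banners in the format 'openssl version' prints.
    for b in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 0.9.8y 5 Feb 2013"):
        print(b, "-> needs update" if below_fixed_release(b) else "-> ok")
```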

      To remediate the issue for products that have updated versions or 
      patches available, perform these steps: 

        * Deploy the VMware product update or product patches
        * Replace certificates per the product-specific documentation
        * Reset passwords per the product-specific documentation

      Section 4 lists product-specific references to installation 
      instructions and certificate management documentation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Note: Products that are not affected by these issues have been 
      documented in VMware Knowledge Base article 2076225.

      VMware                          Product  Running   Replace with/
      Product                         Version  on        Apply Patch
      ==============                  =======  =======   =============
      vCenter Server                  5.5      any       5.5.0c
      vCenter Server                  5.5 U1   any       5.5 Update 1a
      ESXi                            5.5      ESXi      ESXi550-201404420
      ESXi                            5.5 U1   ESXi      ESXi550-201404401
      Workstation                     10.x     any       10.0.2 or later
      Fusion                          6.x      OSX       6.0.3 or later
      Player                          6.x      any       6.0.2 or later

      NSX for Multi-Hypervisor        4.0.x              4.0.2 or later
      NSX for Multi-Hypervisor        4.1.x              4.1.1 or later
      NSX for vSphere                 6.0.x              6.0.4 or later
      NVP                             3.x                3.2.2 or later
      Horizon Mirage Edge Gateway     4.4.x              4.4.2 or later
      Horizon View Feature Pack *     5.3 FP 1           Feature Pack 2 or later
      Horizon View Client             2.1.x    Android   2.3.3 or later
      Horizon View Client             2.2.x    Android   2.3.3 or later
      Horizon View Client             2.3.x    Android   2.3.3 or later
      Horizon View Client             2.1.x    iOS       2.3.3 or later
      Horizon View Client             2.2.x    iOS       2.3.3 or later
      Horizon View Client             2.3.x    iOS       2.3.3 or later
      Horizon View Client             2.3.x    Windows   2.3.3 or later

      Horizon Workspace Server        1.0                Horizon Workspace Server 1.5
                                                         and apply patch
                                                         horizon-nginx-rpm-1.5.0.0-1736237.x86_64
      Horizon Workspace Server        1.5.x              horizon-nginx-rpm-1.5.0.0-1736237.x86_64
      Horizon Workspace Server        1.8                1.8.1 or later **
                                                         (see important note below)

      Horizon Workspace Client        1.5.1    OSX       1.8.1 or later
      Horizon Workspace Client        1.5.2    OSX       1.8.1 or later
      Horizon Workspace Client        1.5.1    Windows   1.8.1 or later
      Horizon Workspace Client        1.5.2    Windows   1.8.1 or later
      Horizon Workspace Client        1.8      OSX       1.8.1 or later
      for Macintosh
      Horizon Workspace Client        1.8      Windows   1.8.1 or later
      for Windows
      OVF Tool                        3.5.0              3.5.1
      vCloud Networking and Security  5.5.1              5.5.2 or later
      vCloud Networking and Security  5.1.3              5.1.4 or later
      vCloud Automation Center (vCAC) 6.x                6.0.1 + patch
      Big Data Extensions             1.1                1.1 Update
      Client Integration Plug-In ***  5.5      Windows/  CIP used with vSphere:
                                               Linux     vSphere 5.5.0c, vSphere 5.5 Update 1a
                                                         CIP used with vCloud Director:
                                                         vCD 5.5.1.1
                                                         CIP used with vCHS:
                                                         see reference in section 4

   Note:

   *   VMware Horizon View 5.3 Feature Pack 1: Only the HTML Access
       component in the Remote Experience Agent is affected

   **  Administrators who have updated to Horizon Workspace Server 1.8.1
       between 4/14/14 and 4/19/14 will need to update to the latest
       version listed in the table

   *** The Client Integration Plug-In installs the OVF Tool and is used
       with vCD, vCHS, and vSphere for browser OVF file upload

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file. 
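As an added example (not part of the advisory): a Python routine that performs the checksum verification asked for here, against the md5sum and sha1sum values this section publishes for the Horizon Mirage Edge Gateway and Horizon Workspace Server 1.5 files. It requires both digests to match and refuses files the table does not list; the `sample-download.bin` file in the demo is constructed.

```python
import hashlib
import hmac
import io
import os

# Expected digests copied from section 4 of this advisory for the two
# downloads it publishes checksums for: file name -> (md5, sha1).
ADVISORY_DIGESTS = {
    "VMware.Horizon.Mirage.442.41428.zip": (
        "3202f5c41a99422ad66355410c45e09e",
        "a37654ac31a1a305160d4bcf5081d2f3d7ea1c20"),
    "horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm": (
        "bc4cc609f926701cac2b199f895ab16d",
        "fa456e042698a2cb19077fbd2199d948532af0c8"),
}


def digests_of_stream(stream, chunk_size=1 << 20):
    """MD5 and SHA-1 of a binary stream in one chunked pass, so a large
    installer is never read into memory whole. Returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digests_of_bytes(data):
    return digests_of_stream(io.BytesIO(data))


def digests_match(actual, expected):
    """True only when BOTH published digests match; a one-algorithm match
    is a failure. Hex case is normalised because vendor pages mix cases."""
    return all(hmac.compare_digest(a.lower(), e.lower())
               for a, e in zip(actual, expected))


def verify_download(path, file_name=None, table=ADVISORY_DIGESTS):
    """Hash the file at `path` and check it against the advisory table.
    An unlisted file name raises KeyError instead of being accepted, so a
    renamed or unexpected download is never waved through."""
    name = file_name or os.path.basename(path)
    expected = table[name]
    with open(path, "rb") as fh:
        return digests_match(digests_of_stream(fh), expected)


if __name__ == "__main__":
    # Constructed demo: a stand-in file checked against its own digests.
    with open("sample-download.bin", "wb") as fh:
        fh.write(b"abc")
    print(verify_download("sample-download.bin",
                          table={"sample-download.bin": digests_of_bytes(b"abc")}))
    os.remove("sample-download.bin")
```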

   vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a
   ----------------------------------------------------
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076692

   ESXi 5.5 / ESXi 5.5 Update 1
   ---------------------------- 
   Download:
   https://www.vmware.com/patchmgr/download.portal

   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076665

   Workstation 10.x
   ---------------------- 
   https://www.vmware.com/go/downloadworkstation

   Fusion 6.x 
   ------------------ 
   https://www.vmware.com/go/downloadfusion

   VMware Player 6.x 
   ------------------ 
   https://www.vmware.com/go/downloadplayer 

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   Horizon Mirage Edge Gateway 4.4.2
   ---------------------------------
   File: VMware.Horizon.Mirage.442.41428.zip
   md5sum: 3202f5c41a99422ad66355410c45e09e 
   sha1sum: a37654ac31a1a305160d4bcf5081d2f3d7ea1c20
   
   Release Notes, Remediation Instructions and Download:
   https://my.vmware.com/group/vmware/details?downloadGroup=MIRAGE-442&productId=322&rPId=5435

   Horizon View 5.3 Feature Pack 2
   -------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796

   Release Notes:
   https://www.vmware.com/support/view53/doc/horizon-view-53-feature-pack-2-release-notes.html
 
   Horizon View Client 2.3.3 for Android, IOS and Windows
   ------------------------------------------------------
   Release Notes, Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796

   Horizon Workspace Server 1.5
   ----------------------------
   File: horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
   md5sum: bc4cc609f926701cac2b199f895ab16d
   sha1sum: fa456e042698a2cb19077fbd2199d948532af0c8

   Release Notes and Download: 
   http://kb.vmware.com/kb/2076551

   Horizon Workspace Server 1.8.1
   ------------------------------
   Download:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=HZNWS181

   Release Notes:
   https://www.vmware.com/support/horizon_workspace/doc/hw_release_notes_181.html

   Horizon Workspace Client 1.8.1
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?productId=323&downloadGroup=HZNWS180
  
   Release Notes and Remediation Instructions: 
   http://kb.vmware.com/kb/2076783

   OVF Tool 3.5.1 
   ---------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCloud Networking and Security 5.5.2
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_552.html

   Best practices for upgrading to VMware vCloud Networking and Security 5.5.2:
   http://kb.vmware.com/kb/2076534

   vCloud Networking and Security 5.1.4
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_514.html

   Best practices for upgrading to VMware vCloud Networking and Security 5.1.4:
   http://kb.vmware.com/kb/2076531

   vCloud Automation Center (vCAC) 6.0.1
   -----------------------------------
   Release Notes, Remediation Instructions and Download: 
   http://kb.vmware.com/kb/2076869

   Big Data Extensions 1.1 Update
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=BDE_110_GA&productId=353&rPId=5257

   Remediation Instructions:
   http://kb.vmware.com/kb/2076855

   Client Integration Plug-In (CIP)
   --------------------------------
   For vSphere 5.5: See vCenter Server 5.5.0c / vCenter Server 5.5 
   Update 1a in this section.

   For vCD 5.5: vCD 5.5.1.1
   Release Notes and Remediation Instructions
   http://kb.vmware.com/kb/2076891

   For vCHS: See
   http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

   VMware Knowledge Base article 2076225. 
   http://kb.vmware.com/kb/2076225
 
   The Heartbleed Bug
   http://heartbleed.com/

-----------------------------------------------------------------------

6. Change Log

   2014-04-14 VMSA-2014-0004
   Initial security advisory in conjunction with the release of
   Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14

   2014-04-15 VMSA-2014-0004.1
   Updated security advisory in conjunction with the release of 
   Horizon Mirage Edge Gateway 4.4.2 patch on 2014-04-15

   2014-04-16 VMSA-2014-0004.2
   Updated security advisory in conjunction with the release of    
   vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16

   2014-04-17 VMSA-2014-0004.3
   Updated security advisory in conjunction with the release of 
   Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon
   Workspace Client 1.8.1 on 2014-04-17

   2014-04-18 VMSA-2014-0004.4
   Updated security advisory in conjunction with the release of 
   NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and
   Horizon View Clients 2.3.3 on 2014-04-18

   2014-04-19 VMSA-2014-0004.5
   Updated security advisory in conjunction with the release of 
   vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, 
   Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and
   4.1.1, NVP 3.2.2, OVF Tool 3.5.1, vCloud Automation Center 
   (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration
   Plug-In 5.5 on 2014-04-19

   2014-04-20 VMSA-2014-0004.6
   Updated security advisory in conjunction with the release of vCloud
   Director 5.5.1.1 on 2014-04-20

   2014-04-22 VMSA-2014-0004.7
   Updated security advisory wording and clarified vCNS version
   numbering after customer feedback on 2014-04-22

-----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

