VMware vSphere


Patch for ESXi SSL Heartbleed vulnerability?

  • 1.  Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 12:23 AM

    Discovered today our Esxi 5.5 build 1331820 SSL is vulnerable to the openSSL bug reported today http://heartbleed.com

    Can we expect a patch from VMware for this soon ?

    thanks,

    http://vmadmin.info



  • 2.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 01:33 AM

    Good find, mate.

    I found this as well for additional reading: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

    What I am unsure is why are these folks publicly disclosing such a big vulnerability?



  • 3.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Broadcom Employee
    Posted Apr 09, 2014 04:41 AM

    I am sure the VMware developers are aware of it. But below is the link where it can be reported,

    Security Response Policy: VMware | United States

    Thanks,



  • 4.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 05:34 AM

    The vSphere 5.5 SSO could be affected as well; it uses OpenSSL 1.0.1e, and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website. Hope VMware is aware and a fix is on the way.



  • 5.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 10:20 AM

    The vSphere 5.5 SSO could be affected as well; it uses OpenSSL 1.0.1e, and this is one of the affected versions. I couldn't find any reference to the vulnerability CVE-2014-0160 on the VMware website.

    I tested a few of the available heartbleed scripts against Windows-based vCenter 5.5 and 5.1 on all ports the system is listening on (including Web Client 9443, Inventory 10443, SSO 7444 etc) but they were never reported being vulnerable. I suppose this is because the actual SSL traffic is handled in the Java application's own SSL stack instead of depending on openssl, which might only be used for certain operations such as certificate generation.

    Many vendors already published information about their affected products, I hope VMware will release an official advisory soon too.



  • 6.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 10, 2014 05:25 AM

    Thanks MKguy, I was thinking on a similar note, most likely SSO uses the keytool and this may not be affected. Will wait for official confirmation from VMware.



  • 7.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 10, 2014 01:21 PM

    Our ESXi 5.5 Servers are flagged via NESSUS. How do you run the cmd line tool? thanks



  • 8.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 10, 2014 03:48 PM

    Is this affecting the vCenter 5.5 appliance also? This appliance is Linux-based, no Windows at all.



  • 9.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 11, 2014 09:55 AM

    The VC Appliance is not listed among the affected products. It's built on SLES 11 SP2, which uses an earlier version of the openssl library unaffected by the bug, as stated in the official Suse advisory http://support.novell.com/security/cve/CVE-2014-0160.html



  • 10.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 06:22 AM

    Would be nice to see something official by VMware. So many OS-distributions already released a patch, so it shouldn't be that hard for VMware.



  • 11.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 09:22 AM

    Some more information about affected components found so far:

    https://communities.vmware.com/message/2366769#2366769



  • 12.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Broadcom Employee
    Posted Apr 09, 2014 05:04 PM

    For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".



  • 13.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 09, 2014 11:10 PM

    I've collected external web and internal cmd line tool links to check if your SSL is vulnerable.

    http://www.vmadmin.info/2014/04/esxi-55-vulnerable-to-openssl.html

    Been hitting refresh on the KB link...

    Still no ETA on the ESXi patch?



  • 14.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 14, 2014 01:41 PM

    Is there anyway to downgrade openssl to the older version?

    Do we know if the future openssl patch is going to require a reboot?

    Thanks,

    Brian



  • 15.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 14, 2014 02:06 PM

    The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.

    The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.



  • 16.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 14, 2014 06:19 PM

    MKguy wrote:

    The only supported way of "downgrading" at the moment would be a painful migration from ESXi/vCenter 5.5 to 5.1.

    The files are part of the esx-base VIB bundle, so it's safe to assume that you will need a host reboot after applying the patch.

    This will be the first step. After you've patched your hosts, recreate the SSL certificates, then update the password(s) on the host.

    It's not pretty, but until you've done all three there's no guarantee the host is secure from this vulnerability.



  • 17.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 21, 2014 05:50 PM

    OpenSSL is open-source software which is widely used for implementing transport layer security like SSL and TLS. OpenSSL provides cryptographic functions and lots of other functions. Almost two years ago, a new function called heartbeat was added to OpenSSL version 1.0.1. What does the heartbeat protocol do in OpenSSL? Heartbeat keeps the secure connection alive for a bit. It keeps the session alive so the connection doesn't get taken down. Typically SSL connections will be terminated immediately if there is no activity.

    To solve the issue of Heartbeat in OpenSSL on ESX, please refer to the URL given below:

    Heartbleed vulnerability on VMware ESXI 5.5 and Vcenter 5.5 | UnixArena



  • 18.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 23, 2014 06:08 PM

    In the article given below, the complete details of the configuration steps to resolve the ESX Heartbleed vulnerability are mentioned:

    VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160



  • 19.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 15, 2014 04:25 PM


  • 20.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 15, 2014 07:35 PM

    Ah - I jumped the gun - it's still baking - ETA April 19 according to reports (happy Easter weekend)

    Not sure why the ESXi patch will require a reboot - for Apache it's just a restart.

    Is this related to how vmware patches are packaged (SSL is bundled with the kernel ?)



  • 21.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 19, 2014 11:08 AM

    Can we start patching ESXi yet?



  • 22.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 19, 2014 03:40 PM

    Here is the patch:

    VMware KB: VMware ESXi 5.5, Patch ESXi-5.5.0-20140404001-no-tools

    Summaries and Symptoms

    This patch resolves the following issues:

    • PR1227131: The OpenSSL version is updated to 1.0.1g to address the Heartbleed vulnerability.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-0160 to this issue. For further details on remediation steps for ESXi 5.5, see KB 2076665.

      Note: To completely resolve this issue, you also need to replace certificates and change passwords. For more information, see Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160 (2076665).


  • 23.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 19, 2014 07:03 PM

    VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

    Applied - no reboot required

    Confirmed the vulnerability is removed by this patch - folks should also cycle keys and update passwords

    thanks and Happy Easter



  • 24.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 19, 2014 11:23 PM

    Reboot IS required to make sure you use the new openSSL version, after reboot create new SSL cert and change passwords!



  • 25.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 19, 2014 11:48 PM

    Reboot is the cleanest if you can afford it.

    But using the python script command line tool I observed the vulnerability was removed post patch.

    After updating keys

    cd /etc/vmware/ssl
    /sbin/generate-certificates
    chmod +t rui.crt
    chmod +t rui.key
    passwd root


    Shouldn't a service restart be sufficient?


    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart


    To avoid the prolonged reboot procedure?

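Added example, written for this thread and not taken from it, from VMware or from the KB articles it links: a POSIX shell audit of the remediation steps discussed above (patched OpenSSL, regenerated rui.crt/rui.key, sticky bit set on both). The function names are hypothetical; the /etc/vmware/ssl paths and the 1.0.1g version come from the thread. The version classifier and the sticky-bit check run anywhere; the host audit only runs when the script finds /etc/vmware/ssl, i.e. on an ESXi host.

```shell
#!/bin/sh
# Heartbleed post-remediation audit for ESXi 5.5 (added example, not VMware code).
# Helper names are hypothetical; paths follow the thread's remediation steps.

# Return 0 (true) when an `openssl version` string names a Heartbleed-affected
# release. Affected: 1.0.1 through 1.0.1f (with or without a -fips style
# suffix) and 1.0.2-beta1. Not affected: 1.0.1g, which the ESXi patch ships,
# and the 1.0.0 / 0.9.8 branches, which never had the heartbeat code.
openssl_is_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the sticky bit is set on a file (10th column of `ls -ld` is
# t or T). On ESXi the sticky bit marks a file in the ramdisk to be preserved
# across reboots, which is why the thread runs `chmod +t` on the new
# certificate and key after `generate-certificates`.
sticky_bit_set() {
    mode=$(ls -ld "$1" | cut -c10)
    case "$mode" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit a live ESXi host. Prints one line per check; returns 0 only when every
# check passes. Password rotation cannot be verified from the filesystem, so it
# is reported as a reminder rather than a check.
heartbleed_audit_host() {
    rc=0
    have=$(openssl version)
    if openssl_is_vulnerable "$have"; then
        echo "FAIL openssl binary: $have is still affected; apply the esx-base patch"
        rc=1
    else
        echo "ok   openssl binary: $have"
    fi
    # esx-base carries the library; without a reboot, hostd/vpxa can still be
    # running with the old copy mapped even though the binary above is new.
    if command -v esxcli >/dev/null 2>&1; then
        echo "info esx-base VIB: $(esxcli software vib get -n esx-base | grep -i '^ *Version:')"
    fi
    for f in /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.key; do
        if [ ! -f "$f" ]; then
            echo "FAIL $f: missing; run /sbin/generate-certificates"
            rc=1
        elif sticky_bit_set "$f"; then
            echo "ok   $f: present and persisted (sticky bit set)"
        else
            echo "FAIL $f: not persisted; run chmod +t $f or it is lost on reboot"
            rc=1
        fi
    done
    echo "info remember: reboot the host and rotate root/service passwords (not auditable here)"
    return $rc
}

# Stand-alone run: only audit when this is actually an ESXi host.
if [ -d /etc/vmware/ssl ] && command -v openssl >/dev/null 2>&1; then
    heartbleed_audit_host
fi
```

The version check deliberately matches on the second field of `openssl version` rather than on a substring, so a string such as "OpenSSL 1.0.1g" is not mistaken for the affected "1.0.1" prefix, and suffixed builds like "1.0.1e-fips" are still caught.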



  • 26.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Broadcom Employee
    Posted Apr 21, 2014 04:23 AM

    >>

    VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

    Applied - no reboot required

    >>

    The reboot is required. Both KB 2076586 and KB 2076120 mention that a reboot is required after patching ESX. Could you please point to any documentation or observation which says that no reboot is required?



  • 27.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 21, 2014 04:58 AM

    Obviously just reboot, if you can afford it.

    I observed via the heartbleed python script it was cleared (I'm referring to the https API)



  • 28.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 21, 2014 06:26 PM

    Has anyone experienced this when trying to generate new SSL certs per the knowledge base article?

    /sbin/generate-certificates

    WARNING: can't open config file: /usr/ssl/openssl.cnf



  • 29.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 22, 2014 09:00 AM

    Yes, same here looking into it & your post was the first I found relating to ESXi - did you find a workaround?



  • 30.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 22, 2014 12:26 PM

    Hey

    Not sure if this helps, but I created an ssl folder under /usr, then used vi to create a blank openssl.cnf file, saved it in /usr/ssl/, and reran generate-certificates, and it allowed me to create new certificates. Make sure you restart the host afterwards.



  • 31.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Broadcom Employee
    Posted Apr 24, 2014 05:00 AM


  • 32.  RE: Patch for ESXi SSL Heartbleed vulnerability?

    Posted Apr 26, 2014 09:18 PM

    New valuable content for this issue was published:

    Posted on April 25, 2014 by Rick Blythe:
    Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs