
Heartbleed is a software bug in the open-source cryptography library OpenSSL that allows an attacker to read the memory of a server or a client: with specially forged heartbeat packets, (small) portions of the victim's memory can be read. This could expose some data, potentially including confidential data.

Heartbleed.com has a detailed explanation of the issue, which lies in the “heartbeat” extension of OpenSSL’s implementation of the transport layer security (TLS) protocol. The bug has been in the wild since March 2012 and affects all versions from OpenSSL 1.0.1 through 1.0.1f.

You need to upgrade the OpenSSL binaries if you are running services with SSL, but you also have to change your passwords (or your certificates) if you are using (or have used) affected services (see also The Heartbleed Hit List: The Passwords You Need to Change Right Now).

On the VMware side some products and services are affected and others are not (ironically, older product versions are not affected, because they bundle OpenSSL libraries released before 2012).

You can start from this post: VMware products and the Heartbleed OpenSSL issue, CVE-2014-0160, or from VMware Knowledge Base article 2076225, which includes the results of the ongoing investigation into the Heartbleed OpenSSL issue. Of course all VMware products that ship with OpenSSL 1.0.1 are affected by the issue, and the main one affected is ESXi 5.5 (see ESXi 5.5 vulnerable to OpenSSL Heartbleed bug).

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected:

  • ESXi 5.5
  • vCenter Server 5.5
  • VMware Fusion 6.0.x
  • VMware vCloud Automation Center (vCAC) 5.1.x
  • VMware vCloud Automation Center (vCAC) 5.2.x
  • VMware Horizon Mirage 4.4.0
  • vFabric Web Server 5.0.x – 5.3.x (For remediation details, see the Security Advisory on Critical Updates to vFabric Web Server document.)

About VMware Services and public cloud services, the most important aspect is that vCloud Hybrid Service is not affected by the OpenSSL “Heartbleed bug”. This VMware Service was found to be affected and has been remediated:

These VMware Services were found to be unaffected:

  • Horizon DaaS
  • VMware vCloud Hybrid Service
  • VMware IT Business Management Suite
  • AirWatch MDM

Post edit

On Saturday, April 19th, VMware released new versions of the vSphere ESXi patches and of vCenter Server to fix this issue. For more information see Heartbleed Security Bug fixes for VMware.

The new build of vCenter 5.5 is 1750795 (up from 1623101, which was 5.5 U1) and the new build of ESXi 5.5 is 1746018 (up from 1623387, which was the latest version until now).
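As a worked example of the two checks this post implies (the affected OpenSSL range 1.0.1 through 1.0.1f given above, and the fixed vCenter 5.5 / ESXi 5.5 build numbers just listed), here is a small Python triage script. It is added here and is not code from VMware or from this blog. It assumes the `vmware -v` banner format on an ESXi host (`VMware ESXi 5.5.0 build-NNNNNNN`), encodes only the fixed builds and version range stated in this post, and the host names and banners in the sample inventory are constructed. One caveat is built in: Linux distributions backport fixes without bumping the OpenSSL letter, so a banner-based "vulnerable" verdict needs confirming against the vendor's package changelog before you act on it.

```python
import re

# Affected OpenSSL range as stated in the post: 1.0.1 through 1.0.1f (1.0.1g fixes it).
AFFECTED_OPENSSL_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# First fixed builds from the post's update: vCenter 5.5 build 1750795, ESXi 5.5 build 1746018.
# Only the versions the post names are listed; anything else is reported as "not in scope".
FIXED_BUILDS = {
    ("ESXi", (5, 5)): 1746018,
    ("vCenter Server", (5, 5)): 1750795,
}

OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Assumed 'vmware -v' output format on an ESXi host: "VMware ESXi 5.5.0 build-1623387"
VMWARE_V_RE = re.compile(r"VMware (ESXi)\s+(\d+)\.(\d+)\.\d+\s+build-(\d+)")


def parse_openssl_version(banner):
    """Turn 'openssl version' output (e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013')
    into (major, minor, patch, letter); letter is '' for a bare release like 1.0.1."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def openssl_banner_vulnerable(banner):
    """True if the reported version falls in 1.0.1 .. 1.0.1f, False otherwise.
    Caveat: distros backport the fix without changing the letter, so confirm a
    True verdict against the package changelog before acting on it."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("no OpenSSL version string in %r" % banner)
    major, minor, patch, letter = parsed
    if (major, minor, patch) != AFFECTED_OPENSSL_BRANCH:
        return False
    # '' (plain 1.0.1) sorts before 'a', so the bare release is included.
    return letter <= LAST_AFFECTED_LETTER


def parse_vmware_v(banner):
    """Parse ESXi 'vmware -v' output into (product, major, minor, build)."""
    m = VMWARE_V_RE.search(banner)
    if not m:
        return None
    product, major, minor, build = m.groups()
    return product, int(major), int(minor), int(build)


def vmware_build_vulnerable(product, major_minor, build):
    """True if the build predates the first fixed build for that product/version,
    False if it is the fixed build or later, None if the post lists no fixed build
    for it (older releases, which bundle a pre-1.0.1 OpenSSL)."""
    fixed = FIXED_BUILDS.get((product, tuple(major_minor)))
    if fixed is None:
        return None
    return build < fixed


def triage_esxi_hosts(host_banners):
    """Map host name -> verdict for a dict of {host: 'vmware -v' output}."""
    labels = {True: "patch required", False: "fixed", None: "not in scope"}
    verdicts = {}
    for host, banner in host_banners.items():
        parsed = parse_vmware_v(banner)
        if parsed is None:
            verdicts[host] = "unparsed"
            continue
        product, major, minor, build = parsed
        verdicts[host] = labels[vmware_build_vulnerable(product, (major, minor), build)]
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory: host names and banners are made up for the example.
    sample = {
        "esx01.lab.example": "VMware ESXi 5.5.0 build-1623387",
        "esx02.lab.example": "VMware ESXi 5.5.0 build-1746018",
        "esx03.lab.example": "VMware ESXi 5.1.0 build-1065491",
    }
    for host, verdict in triage_esxi_hosts(sample).items():
        print("%-20s %s" % (host, verdict))
    for banner in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print("%-35s vulnerable=%s" % (banner, openssl_banner_vulnerable(banner)))
```

In practice you would feed `triage_esxi_hosts` the banners collected from each host (for example from an SSH loop or a PowerCLI export) and treat "patch required" hosts as the list to schedule for the ESXi 5.5 patch; the vCenter check uses `vmware_build_vulnerable("vCenter Server", (5, 5), build)` with the build number read from the vSphere Client "About" dialog.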

About Andrea Mauro

Virtualization & Cloud Architect. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert (2010, 2011, 2012, 2013, 2014, 2015). PernixPro 2014. Dell TechCenter Rockstar 2014. MVP 2014. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.
