-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0492.5
      Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346
                       a.k.a: "Heartbleed" (2076225)
                               24 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ESXi
                   vCenter Server
                   VMware Fusion
                   VMware vCloud Automation Center (vCAC)
                   VMware Horizon Mirage
                   vFabric Web Server
                   VMware vCloud Networking and Security
                   NSX-V
                   NVP
                   NSX-MH
                   VMware Horizon View
                   VMware Horizon View Client
                   VMware Horizon Workspace
                   VMware Horizon Workspace Client
                   VMware OVF Tool
                   VMware vCenter Converter
Publisher:         VMware
Operating System:  VMware ESX Server
                   Windows
                   Android
                   Apple iOS
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160 CVE-2014-0076
Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin:
   http://kb.vmware.com/kb/2076225

Revision History:  April 24 2014: Updated security advisory wording and
                                  clarified vCNS version numbering after
                                  customer feedback on 2014-04-22
                   April 22 2014: Updated security advisory in conjunction
                                  with the release of Workstation 10.0.2,
                                  Fusion 6.0.3, Player 6.0.2 and Horizon
                                  Workspace Client 1.8.1, NSX 6.0.4 for
                                  vSphere, Horizon View 5.3 Feature Pack 2
                                  and Horizon View Clients 2.3.3, vCenter
                                  Server 5.5.0c, vCenter Server 5.5 Update
                                  1a, ESXi 5.5, Horizon Workspace Server
                                  1.8.1, NSX for Multi-Hypervisor 4.0.2 and
                                  4.1.1, NVP 3.2.2, OVF Tool 3.5.1, vCloud
                                  Automation Center (vCAC) 6.0.1, vSphere
                                  Big Data Extensions 1.1 and Client
                                  Integration Plug-In 5.5, vCloud Director
                                  5.5.1.1
                   April 17 2014: Patches available for more products
                   April 15 2014: Patches for some products are now available
                   April 11 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0004.7
Synopsis:    VMware product updates address OpenSSL security
             vulnerabilities
Issue date:  2014-04-14
Updated on:  2014-04-22
CVE numbers: CVE-2014-0076 and CVE-2014-0160
-----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   VMware vCenter Server 5.5
   VMware vCenter Server 5.5 Update 1
   ESXi 5.5 without patch ESXi550-201404020
   ESXi 5.5 Update 1 without patch ESXi550-201404001
   VMware Workstation 10.x prior to version 10.0.2
   VMware Fusion 6.x prior to version 6.0.3
   VMware Player 6.x prior to version 6.0.2
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
   NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
   NSX 6.0.x for vSphere prior to 6.0.4
   NVP 3.x prior to 3.2.2
   Horizon Mirage Edge Gateway 4.4.x prior to 4.4.2
   Horizon View 5.3 Feature Pack 1
   Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and IOS
   Horizon View Client 2.3.x for Windows
   Horizon Workspace Server 1.0
   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
   Horizon Workspace Server 1.8.x prior to 1.8.1
   Horizon Workspace Client 1.5.x
   Horizon Workspace Client 1.8 prior to 1.8.1
   OVF Tool prior to 3.5.1
   VMware vCloud Networking and Security (vCNS) 5.5.1
   VMware vCloud Networking and Security (vCNS) 5.1.3
   vCloud Automation Center (vCAC) 6.x
   vSphere Big Data Extensions 1.1
   Client Integration Plug-In 5.5
   vCloud Director 5.5

3. Problem Description

   a. Information Disclosure vulnerability in OpenSSL third party library

      The OpenSSL library is updated to version openssl-1.0.1g to resolve
      multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.
      CVE-2014-0160 is known as the Heartbleed issue.
      More information on this issue may be found in the reference section.

      To remediate the issue for products that have updated versions or
      patches available, perform these steps:

      * Deploy the VMware product update or product patches
      * Replace certificates per the product-specific documentation
      * Reset passwords per the product-specific documentation

      Section 4 lists product-specific references to installation
      instructions and certificate management documentation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Note: Products that are not affected by these issues have been
      documented in VMware Knowledge Base article 2076225.

      VMware                          Product    Running   Replace with/
      Product                         Version    on        Apply Patch
      ==============                  =======    =======   =============
      vCenter Server                  5.5        any       5.5.0c
      vCenter Server                  5.5 U1     any       5.5 Update 1a
      ESXi                            5.5        ESXi      ESXi550-201404420
      ESXi                            5.5 U1     ESXi      ESXi550-201404401
      Workstation                     10.x       any       10.0.2 or later
      Fusion                          6.x        OSX       6.0.3 or later
      Player                          6.x        any       6.0.2 or later
      NSX for Multi-Hypervisor        4.0.x                4.0.2 or later
      NSX for Multi-Hypervisor        4.1.x                4.1.1 or later
      NSX for vSphere                 6.0.x                6.0.4 or later
      NVP                             3.x                  3.2.2 or later
      Horizon Mirage Edge Gateway     4.4.x                4.4.2 or later
      Horizon View Feature Pack *     5.3 FP 1             Feature Pack 2 or later
      Horizon View Client             2.1.x      Android   2.3.3 or later
      Horizon View Client             2.2.x      Android   2.3.3 or later
      Horizon View Client             2.3.x      Android   2.3.3 or later
      Horizon View Client             2.1.x      IOS       2.3.3 or later
      Horizon View Client             2.2.x      IOS       2.3.3 or later
      Horizon View Client             2.3.x      IOS       2.3.3 or later
      Horizon View Client             2.3.x      Windows   2.3.3 or later
      Horizon Workspace Server        1.0                  Horizon Workspace Server 1.5
                                                           and apply patch
                                                           horizon-nginx-rpm-1.5.0.0-1736237.x86_64
      Horizon Workspace Server        1.5.x                horizon-nginx-rpm-1.5.0.0-1736237.x86_64
      Horizon Workspace Server        1.8                  1.8.1 or later
                                                           ** see important note below
      Horizon Workspace Client        1.5.1      OSX       1.8.1 or later
      Horizon Workspace Client        1.5.2      OSX       1.8.1 or later
      Horizon Workspace Client        1.5.1      Windows   1.8.1 or later
      Horizon Workspace Client        1.5.2      Windows   1.8.1 or later
      Horizon Workspace Client        1.8        OSX       1.8.1 or later for Macintosh
      Horizon Workspace Client        1.8        Windows   1.8.1 or later for Windows
      OVF Tool                        3.5.0                3.5.1
      vCloud Networking and Security  5.5.1                5.5.2 or later
      vCloud Networking and Security  5.1.3                5.1.4 or later
      vCloud Automation Center (vCAC) 6.x                  6.0.1 + patch
      Big Data Extensions             1.1                  1.1 Update
      Client Integration Plug-In ***  5.5        Windows   CIP used with vSphere:
                                                 /Linux    vSphere 5.5.0c, vSphere 5.5 Update 1a
                                                           CIP used with vCloud Director:
                                                           vCD 5.5.1.1
                                                           CIP used with vCHS:
                                                           see reference in section 4

      Note:
      *   VMware Horizon View 5.3 Feature Pack 1: Only the HTML Access
          component in the Remote Experience Agent is affected
      **  Administrators that have updated to Horizon Workspace Server 1.8.1
          between 4/14/14 and 4/19/14 will need to update to the latest
          version listed in the table
      *** The Client Integration Plug-In installs the OVF Tool and is used
          with vCD, vCHS, and vSphere for browser OVF file upload

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
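The remediation table above only pays off once it is applied to a host inventory. The following is an added example, not part of the VMware advisory or the AusCERT bulletin: it triages a constructed host list against a hand-transcribed subset of the section 3 table, treating "or later" as a numeric version comparison and flagging products whose fix is a patch bundle or date-dependent for manual review. The host names, the CSV layout and the status labels are this example's own conventions.

```python
# Added example, not from VMware or AusCERT: triage a host inventory against a
# hand-transcribed subset of the section 3 fix table. Assumes plain dotted
# versions; the table's "or later" means any release >= the first fixed one.
FIX_TABLE = [
    # (product, affected-version prefix from the table, first fixed release)
    ("Workstation", "10.", (10, 0, 2)),                     # 10.x  -> 10.0.2 or later
    ("Fusion", "6.", (6, 0, 3)),                            # 6.x   -> 6.0.3 or later
    ("Player", "6.", (6, 0, 2)),                            # 6.x   -> 6.0.2 or later
    ("NSX for vSphere", "6.0.", (6, 0, 4)),                 # 6.0.x -> 6.0.4 or later
    ("NVP", "3.", (3, 2, 2)),                               # 3.x   -> 3.2.2 or later
    ("OVF Tool", "3.5.", (3, 5, 1)),                        # 3.5.0 -> 3.5.1
    ("vCloud Networking and Security", "5.5.", (5, 5, 2)),  # 5.5.1 -> 5.5.2 or later
    ("vCloud Networking and Security", "5.1.", (5, 1, 4)),  # 5.1.3 -> 5.1.4 or later
]
# Remediation here is a patch bundle or date-dependent (ESXi patch IDs, Horizon
# Workspace Server 1.8.1 installed between 4/14 and 4/19), so a version number
# alone cannot decide; flag for manual review instead of guessing.
MANUAL_REVIEW = {"ESXi", "Horizon Workspace Server"}

def parse_version(text):
    """'6.0.10' -> (6, 0, 10); tuples compare numerically, so 6.0.10 > 6.0.4."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(product, version):
    """Return 'patched', 'vulnerable', 'check-manually' or 'not-listed'."""
    if product in MANUAL_REVIEW:
        return "check-manually"
    for name, prefix, fixed in FIX_TABLE:
        if name == product and version.startswith(prefix):
            return "patched" if parse_version(version) >= fixed else "vulnerable"
    return "not-listed"  # version line not in the table (e.g. Workstation 9.x)

def triage_inventory(lines):
    """Map constructed 'host, product, version' lines to {host: status}."""
    result = {}
    for line in lines:
        host, product, version = (field.strip() for field in line.split(","))
        result[host] = triage(product, version)
    return result

# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    "ws-01, Workstation, 10.0.1",
    "mac-02, Fusion, 6.0.3",
    "edge-03, vCloud Networking and Security, 5.1.3",
    "nsx-04, NSX for vSphere, 6.0.10",
    "esx-05, ESXi, 5.5.0",
    "dev-06, Workstation, 9.0.3",
]
```

A string comparison would rank 6.0.10 below 6.0.4 and report a patched NSX host as vulnerable, which is why versions are parsed into integer tuples before the "or later" check.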
   vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a
   ----------------------------------------------------
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5
   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076692

   ESXi 5.5 / ESXi 5.5 Update 1
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/download.portal
   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076665

   Workstation 10.x
   ----------------
   https://www.vmware.com/go/downloadworkstation

   Fusion 6.x
   ----------
   https://www.vmware.com/go/downloadfusion

   VMware Player 6.x
   -----------------
   https://www.vmware.com/go/downloadplayer

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   Horizon Mirage Edge Gateway 4.4.2
   ---------------------------------
   File: VMware.Horizon.Mirage.442.41428.zip
   md5sum: 3202f5c41a99422ad66355410c45e09e
   sha1sum: a37654ac31a1a305160d4bcf5081d2f3d7ea1c20
   Release Notes, Remediation Instructions and Download:
   https://my.vmware.com/group/vmware/details?downloadGroup=MIRAGE-442&productId=322&rPId=5435

   Horizon View 5.3 Feature Pack 2
   -------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796
   Release Notes:
   https://www.vmware.com/support/view53/doc/horizon-view-53-feature-pack-2-release-notes.html

   Horizon View Client 2.3.3 for Android, IOS and Windows
   ------------------------------------------------------
   Release Notes, Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796

   Horizon Workspace Server 1.5
   ----------------------------
   File: horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
   md5sum: bc4cc609f926701cac2b199f895ab16d
   sha1sum: fa456e042698a2cb19077fbd2199d948532af0c8
   Release Notes and Download:
   http://kb.vmware.com/kb/2076551

   Horizon Workspace Server 1.8.1
   ------------------------------
   Download:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=HZNWS181
   Release Notes:
   https://www.vmware.com/support/horizon_workspace/doc/hw_release_notes_181.html

   Horizon Workspace Client 1.8.1
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?productId=323&downloadGroup=HZNWS180
   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076783

   OVF Tool 3.5.1
   --------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCloud Networking and Security 5.5.2
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255
   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_552.html
   Best practices for upgrading to VMware vCloud Networking and Security 5.5.2:
   http://kb.vmware.com/kb/2076534

   vCloud Networking and Security 5.1.4
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131
   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_514.html
   Best practices for upgrading to VMware vCloud Networking and Security 5.1.4:
   http://kb.vmware.com/kb/2076531

   vCloud Automation Center (vCAC) 6.0.1
   -------------------------------------
   Release Notes, Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076869

   Big Data Extensions 1.1 Update
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=BDE_110_GA&productId=353&rPId=5257
   Remediation Instructions:
   http://kb.vmware.com/kb/2076855

   Client Integration Plug-In (CIP)
   --------------------------------
   For vSphere 5.5:
   See vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a in this section.
   For vCD 5.5:
   vCD 5.5.1.1 Release Notes and Remediation Instructions
   http://kb.vmware.com/kb/2076891

   For vCHS:
   See http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

   VMware Knowledge Base article 2076225
   http://kb.vmware.com/kb/2076225

   The Heartbleed Bug
   http://heartbleed.com/

-----------------------------------------------------------------------

6. Change Log

   2014-04-14 VMSA-2014-0004
   Initial security advisory in conjunction with the release of Horizon
   Workspace Server 1.8 and 1.5 updates on 2014-04-14

   2014-04-15 VMSA-2014-0004.1
   Updated security advisory in conjunction with the release of Horizon
   Mirage Edge Gateway 4.4.2 patch on 2014-04-15

   2014-04-16 VMSA-2014-0004.2
   Updated security advisory in conjunction with the release of vCloud
   Networking and Security 5.5.2 and 5.1.4 on 2014-04-16

   2014-04-17 VMSA-2014-0004.3
   Updated security advisory in conjunction with the release of
   Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace
   Client 1.8.1 on 2014-04-17

   2014-04-18 VMSA-2014-0004.4
   Updated security advisory in conjunction with the release of NSX 6.0.4
   for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients
   2.3.3 on 2014-04-18

   2014-04-19 VMSA-2014-0004.5
   Updated security advisory in conjunction with the release of vCenter
   Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon
   Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1,
   NVP 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1,
   vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5 on
   2014-04-19

   2014-04-20 VMSA-2014-0004.6
   Updated security advisory in conjunction with the release of vCloud
   Director 5.5.1.1 on 2014-04-20

   2014-04-22 VMSA-2014-0004.7
   Updated security advisory wording and clarified vCNS version numbering
   after customer feedback on 2014-04-22

-----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTV+AnDEcm8Vbi9kMRAqN7AJ4pDS5eXytH/nivP5Zz8P9CrglcIwCg6wm6
TWXSwoUrfh3n/FUnFJP5NJg=
=aOWR
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================