===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.0492.5
                    Response to OpenSSL security issue
         CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" (2076225)
                               24 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ESXi
                   vCenter Server
                   VMware Fusion
                   VMware vCloud Automation Center (vCAC)
                   VMware Horizon Mirage
                   vFabric Web Server
                   VMware vCloud Networking and Security
                   NSX-V
                   NVP
                   NSX-MH
                   VMware Horizon View
                   VMware Horizon View Client
                   VMware Horizon Workspace
                   VMware Horizon Workspace Client
                   VMware OVF Tool
                   VMware vCenter Converter
Publisher:         VMware
Operating System:  VMware ESX Server
                   Windows
                   Android
                   Apple iOS
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160 CVE-2014-0076 

Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin: 
   http://kb.vmware.com/kb/2076225

Revision History:  April 24 2014: Updated security advisory wording and clarified vCNS version numbering after customer feedback on 2014-04-22
                   April 22 2014: Updated security advisory in conjunction with the release of Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace Client 1.8.1,  NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients 2.3.3, vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1, NVP 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5, vCloud Director 5.5.1.1
                   April 17 2014: Patches available for more products
                   April 15 2014: Patches for some products are now available
                   April 11 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0004.7
Synopsis:    VMware product updates address OpenSSL security vulnerabilities
Issue date:  2014-04-14
Updated on:  2014-04-22
CVE numbers: CVE-2014-0076 and CVE-2014-0160
-----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   VMware vCenter Server 5.5
   VMware vCenter Server 5.5 Update 1

   ESXi 5.5 without patch ESXi550-201404020
   ESXi 5.5 Update 1 without patch ESXi550-201404001

   VMware Workstation 10.x prior to version 10.0.2

   VMware Fusion 6.x prior to version 6.0.3

   VMware Player 6.x prior to version 6.0.2

   NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
   NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
   NSX 6.0.x for vSphere prior to 6.0.4
   NVP 3.x prior to 3.2.2

   Horizon Mirage Edge Gateway 4.4.x prior to 4.4.2

   Horizon View 5.3 Feature Pack 1 
   Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and iOS
   Horizon View Client 2.3.x for Windows

   Horizon Workspace Server 1.0
   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
   Horizon Workspace Server 1.8.x prior to 1.8.1

   Horizon Workspace Client 1.5.x
   Horizon Workspace Client 1.8 prior to 1.8.1

   OVF Tool prior to 3.5.1

   VMware vCloud Networking and Security (vCNS) 5.5.1
   VMware vCloud Networking and Security (vCNS) 5.1.3

   vCloud Automation Center (vCAC) 6.x
 
   vSphere Big Data Extensions 1.1

   Client Integration Plug-In 5.5

   vCloud Director 5.5

3. Problem Description

   a. Information Disclosure vulnerability in OpenSSL third party library

      The OpenSSL library is updated to version openssl-1.0.1g to 
      resolve multiple security issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.

      CVE-2014-0160 is known as the Heartbleed issue. More information
      on this issue may be found in the reference section.
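      Added triage example (not from the VMware advisory or the AusCERT bulletin): a Python script that classifies "openssl version" banners against the Heartbleed range published at heartbleed.com, which the advisory references (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, the version the advisory updates to, and the 1.0.0 and 0.9.8 branches not). The hostnames and banners in the sample inventory are constructed, and because vendors often backport the fix without changing the version string, a "vulnerable" result is a prompt to check the vendor's patch table rather than a confirmed finding.

```python
"""Triage OpenSSL version banners for CVE-2014-0160 (Heartbleed).

Added example, not part of the VMware advisory. Affected range as published
at heartbleed.com: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable;
1.0.1g (the version the advisory updates to), 1.0.2-beta2 onward and the
1.0.0 / 0.9.8 branches are not. Vendors often backport the fix without
changing the version string, so "vulnerable" means "check the patch table".
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" and "OpenSSL 1.0.2-beta1 ...".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE)

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "" for the first release of a branch, then "a", "b", ...
    pre: str     # "" for a final release, else e.g. "beta1"

def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Pull the version out of an 'openssl version' banner; None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch),
                          letter.lower(), (pre or "").lower())

def heartbleed_status(v: OpenSSLVersion) -> str:
    """Classify one parsed version as vulnerable, fixed or unaffected."""
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        # The heartbeat extension shipped in 1.0.1; 1.0.1g removed the bug.
        return "fixed" if v.letter >= "g" else "vulnerable"
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return "vulnerable" if v.pre == "beta1" else "fixed"
    # 1.0.0, 0.9.8 and earlier never had the heartbeat code.
    return "unaffected"

def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map host -> status for (host, banner) pairs; unparsable -> 'unknown'."""
    report = {}
    for host, banner in inventory:
        v = parse_version(banner)
        report[host] = heartbleed_status(v) if v else "unknown"
    return report

# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("vcenter01.example.test", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("esxi-patched.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-appliance.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("dev-box.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("no-openssl.example.test", "openssl: command not found"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```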

      To remediate the issue for products that have updated versions or 
      patches available, perform these steps: 

        * Deploy the VMware product update or product patches
        * Replace certificates per the product-specific documentation
        * Reset passwords per the product-specific documentation

      Section 4 lists product-specific references to installation 
      instructions and certificate management documentation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Note: Products that are not affected by these issues have been 
      documented in VMware Knowledge Base article 2076225.

      VMware                            Product   Running        Replace with/
      Product                           Version   on             Apply Patch
      ================================  ========  =============  =========================
      vCenter Server                    5.5       any            5.5.0c
      vCenter Server                    5.5 U1    any            5.5 Update 1a
      ESXi                              5.5       ESXi           ESXi550-201404420
      ESXi                              5.5 U1    ESXi           ESXi550-201404401
      Workstation                       10.x      any            10.0.2 or later
      Fusion                            6.x       OSX            6.0.3 or later
      Player                            6.x       any            6.0.2 or later

      NSX for Multi-Hypervisor          4.0.x                    4.0.2 or later
      NSX for Multi-Hypervisor          4.1.x                    4.1.1 or later
      NSX for vSphere                   6.0.x                    6.0.4 or later
      NVP                               3.x                      3.2.2 or later
      Horizon Mirage Edge Gateway       4.4.x                    4.4.2 or later
      Horizon View Feature Pack *       5.3 FP 1                 Feature Pack 2 or later
      Horizon View Client               2.1.x     Android        2.3.3 or later
      Horizon View Client               2.2.x     Android        2.3.3 or later
      Horizon View Client               2.3.x     Android        2.3.3 or later
      Horizon View Client               2.1.x     iOS            2.3.3 or later
      Horizon View Client               2.2.x     iOS            2.3.3 or later
      Horizon View Client               2.3.x     iOS            2.3.3 or later
      Horizon View Client               2.3.x     Windows        2.3.3 or later

      Horizon Workspace Server          1.0                      Horizon Workspace Server 1.5
                                                                 and apply patch
                                                                 horizon-nginx-rpm-1.5.0.0-1736237.x86_64

      Horizon Workspace Server          1.5.x                    horizon-nginx-rpm-1.5.0.0-1736237.x86_64
      Horizon Workspace Server          1.8                      1.8.1 or later **
                                                                 (see important note below)

      Horizon Workspace Client          1.5.1     OSX            1.8.1 or later
      Horizon Workspace Client          1.5.2     OSX            1.8.1 or later
      Horizon Workspace Client          1.5.1     Windows        1.8.1 or later
      Horizon Workspace Client          1.5.2     Windows        1.8.1 or later
      Horizon Workspace Client          1.8       OSX            1.8.1 or later
      for Macintosh
      Horizon Workspace Client          1.8       Windows        1.8.1 or later
      for Windows
      OVF Tool                          3.5.0                    3.5.1
      vCloud Networking and Security    5.5.1                    5.5.2 or later
      vCloud Networking and Security    5.1.3                    5.1.4 or later
      vCloud Automation Center (vCAC)   6.x                      6.0.1 + patch
      Big Data Extensions               1.1                      1.1 Update
      Client Integration Plug-In ***    5.5       Windows/Linux  CIP used with vSphere: vSphere 5.5.0c,
                                                                 vSphere 5.5 Update 1a
                                                                 CIP used with vCloud Director: vCD 5.5.1.1
                                                                 CIP used with vCHS: see reference in section 4
   Note:

   *   VMware Horizon View 5.3 Feature Pack 1: Only the HTML Access
       component in the Remote Experience Agent is affected

   **  Administrators that have updated to Horizon Workspace Server 1.8.1
       between 4/14/14 and 4/19/14 will need to update to the latest
       version listed in the table

   *** The Client Integration Plug-In installs the OVF Tool and is used
       with vCD, vCHS, and vSphere for browser OVF file upload

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file. 

   vCenter Server 5.5.0c / vCenter Server 5.5 Update 1a
   ----------------------------------------------------
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076692

   ESXi 5.5 / ESXi 5.5 Update 1
   ---------------------------- 
   Download:
   https://www.vmware.com/patchmgr/download.portal

   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076665

   Workstation 10.x
   ----------------
   https://www.vmware.com/go/downloadworkstation

   Fusion 6.x
   ----------
   https://www.vmware.com/go/downloadfusion

   VMware Player 6.x
   -----------------
   https://www.vmware.com/go/downloadplayer

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   Horizon Mirage Edge Gateway 4.4.2
   ---------------------------------
   File: VMware.Horizon.Mirage.442.41428.zip
   md5sum: 3202f5c41a99422ad66355410c45e09e 
   sha1sum: a37654ac31a1a305160d4bcf5081d2f3d7ea1c20
   
   Release Notes, Remediation Instructions and Download:
   https://my.vmware.com/group/vmware/details?downloadGroup=MIRAGE-442&productId=322&rPId=5435

   Horizon View 5.3 Feature Pack 2
   -------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796

   Release Notes:
   https://www.vmware.com/support/view53/doc/horizon-view-53-feature-pack-2-release-notes.html
 
   Horizon View Client 2.3.3 for Android, iOS and Windows
   ------------------------------------------------------
   Release Notes, Remediation Instructions and Download:
   http://kb.vmware.com/kb/2076796

   Horizon Workspace Server 1.5
   ----------------------------
   File: horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm
   md5sum: bc4cc609f926701cac2b199f895ab16d
   sha1sum: fa456e042698a2cb19077fbd2199d948532af0c8

   Release Notes and Download: 
   http://kb.vmware.com/kb/2076551

   Horizon Workspace Server 1.8.1
   ------------------------------
   Download: 
   https://my.vmware.com/group/vmware/get-download?downloadGroup=HZNWS181

   Release Notes:
   https://www.vmware.com/support/horizon_workspace/doc/hw_release_notes_181.html

   Horizon Workspace Client 1.8.1
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?productId=323&downloadGroup=HZNWS180
  
   Release Notes and Remediation Instructions: 
   http://kb.vmware.com/kb/2076783

   OVF Tool 3.5.1 
   ---------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCloud Networking and Security 5.5.2
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_552.html

   Best practices for upgrading to VMware vCloud Networking and Security 5.5.2:
   http://kb.vmware.com/kb/2076534

   vCloud Networking and Security 5.1.4
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   Release Notes and Remediation Instructions:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_514.html

   Best practices for upgrading to VMware vCloud Networking and Security 5.1.4:
   http://kb.vmware.com/kb/2076531

   vCloud Automation Center (vCAC) 6.0.1
   -------------------------------------
   Release Notes, Remediation Instructions and Download: 
   http://kb.vmware.com/kb/2076869

   Big Data Extensions 1.1 Update
   ------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=BDE_110_GA&productId=353&rPId=5257

   Remediation Instructions:
   http://kb.vmware.com/kb/2076855

   Client Integration Plug-In (CIP)
   --------------------------------
   For vSphere 5.5: See vCenter Server 5.5.0c / vCenter Server 5.5 
   Update 1a in this section.

   For vCD 5.5: vCD 5.5.1.1
   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2076891

   For vCHS: See
   http://blogs.vmware.com/vcloud/2014/04/ovf-upload-browser-plugin-vuln.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

   VMware Knowledge Base article 2076225. 
   http://kb.vmware.com/kb/2076225
 
   The Heartbleed Bug
   http://heartbleed.com/

-----------------------------------------------------------------------

6. Change Log

   2014-04-14 VMSA-2014-0004
   Initial security advisory in conjunction with the release of
   Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14

   2014-04-15 VMSA-2014-0004.1
   Updated security advisory in conjunction with the release of 
   Horizon Mirage Edge Gateway 4.4.2 patch on 2014-04-15

   2014-04-16 VMSA-2014-0004.2
   Updated security advisory in conjunction with the release of    
   vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16

   2014-04-17 VMSA-2014-0004.3
   Updated security advisory in conjunction with the release of 
   Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon
   Workspace Client 1.8.1 on 2014-04-17

   2014-04-18 VMSA-2014-0004.4
   Updated security advisory in conjunction with the release of 
   NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and
   Horizon View Clients 2.3.3 on 2014-04-18

   2014-04-19 VMSA-2014-0004.5
   Updated security advisory in conjunction with the release of 
   vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, 
   Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and
   4.1.1, NVP 3.2.2, OVF Tool 3.5.1, vCloud Automation Center 
   (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration
   Plug-In 5.5 on 2014-04-19

   2014-04-20 VMSA-2014-0004.6
   Updated security advisory in conjunction with the release of vCloud
   Director 5.5.1.1 on 2014-04-20

   2014-04-22 VMSA-2014-0004.7
   Updated security advisory wording and clarified vCNS version
   numbering after customer feedback on 2014-04-22

-----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================