Security Response to CERT Alert TA04-078A: Installing OpenSSL Patch to Correct CERT Vulnerabilities in VMware GSX Server 2.5.1 (1256)
Is GSX Server 2.5.1 exposed to the OpenSSL denial of service vulnerabilities reported in the following advisories and alerts?
- OpenSSL Security Advisory [17 March 2004] (www.openssl.org/news/secadv_20040317.txt)
- CERT Technical Cyber Security Alert TA04-078A (www.us-cert.gov/cas/techalerts/TA04-078A.html)
- CAN-2004-0079 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079)
- CAN-2004-0112 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112)
- CAN-2004-0081 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081)
What is VMware's response?
Both the Linux and Windows versions of VMware GSX Server 2.5.1 Patch 1 build 5336, and all previous GSX Server 2.x.x releases make use of OpenSSL to provide SSL security for VMware Management Interface and VMware Remote Console sessions. On March 17, 2004, an OpenSSL Security Advisory was posted identifying SSL/TLS handshake vulnerabilities that could cause OpenSSL to crash. Such a crash would interrupt GSX Server management interface and remote console sessions.
GSX Server 2.5.1 Patch 1 build 5336 and all previous GSX Server 2.x.x releases use versions of OpenSSL which are subject to the vulnerabilities described in the links to the above advisories. VMware highly recommends you upgrade to version GSX Server 2.5.2, which uses OpenSSL version 0.9.7d. This version of OpenSSL has fixes for the above vulnerabilities.
If you are a VMware GSX Server customer with an active product support and subscription service, you can download GSX Server 2.5.2 from the download section of the VMware Web site. Go to www.vmware.com/download/ and look under Previous Versions.
VMware GSX Server 3.0.0 build 7592 uses a version of OpenSSL subject to the vulnerabilities linked above. See Knowledge Base article 1257 at www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1257 for instructions on applying the patch to that version.
VMware GSX Server 1.0.x does not use OpenSSL and is therefore not subject to the above vulnerabilities.