Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" (2076225)

Purpose

The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed "Heartbleed" (CVE-2014-0160, CVE-2014-0346).

This article reflects the status of the ongoing investigation.
 

Note: This article is applicable to these products:

  • VMware Horizon DaaS Bundle (VDI/RDSH Edition)
  • VMware Horizon Air
  • VMware Horizon DaaS On Premise Platform

Resolution

This is a response to the current situation with the software security vulnerability dubbed Heartbleed:

The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation.

VMware has released product updates and patches for all affected products in this article.

Product releases that have an updated version or patches are currently listed in VMware Security Advisory VMSA-2014-0004.

See the lists below for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while more updates are being prepared.

Resolution/mitigation

To remediate the issue for products that have updated versions or patches available, perform these measures in the order listed:
  • Deploy the VMware product update or product patches that address CVE-2014-0160
  • Replace certificates according to instructions in the product documentation
  • Reset passwords according to instructions in the product documentation
Section 4 of VMware Security Advisory VMSA-2014-0004 lists product-specific references to installation instructions and certificate management documentation.

Note: If you encounter an issue during the upgrade process, file a support request with VMware Technical Support and note the Knowledge Base article ID you are using in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).

By deploying vSphere 5.5 (and other relevant VMware products) on an isolated management network, the exposure to CVE-2014-0160 is reduced. Hosting vSphere components directly on the Internet is strongly discouraged. Virtual machines that are exposed to the Internet should be updated in case they are affected. For the latter, refer to the instructions by the operating system provider.
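The script below is an added worked example for the three-step procedure above; it is not VMware's code and is not taken from VMSA-2014-0004. It classifies an `openssl version` string against the ranges published in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug, 1.0.1g and 1.0.2-beta2 contain the fix; 0.9.8 and 1.0.0 never had the TLS heartbeat extension, which is why the product lists in this article treat them as unaffected), and then works out which of the steps (update, certificate replacement, password reset) are still outstanding for a host, enforcing the ordering that matters: a certificate is only considered replaced if it was issued after the fixed build went in, and passwords only count as reset if that happened after the new certificate was installed. The host names, the `Host` record layout and the inventory records are constructed for the example; the version check is a triage heuristic, not proof, because some distributions back-port the fix without changing the version letter.

```python
"""Triage helper for CVE-2014-0160 ("Heartbleed") remediation.

Added example, not VMware's code. Host records are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Per the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable,
# 1.0.1g and 1.0.2-beta2 are fixed. 0.9.8 and 1.0.0 never had the heartbeat
# extension, so they are unaffected (matching the version-based lists in this KB).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def is_vulnerable_openssl(version: str) -> bool:
    """Classify an `openssl version` string such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Caveat: distributions that back-port the fix keep the old letter (the
    package revision changes instead), so True means "inspect this host",
    not "proven vulnerable". For VMware products the advisory is authoritative.
    """
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # '' (plain 1.0.1) and a..f are vulnerable
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False


@dataclass
class Host:
    """Constructed inventory record (assumed layout, not a VMware data model)."""
    name: str
    openssl_version: str                        # what the host reports now
    patched_at: Optional[datetime] = None       # when the fixed build was deployed
    cert_not_before: Optional[datetime] = None  # NotBefore of the TLS cert now installed
    passwords_reset_at: Optional[datetime] = None


def remediation_steps(host: Host) -> list[str]:
    """Return the outstanding steps in the order the KB prescribes.

    Update first: a certificate issued while the server is still vulnerable can
    leak again. Then replace the certificate, then reset passwords, because
    credentials sent over sessions protected by the old key may have been read.
    """
    if is_vulnerable_openssl(host.openssl_version):
        return ["deploy update", "replace certificate", "reset passwords"]
    if host.patched_at is None:
        return []  # never ran a vulnerable build: nothing to do
    steps: list[str] = []
    cert_ok = host.cert_not_before is not None and host.cert_not_before >= host.patched_at
    if not cert_ok:
        steps.append("replace certificate")
    # A password reset only counts if it happened after the patch AND after the
    # replacement certificate; with no good cert yet, a reset is always pending.
    reset_after = max(host.patched_at, host.cert_not_before) if cert_ok else None
    if (reset_after is None or host.passwords_reset_at is None
            or host.passwords_reset_at < reset_after):
        steps.append("reset passwords")
    return steps


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed inventory; the names and timestamps are made up for the example.
SAMPLE_HOSTS = [
    Host("mgmt-appliance-1", "OpenSSL 1.0.1e 11 Feb 2013"),                 # not yet updated
    Host("esx-host-a", "OpenSSL 1.0.0l 6 Jan 2014"),                        # never affected
    Host("web-portal-1", "OpenSSL 1.0.1g 7 Apr 2014",
         patched_at=_utc("2014-04-10T02:00:00"),
         cert_not_before=_utc("2013-06-01T00:00:00")),                      # updated, old cert
    Host("web-portal-2", "OpenSSL 1.0.1g 7 Apr 2014",
         patched_at=_utc("2014-04-10T02:00:00"),
         cert_not_before=_utc("2014-04-11T00:00:00"),
         passwords_reset_at=_utc("2014-04-12T09:00:00")),                   # fully remediated
]


def triage(hosts=SAMPLE_HOSTS) -> dict[str, list[str]]:
    """Map each host name to its outstanding remediation steps."""
    return {h.name: remediation_steps(h) for h in hosts}


if __name__ == "__main__":
    for name, steps in triage().items():
        print(f"{name:18s} {', '.join(steps) or 'done'}")
```

Feeding real inventory into `Host` records (version from `openssl version` or the product build number, certificate NotBefore from the installed certificate) turns this into a checklist that catches the common mistake of re-keying before the update is in place.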

Affected VMware products

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected:

Unaffected VMware products

This VMware product ships with OpenSSL 1.0.1, but it has been confirmed to use OpenSSL in a way that renders it not vulnerable to the OpenSSL Heartbleed issue:
  • VMware vRealize Automation (formerly known as vCloud Automation Center) 5.x
These VMware products that ship with OpenSSL 0.9.8 or 1.0.0 have been confirmed to be unaffected:
  • ESXi/ESX 4.x
  • ESXi 5.0
  • ESXi 5.1
  • Virtual Disk Development Kit (VDDK)
  • VIX API
  • VMware Client Integration Plug-In (CIP) version 5.1 and below
  • VMware vCloud Connector
  • VMware vCloud Usage Meter
  • VMware Data Recovery (VDR)
  • VMware Fusion 5.x
  • VMware Player 5.x
  • VMware Workstation 9.x
  • VMware Horizon Mirage 4.3.x and earlier
  • VMware Horizon Mirage 4.4.x (except the Gateway component)
  • VMware Horizon View 5.x
  • VMware Horizon View 5.2 Feature Pack 1
  • VMware Horizon View 5.2 Feature Pack 2
  • VMware Horizon View 5.3 Feature Pack 1 (all components except the HTML Access component in the Remote Experience Agent)
  • VMware Horizon View Client for Android 1.x, 2.0.x
  • VMware Horizon View Client for iOS 1.x, 2.0.x
  • VMware Horizon View Client for Linux (all versions)
  • VMware Horizon View Client for Mac (all versions)
  • VMware Horizon View Client for Windows 2.1.x, 2.2.x, 5.x
  • VMware Horizon View Client for Windows Store (all versions)
  • VMware Horizon View Client for Windows with Local Mode Option 5.x
  • VMware Horizon Workspace Client for Macintosh 1.0.0
  • VMware Horizon Workspace Client for Macintosh 1.5.0
  • VMware Horizon Workspace Client for Windows 1.0.0
  • VMware Horizon Workspace Client for Windows 1.5.0
  • VMware OVF tool 3.1.0 and below
  • VMware Service Manager
  • VMware ThinApp
  • VMware Update Manager (VUM)
  • VMware vCenter Certificate Automation Tool
  • VMware vRealize Configuration Manager (formerly known as VMware vCenter Configuration Manager)
  • VMware vCenter Multi-Hypervisor Manager 1.x for Windows
  • VMware vCenter Chargeback Manager
  • VMware vCenter Converter (P2V)
  • VMware vRealize Infrastructure Navigator (formerly known as VMware vCenter Infrastructure Navigator)
  • VMware vCenter Lab Manager
  • VMware vRealize Log Insight (formerly known as VMware vCenter Log Insight)
  • VMware vRealize Operations Manager (formerly known as VMware vCenter Operations Manager)
  • VMware vRealize Orchestrator (formerly known as VMware vCenter Orchestrator)
  • VMware vCenter Server 4.x
  • VMware vCenter Server 5.0
  • VMware vCenter Server 5.1
  • VMware vCenter Server Appliance (vCSA) 5.x

    Note: The version of the Client Integration Plug-In (CIP) used with vSphere Web Client 5.5 is affected (see above). The Client Integration Plug-In is part of vCenter Server 5.5 and of vCenter Server Appliance 5.5. To remediate CIP 5.5, you must update vCenter Server 5.5 or vCenter Server Appliance 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.

  • VMware vCenter Server Heartbeat
  • VMware vCenter Site Recovery Manager (SRM)
  • VMware vCenter Support Assistant
  • VMware vRealize Application Services (formerly known as VMware vCloud Application Director)
  • VMware vCloud Director (vCD)

    Note: The version of the Client Integration Plug-In (CIP) used with vCloud Director 5.5 is affected (see above). To remediate CIP 5.5, you must update vCloud Director 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.

  • VMware vCloud Networking and Security (vCNS) 5.1.2 and below
  • VMware vCloud Networking and Security (vCNS) 5.5.0 and 5.5.0a
  • VMware vFabric Data Director
  • VMware vFabric Postgres
  • VMware View 4.x
  • VMware Virsto
  • VMware vSphere Client
  • VMware vSphere Data Protection (vDP)
  • VMware vSphere Management Assistant (vMA)
  • VMware vSphere Replication
  • VMware vSphere Storage Appliance (VSA)

Affected Partner Products

This product from a VMware partner ships with OpenSSL 1.0.1 and was found to be affected:

Remediated VMware Services

This VMware Service was found to be affected and has been remediated:

Unaffected VMware Services

These VMware Services were found to be unaffected:

Additional Information

This article is updated as more information becomes available. To be alerted when this article is updated, click Subscribe to Document in the Actions box.

For information on VMware Customer Portals and web sites that may be affected by this issue, see Impact of OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" on VMware Customer Portals and web sites (2076353).


Update History

04/09/2014 - Updated list of affected and unaffected products
04/10/2014 - Updated list of affected and unaffected products
04/10/2014 - Updated list of affected and unaffected products (2nd update)
04/11/2014 - Updated the Resolution/Mitigation section
04/11/2014 - Updated list of affected and unaffected products
04/12/2014 - Updated list of affected and unaffected products
04/13/2014 - Added statement on expected update releases
04/14/2014 - Updated list of affected and unaffected products
04/14/2014 - Updated list of affected and unaffected products and added information on VMware Security Advisory VMSA-2014-0004
04/15/2014 - Updated list of affected products
04/16/2014 - Updated list of affected products and added information on remediated VMware products
04/17/2014 - Updated list of affected and unaffected products and added information on remediated VMware products
04/18/2014 - Updated list of affected and unaffected products and added information on remediated VMware products
04/19/2014 - Updated list of affected and unaffected products and added information on remediated VMware products
04/19/2014 - Updated list of unaffected products and added a statement discussing progress on the remediation effort (2nd update)
04/20/2014 - Added information on remediated VMware products and updated statement on remediation effort progress
04/22/2014 - Updated list of affected and unaffected products and added an affected partner products section
04/23/2014 - Updated list of unaffected products
04/25/2014 - Updated list of unaffected products
