
Remediation steps on critical updates to Horizon Workspace Server regarding CVE-2014-0160 Heartbleed vulnerability (2076551)

Symptoms

Horizon Workspace Server requires an update to resolve a security issue found in the OpenSSL 1.0.1 library.

Purpose

This article describes Horizon Workspace Server security updates of OpenSSL components.

The patch must be applied immediately to fix the critical security vulnerability reported in CVE-2014-0160. Details on this vulnerability can be found in VMware Security Advisory VMSA-2014-0004.

This advisory applies to these releases:
  • Horizon Workspace Server 1.5.x
  • Horizon Workspace Server 1.8.0

Resolution

The provided Horizon Workspace Server patch must be applied immediately to fix the critical security vulnerability reported in CVE-2014-0160.

This patch updates the OpenSSL library to version 1.0.1g.

| Product Name | Version | Patch File | Checksum |
|---|---|---|---|
| Horizon Workspace Server | 1.5.x | horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm | MD5 = bc4cc609f926701cac2b199f895ab16d; SHA1 = fa456e042698a2cb19077fbd2199d948532af0c8 |
| Horizon Workspace Server | 1.8.0 | horizon-nginx-rpm-1.8.1.1810-1736201.x86_64.rpm | MD5 = 06700c790119a4ac4780628f258f0983; SHA1 = 0c4186e56f7c08b4323d1004ea94251fb74812d5 |

Installation instructions

  1. Download the appropriate patch file for your Horizon Workspace Server version.
  2. Copy the patch file to all gateway-va machines in your Horizon Workspace vApp.
  3. Log in to a gateway-va machine as root.
  4. Run this command to install the required software: 

    rpm -U patch_file_name

  5. Restart the nginx service by running the command:

    /etc/rc.d/nginx restart

  6. Repeat steps 2 to 5 for all gateway-va machines in your Horizon Workspace vApp.
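
The shell functions below are an added example, not part of the original article or of VMware's tooling: they check a downloaded patch file against the SHA1 values published in the table above and only then run steps 4 and 5. They assume `sha1sum` is available on the gateway-va machine; the function names and the `/tmp` path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: refuse to install a patch RPM whose SHA1 does not match
# the value published in this article.

# Print the SHA1 this article lists for a patch file name (empty if unknown).
published_sha1() {
    case "$(basename "$1")" in
        horizon-nginx-rpm-1.5.0.0-1736237.x86_64.rpm)
            echo fa456e042698a2cb19077fbd2199d948532af0c8 ;;
        horizon-nginx-rpm-1.8.1.1810-1736201.x86_64.rpm)
            echo 0c4186e56f7c08b4323d1004ea94251fb74812d5 ;;
    esac
}

# Compute the SHA1 of a file (assumption: sha1sum from coreutils is installed).
file_sha1() {
    sha1sum < "$1" | awk '{print $1}'
}

# Return 0 only when the file exists, an expected digest is known, and the
# digests match. Return 1 on mismatch, 2 if the file is missing, 3 if the
# file name is not one listed in this article.
# The optional second argument overrides the expected digest.
verify_patch() {
    file=$1
    expected=${2:-$(published_sha1 "$file")}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    [ -n "$expected" ] || { echo "not a patch listed in the KB: $file" >&2; return 3; }
    actual=$(file_sha1 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "SHA1 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
}

# Steps 4 and 5 of the article, gated on the checksum. Run as root on gateway-va.
install_patch() {
    verify_patch "$1" || return $?
    rpm -U "$1" && /etc/rc.d/nginx restart
}

# Usage on each gateway-va machine (path is an assumption):
#   install_patch /tmp/horizon-nginx-rpm-1.8.1.1810-1736201.x86_64.rpm
```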

Post installation steps

After you have patched all your servers, review your system for what may have been compromised and take appropriate steps:

If your Horizon Workspace FQDN SSL traffic is being terminated by gateway-va:
  1. Re-generate the SSL certificate. Contact your SSL certificate vendor for details.
  2. Install a new SSL certificate on gateway-va. For more information, see the Apply an SSL Certificate from a Major or Private Certificate Authority section in Installing and Configuring Horizon Workspace.
  3. Revoke the old SSL certificate. Contact your SSL certificate vendor for details.

If your Horizon Workspace FQDN SSL traffic is being terminated by a third-party load balancer:
  1. Contact your load balancer vendor to determine steps necessary to address the OpenSSL vulnerability.
  2. Re-generate the gateway SSL certificate using these steps:

    1. Log in to the configurator-va machine as root.
    2. Run this command to generate the new certificate:

        /usr/local/horizon/lib/menu/secure/wizardssl.hzn --makesslcert gateway-va FQDN

    3. Run this command to install the new certificate:

        /usr/local/horizon/lib/menu/secure/wizardssl.hzn

Note: If the problem persists after completing the steps in this article, file a support request with VMware Support and note this KB article ID (2076551) in the problem description. For more information, see Filing a Support Request in My VMware (2006985).
