Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160 (2076665)
ESXi 5.5 and ESXi 5.5 Update1 hosts require an update to resolve the OpenSSL Heartbleed vulnerability found in the OpenSSL 1.0.1 library.
Apply this patch immediately to update OpenSSL library to fix the critical security vulnerability reported in CVE-2014-0160. Details on this vulnerability can be found in VMware Security AdvisoryVMSA-2014-0004.
For details on impact of OpenSSL Heartbleed vulnerability on VMware products and portals, see:
- Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" (2076225)
- Impact of OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" on VMware Customer Portals and web sites (2076353)
- It is recommended that you perform Remediation for vCenter Server 5.5 before you perform the steps recommended to remediate ESXi in the following section. See Resolving OpenSSL Heartbleed for vCenter Server 5.5 (2076692).
- Virtual SAN is not supported on ESXi 5.5 hosts upgraded with VMware ESXi 5.5, Patch Release ESXi550-201404020 as this does not include all bug fixes that were provided with ESXi 5.5 Update 1 including Virtual SAN GA fixes.
Two ESXi 5.5 patches have been released to update the OpenSSL library to version 1.0.1g. These updates do not impact the openssl.exe file:
- VMware ESXi 5.5, Patch Release ESXi550-201404001
Apply this patch on ESXi 5.5 hosts to resolve all issues fixed in ESXi 5.5 Update 1, and additionally the OpenSSL Heartbleed issue.
Patch bulletin ESXi550-201404401-SG contains the fix for OpenSSL Heartbleed and some other fixes.
ONLY ESXi 5.5 Update 1 hosts should be patched with this patch.
For more information about this patch release, see KB 2076120.
- VMware ESXi 5.5, Patch Release ESXi550-201404020
Do not apply this patch to ESXi 5.5 Update 1 hosts. Apply the patch to the following ESXi hosts only:
- ESXi 5.5.0 hosts
- ESXi 5.5.0 hosts patched with ESXi550-201312101-SG bulletin
- ESXi 5.5.0 hosts patched with ESXi550-201312401-BG bulletin
- ESXi 5.5.0 hosts patched with ESXi550-201403101-SG bulletin
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-standard image profile
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-no-tools image profile
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-standard image profile
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-no-tools image profile
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-standard image profile
- ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-no-tools image profile
After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, only patch your systems with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1. If you upgrade to ESXi 5.5 Update 1 after applying these patches you will need to apply ESXi550-201404401-SG before regenerating the certificates.
For more information about this patch release, see KB 2076586.
The typical way to apply patches to ESXi hosts is through the VMware Update Manager. For details, see the Installing and Administering VMware vSphere Update Manager.
For ESXi 5.5 Hosts:
Apply Patch Release ESXi550-201404020, and then apply Patch Release ESXi550-201404001
For ESXi 5.5 Update 1 Hosts:
Apply the Patch Bulletin ESXi550-201404401-SG from the Patch Release ESXi550-201404001
Post installation instructions:
Generate new self-signed certificate
- Log in to the ESXi Shell as a user with administrator privileges.
- Run commands cd /etc/vmware/ssl and ls -l
- In the directory /etc/vmware/ssl, back up any existing certificate and key to a storage persistent directory (under /vmfs/....).
mv rui.crt /vmfs/volumes/datastore1/orig.rui.crt
mv rui.key /vmfs/volumes/datastore1/orig.rui.key
- Run the command /sbin/generate-certificates to generate new certificates.
Note:: You might see the following error message:
WARNING: can't open config file: /usr/ssl/openssl.cnf
WARNING: can't open config file: /etc/pki/tls/openssl.cnf
You can ignore this message as the new certificates are generated successfully.
- To verify that the host has successfully generated new certificates, run the ls -la command and compare the time stamps of the new certificate files with orig.rui.crt and orig.rui.key
- To set the sticky bit back, run the chmod +t rui.crt and chmod +t rui.key commands.
- Restart the host.
Generating the certificates places them in the correct location. Alternatively, you can put the host into maintenance mode, install the new certificate, and then use the Direct Console User Interface (DCUI) to restart the management agents.
Note: You will need to reconnect to vCenter Server after restarting the Host. When you right-click and select Connect, the following warning message might be displayed:
Authenticity of the hosts's SSL certificate is not verified.
Close this message and re-enter the root credentials in the Host Connection wizard to successfully reconnect to the vCenter Server.
You can also configure CA signed certificates for your ESXi 5.5 hosts. For details see Configuring CA signed certificates for ESXi 5.x hosts (2015499).
- Log in to the ESXi host service console as root, either through SSH or the physical console.
Enter the current root password when prompted.
- Change the root password by running the following command:
- Enter the new root password, press Enter. Enter the password a second time to verify. ESXi warns you about nonsecure passwords, but does not prevent you from using them.
Note: If the problem persists after completing the steps in this article, file a support request with VMware Support and note this KB article ID (2076665) in the problem description. For more information, see Filing a Support Request in My VMware (2006985).