VMware Horizon View and the Heartbleed Bug (2076796)
These components of VMware Horizon View 5.3 Feature Pack 1 uses OpenSSL 1.0.1 for TLS/SSL encryption and is therefore vulnerable to this bug:
- In VMware Horizon View 5.3 Feature Pack 1, the HTML Access component of the Remote Experience Agent
These Horizon View clients also use OpenSSL 1.0.1:
- VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
- VMware Horizon View Client for Windows 2.3.x
Other Horizon View clients, servers, and agents not listed above do not use the vulnerable version of the OpenSSL library, and they are not affected by the Heartbleed bug.
If you did not deploy VMware Horizon View 5.3 Feature Pack 1 — specifically, the HTML Access component of the Remote Experience Agent — or any of the listed clients, you are not affected by this vulnerability.
If you deploy only these components of the Remote Experience Agent in View 5.3 Feature Pack 1, you are not vulnerable:
- Flash URL Redirection
- Real-Time Audio-Video
- Unity Touch
- Windows 7 Multimedia Redirection (MMR)
If you are using VMware View 5.3 Feature Pack 1, and you installed the HTML Access component of the Remote Experience Agent, you must perform these steps:
- Upgrade to the VMware View 5.3 Feature Pack 2 release.
- Download the Remote Experience Agent installer at My VMware.
32-bit installer file: VMware-Horizon-View-5.3-Remote-Experience-Agent-2.0-1744521
64-bit installer file: VMware-Horizon-View-5.3-Remote-Experience-Agent-x64-2.0-1744521
- Run the Remote Experience Agent installer. The old version is automatically removed and replaced with the new one.
- Perform these post-upgrade actions:
- If you used a CA-signed certificate on your HTML Access Agent:
- Obtain a new CA-signed certificate. For more information, see Obtaining SSL Certificates for VMware Horizon View Servers section in Obtaining SSL Certificates for VMware Horizon View Servers Guide.
- Change the certificate used by your HTML Access Agent. For more information, see Configure HTML Access Agents to Use New SSL Certificates in VMware Horizon View Feature Pack Installation and Administration section in VMware Horizon View Feature Pack Installation and Administration Guide.
- Revoke the old SSL certificate. (Contact your SSL certificate vendor for details).
- If you are using the default self-signed certificates on your HTML Access Agent, a new certificate will be generated automatically during installation.
- VMware recommends that potential users of an HTML Access Agent generate new passwords for their domain account.
32-bit installer file: VMware-Horizon-View-Client-x86-2.3.3-1745122.exe
Download for 64-bit Windows client is available at My VMware.
64-bit installer file: VMware-Horizon-View-Client-x86_64-2.3.3-1745122.exe
Frequently Asked Questions
Do I need to upgrade or change other View servers, such as View Connection Server, Transfer Server, or Security Server?
No. None of the previously released versions of those servers include the vulnerable version of the OpenSSL software.
If I installed the HTML Access component from Horizon View 5.3 Feature Pack 1 on my Connection Server, is it vulnerable?
No. That part of the installation does not include the OpenSSL software.
Will the new clients continue to work with the previous versions of View?
Yes. The upgraded clients will continue to work with View 4.x and 5.x servers.
If I installed the HTML Access component from a different Feature Pack, is it vulnerable?
No. Only Horizon View 5.3 Feature Pack 1 has the vulnerability.
Are the new, safe iOS and Android clients available from the iTunes, Amazon Android, and Google Play stores?
The updated safe clients are available from the iTunes and Google Play stores. The updated client is submitted to Amazon and should be available shortly.