
VMware assessment of OpenSSL security vulnerabilities disclosed June 5, 2014 (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470) (2079783)

Purpose

On June 5, 2014, updates for OpenSSL 0.9.8, 1.0.0 and 1.0.1 addressing several security vulnerabilities were released (OpenSSL Security Advisory [05 Jun 2014]). The VMware Security Engineering, Communications, and Response group (vSECR) has concluded its assessment of these issues for all VMware products and services. Product releases that have an updated version or patches are currently listed in VMware Security Advisory VMSA-2014-0006.

Note: This article is applicable to the following products:
  • VMware Horizon DaaS Bundle (VDI/RDSH Edition)
  • VMware Horizon Cloud with Hosted Infrastructure (formerly known as VMware Horizon Air Cloud-Hosted)
  • VMware Horizon DaaS On Premise Platform

Resolution

Products

The following OpenSSL security vulnerabilities were disclosed on June 5, 2014. We have reviewed the CVEs below and our assessment is as follows:
  • CVE-2014-0224 – Important Severity
  • CVE-2014-0198 – Moderate Severity
  • CVE-2010-5298 – Moderate Severity
  • CVE-2014-3470 – Moderate Severity
  • CVE-2014-0221 – No impact on VMware products
  • CVE-2014-0195 – No impact on VMware products
Of the disclosed vulnerabilities, only CVE-2014-0224 is rated Important. It can enable a man-in-the-middle attack and may impact VMware products.

With respect to CVE-2014-0224, US-CERT has assigned a base CVSS score of 6.4 out of 10 to this vulnerability. VMware's severity assessment assigns a rating of Important based on the number of pre-conditions that must hold for the vulnerability to be exploited: as stated in the OpenSSL advisory, the attack is only possible between a vulnerable client (all OpenSSL versions) and a vulnerable server (OpenSSL 1.0.1 and 1.0.2-beta1), with the attacker positioned on the network path between them. This aligns with the US-CERT CVSS rating. VMware's severity rating system and Security Response Policy are described on the Security Response Policy page.
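The check a practitioner would want for CVE-2014-0224, added here as an example and not part of the VMware article or of any VMware tooling: CVE-2014-0224 is the OpenSSL "CCS injection" flaw, in which a peer accepts a ChangeCipherSpec record before key exchange has happened and so derives its session keys from an empty master secret. The probe below (Python, standard library only) completes the unencrypted part of a TLS 1.0 handshake against a server, injects an early ChangeCipherSpec, and classifies the server's reaction: a patched OpenSSL answers with an unexpected_message alert, while a vulnerable one silently switches keys and then fails to decrypt the next plaintext record, which draws a bad_record_mac (or decryption_failed) alert. The host and port, the fixed cipher-suite list, and the constructed record bytes are assumptions of this example; it only diagnoses acceptance of the out-of-order message and neither decrypts nor modifies any traffic.

```python
"""Probe a TLS server for CVE-2014-0224 (acceptance of an early ChangeCipherSpec).

Added example, not code from the VMware article. Standard library only.
"""
import socket
import struct

CONTENT_CCS = 0x14
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO_DONE = 14
ALERT_UNEXPECTED_MESSAGE = 10
ALERT_BAD_RECORD_MAC = 20
ALERT_DECRYPTION_FAILED = 21
TLS10 = b"\x03\x01"


def tls_record(content_type, body, version=TLS10):
    """Wrap body in a TLS record header: type (1), version (2), length (2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def build_client_hello():
    """Minimal TLS 1.0 ClientHello without extensions, offering a few common CBC suites."""
    suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x000A, 0xC013, 0xC014))
    body = (TLS10
            + b"\x00" * 32      # client random: constant, this probe never finishes a handshake
            + b"\x00"           # session id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return tls_record(CONTENT_HANDSHAKE, handshake)


# The injected record: a ChangeCipherSpec sent before any ClientKeyExchange.
EARLY_CCS = tls_record(CONTENT_CCS, b"\x01")


def parse_records(buf):
    """Split buf into complete (content_type, body) records; a trailing partial record is ignored."""
    records, i = [], 0
    while i + 5 <= len(buf):
        length = struct.unpack("!H", buf[i + 3:i + 5])[0]
        if i + 5 + length > len(buf):
            break
        records.append((buf[i], buf[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def handshake_types(records):
    """Handshake message types in the (still unencrypted) handshake stream.

    Handshake record bodies are concatenated first, because a large Certificate
    message may be split across several records.
    """
    stream = b"".join(body for ctype, body in records if ctype == CONTENT_HANDSHAKE)
    types, j = [], 0
    while j + 4 <= len(stream):
        mlen = int.from_bytes(stream[j + 1:j + 4], "big")
        if j + 4 + mlen > len(stream):
            break
        types.append(stream[j])
        j += 4 + mlen
    return types


def classify(records):
    """Interpret the server's reaction to the early CCS from the alert it sends, if any."""
    for ctype, body in records:
        if ctype == CONTENT_ALERT and len(body) >= 2:
            if body[1] == ALERT_UNEXPECTED_MESSAGE:
                return "not vulnerable"   # out-of-order CCS rejected
            if body[1] in (ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED):
                return "vulnerable"       # server switched keys and could not decrypt plaintext
    return "inconclusive"


def _read_until(sock, done, timeout=3.0):
    """Read records until done(records) holds, the peer closes, or timeout elapses."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        if done(parse_records(buf)):
            break
    return parse_records(buf)


def _got_alert(records):
    return any(ctype == CONTENT_ALERT for ctype, _ in records)


def probe(host, port=443):
    """Run the check against host:port (assumed test target) and return classify()'s verdict."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_client_hello())
        flight = _read_until(sock, lambda r: HS_SERVER_HELLO_DONE in handshake_types(r) or _got_alert(r))
        if HS_SERVER_HELLO_DONE not in handshake_types(flight):
            return "inconclusive"   # handshake never reached the point where CCS can be injected
        sock.sendall(EARLY_CCS)
        verdict = classify(_read_until(sock, _got_alert))
        if verdict == "inconclusive":
            # A vulnerable server answers the first CCS with silence; a second plaintext
            # record now fails its MAC/decryption check and produces the telltale alert.
            sock.sendall(EARLY_CCS)
            verdict = classify(_read_until(sock, _got_alert))
        return verdict


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 ccs_probe.py host [port]` only against systems you are authorized to test. A server that never reaches ServerHelloDone with the offered suites returns "inconclusive" rather than a clean result, so widen the cipher-suite list before trusting that verdict; "not vulnerable" means the server rejected the out-of-order ChangeCipherSpec, which is the behaviour of patched OpenSSL and of non-OpenSSL stacks alike.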

VMware is now working on remediation for affected products in line with our Security Response Policy.

VMware's committed response time depends on the severity of the reported vulnerability.
Critical
VMware will begin work on a fix or corrective action immediately. VMware will provide the fix or corrective action to customers in the shortest commercially reasonable time.

Important
VMware will deliver a fix with the next planned maintenance or update release of the product and where relevant, VMware will release the fix in the form of a patch.

Moderate, Low
VMware will deliver a fix with the next planned minor or major release of the product.

Services

  • AirWatch MDM – Not affected
  • Horizon DaaS – Not affected
  • VMware vRealize Business Advanced and Enterprise (formerly known as IT Business Management) – Not affected
  • Socialcast – Affected and remediated on June 5, 2014
  • VMware vCloud Air – Not affected, except for vCloud Air Edge Gateway to Edge Gateway connections. Remediation complete.
