Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NEW : VMSA-2014-0006 - VMware product updates address OpenSSL security vulnerabilities
From: "\"VMware Security Response Center\"" <security () vmware com>
Date: Tue, 10 Jun 2014 20:02:41 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006
Synopsis:    VMware product updates address OpenSSL 
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-06-10 (initial release)
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and 
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   ESXi 5.5 prior to ESXi550-201406401-SG


3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)

      has assigned the names CVE-2014-0224, CVE-2014-0198, 
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is 
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL 
      Security Advisory (see Reference section below), do not affect
      any VMware products.     
  
      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and of
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below, 
      based on the different client-server configurations and
      deployment scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to 
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi and communicate to a server running a vulnerable version of 
      OpenSSL 1.0.1. can be mitigated by using a secure network such as 
      VPN (see Table 2 below).
      
      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network. 

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers. VMware recommends customers consider 
      applying patches to products listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1. 

      VMware                          Product  Running   Replace with/
      Product                         Version  on        Apply Patch 
      ==============                  =======  =======   =============
      ESXi                            5.5       ESXi     ESXi550-
                                                         201406401-SG 

      Big Data Extensions             1.1                patch pending 
      Charge Back Manager             2.6                patch pending 

      Horizon Workspace Server 
      GATEWAY                         1.8.1              patch pending 
      Horizon Workspace Server 
      GATEWAY                         1.5                patch pending 

      Horizon Workspace Server 
      DATA                            1.8.1              patch pending 

      Horizon Mirage Edge Gateway     4.4.2              patch pending 
      Horizon View                    5.3.1              patch pending 

      Horizon View Feature Pack       5.3 SP2            patch pending 

      NSX for Multi-Hypervisor        4.1.2              patch pending 
      NSX for Multi-Hypervisor        4.0.3              patch pending 
      NSX for vSphere                 6.0.4              patch pending 
      NVP                             3.2.2              patch pending 
      vCAC                            6.0.1              patch pending 

      vCloud Networking and Security  5.5.2              patch pending 
      vCloud Networking and Security  5.1.2              patch pending 

      vFabric Web Server              5.3.4              patch pending 

      vCHS - DPS-Data Protection      2.0                patch pending 
      Service

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8 
      or 1.0.1 and communicating over an untrusted network. 

      VMware                          Product  Running   Replace with/
      Product                         Version  on        Apply Patch 
      ==============                  =======  =======   =============
      vCSA                            5.5                patch pending 
      vCSA                            5.1                patch pending 
      vCSA                            5.0                patch pending 


      ESXi                            5.1       ESXi     patch pending 
      ESXi                            5.0       ESXi     patch pending  

      Workstation                     10.0.2    any      patch pending 
      Workstation                     9.0.3     any      patch pending 
      Fusion                          6.x       OSX      patch pending 
      Fusion                          5.x       OSX      patch pending 
      Player                          10.0.2    any      patch pending 
      Player                          9.0.3     any      patch pending 

      Chargeback Manager              2.5.x              patch pending 

      Horizon Workspace Client for    1.8.1    OSX       patch pending 
      Mac
      Horizon Workspace Client for    1.5      OSX       patch pending 
      Mac
      Horizon Workspace Client for    1.8.1    Windows   patch pending 
      Windows       
      Horizon Workspace Client for    1.5      Windows   patch pending 

      OVF Tool                        3.5.1              patch pending 
      OVF Tool                        3.0.1              patch pending 

      vCenter Operations Manager      5.8.1              patch pending 

      vCenter Support Assistant       5.5.0              patch pending 
      vCenter Support Assistant       5.5.1              patch pending 
      
      vCD                             5.1.2              patch pending    
      vCD                             5.1.3              patch pending 
      vCD                             5.5.1.1            patch pending 
      vCenter Site Recovery Manager   5.0.3.1            patch pending 

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
      over an untrusted network. 

      VMware                          Product  Running   Replace with/
      Product                         Version  on        Apply Patch 
      ==============                  =======  =======   =============
      vCenter Server                  5.5       any      patch pending
      vCenter Server                  5.1       any      patch pending
      vCenter Server                  5.0       any      patch pending

      Update Manager                  5.5       Windows  patch pending
      Update Manager                  5.1       Windows  patch pending
      Update Manager                  5.0       Windows  patch pending 

      Config Manager (VCM)            5.6                patch pending 

      Horizon View Client             5.3.1              patch pending 
      Horizon View Client             4.x                patch pending
      Horizon Workspace               1.8.1              patch pending 
      Horizon Workspace               1.5                patch pending     
 
   
      ITBM Standard                   1.0.1              patch pending 
      ITBM Standard                   1.0                patch pending 
   
      Studio                          2.6.0.0            patch pending 
    
      Usage Meter                     3.3                patch pending 
      vCenter Chargeback Manager      2.6                patch pending 
      vCenter Converter Standalone    5.5                patch pending 
      vCenter Converter Standalone    5.1                patch pending 
      vCD (VCHS)                      5.6.2              patch pending 
      
      vCenter Site Recovery Manager   5.5.1              patch pending 
      vCenter Site Recovery Manager   5.1.1              patch pending

      vFabric Application Director    5.2.0              patch pending 
      vFabric Application Director    5.0.0              patch pending 
      View Client                     5.3.1              patch pending 
      View Client                     4.x                patch pending
      VIX API                         5.5                patch pending 
      VIX API                         1.12               patch pending 
      
      vMA (Management Assistant)      5.1.0.1            patch pending     
  

      VMware Data Recovery            2.0.3              patch pending 
     
      VMware vSphere CLI              5.5                patch pending 
     
      vSphere Replication             5.5.1              patch pending 
      vSphere Replication             5.6                patch pending 
      vSphere SDK for Perl            5.5                patch pending 
      vSphere Storage Appliance       5.5.1              patch pending 
      vSphere Storage Appliance       5.1.3              patch pending 
      vSphere Support Assistant       5.5.1              patch pending 
      vSphere Support Assistant       5.5.0              patch pending
      vSphere Virtual Disk            5.5                patch pending 
      Development Kit                  
      vSphere Virtual Disk            5.1                patch pending 
      Development Kit
      vSphere Virtual Disk            5.0                patch pending 
      Development Kit
 
   4. Solution

   ESXi 5.5
   ----------------------------

   Download:
   https://www.vmware.com/patchmgr/download.portal

   Release Notes and Remediation Instructions:
   http://kb.vmware.com/kb/2077359

   5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   
   https://www.openssl.org/news/secadv_20140605.txt

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

- -----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTl8A4DEcm8Vbi9kMRAjg8AKC9gwyh7upCC9otefXw0XGS4slpiQCfS76d
GxFcSFNuG8I+AgarnsCOuqo=
=MWQx
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


  By Date           By Thread  

Current thread:
  • NEW : VMSA-2014-0006 - VMware product updates address OpenSSL security vulnerabilities \"VMware Security Response Center\" (Jun 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]