BugTraq
NEW : VMSA-2014-0006 - VMware product updates address OpenSSL security vulnerabilities Jun 11 2014 03:02AM
VMware Security Response Center (security vmware com)

-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006
Synopsis: VMware product updates address OpenSSL
security vulnerabilities
Issue date: 2014-06-10
Updated on: 2014-06-10 (initial release)
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
CVE-2014-3470
-----------------------------------------------------------------------

1. Summary

VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

ESXi 5.5 prior to ESXi550-201406401-SG

3. Problem Description

a. OpenSSL update for multiple products.

OpenSSL libraries have been updated in multiple products to
versions 0.9.8za and 1.0.1h in order to resolve multiple security
issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-0224, CVE-2014-0198,
CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
these issues. The most important of these issues is
CVE-2014-0224.

CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
be of moderate severity. Exploitation is highly unlikely or is
mitigated due to the application configuration.

CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
Security Advisory (see Reference section below), do not affect
any VMware products.

CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
is running a vulnerable version of OpenSSL 1.0.1 and clients are
running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
the server will mitigate this issue for both the server and all
affected clients.

CVE-2014-0224 may affect products differently depending on
whether the product is acting as a client or a server and on
which version of OpenSSL the product is using. For readability
the affected products have been split into three tables below,
based on the different client-server configurations and
deployment scenarios.

MITIGATIONS

Clients that communicate with a patched or non-vulnerable server
are not vulnerable to CVE-2014-0224. Applying these patches to
affected servers will mitigate the affected clients (See Table 1
below).

Clients that communicate over untrusted networks such as public
Wi-Fi with a server running a vulnerable version of OpenSSL 1.0.1
can be mitigated by using a secure network such as a VPN (see
Table 2 below).

Clients and servers that are deployed on an isolated network are
less exposed to CVE-2014-0224 (see Table 3 below). The affected
products are typically deployed to communicate over the
management network.
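The client/server rule above, as an added triage helper that is not part of the advisory: it parses OpenSSL version strings, orders the letter suffix against the fixed releases the advisory names (0.9.8za and 1.0.1h), and reports whether a server/client pair is exposed to CVE-2014-0224 under the advisory's rule. The version strings are constructed sample input; branches the advisory does not name are treated as out of scope rather than as safe.

```python
import re

# Fixed releases named in this advisory, keyed by OpenSSL branch.
FIXED = {"0.9.8": "za", "1.0.1": "h"}

# Accepts "1.0.1g" or "OpenSSL 1.0.1g": group 1 is the branch, group 2 the letter suffix.
_VER_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)$")


def parse_version(text):
    """Split an OpenSSL version string into (branch, letter_suffix)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    return m.group(1), m.group(2)


def suffix_key(suffix):
    """OpenSSL letter releases order as '' < 'a' < ... < 'z' < 'za' < 'zb':
    a longer suffix is always newer, then plain alphabetical order applies."""
    return (len(suffix), suffix)


def is_vulnerable(version):
    """True when the branch is one the advisory names and the letter release
    is older than the fixed release for that branch. Other branches are out
    of scope for this helper; returning False does not claim they are safe."""
    branch, suffix = parse_version(version)
    if branch not in FIXED:
        return False
    return suffix_key(suffix) < suffix_key(FIXED[branch])


def ccs_mitm_exposed(server_version, client_version):
    """The advisory's rule for CVE-2014-0224: a session is exposed only if the
    server runs a vulnerable 1.0.1 and the client a vulnerable 0.9.8 or 1.0.1.
    Patching the server alone therefore clears the pair."""
    server_branch, _ = parse_version(server_version)
    return (server_branch == "1.0.1"
            and is_vulnerable(server_version)
            and is_vulnerable(client_version))


if __name__ == "__main__":
    # Constructed sample pairs, not inventory data from the advisory.
    pairs = [("1.0.1g", "0.9.8y"), ("1.0.1h", "0.9.8y"), ("0.9.8y", "1.0.1g")]
    for srv, cli in pairs:
        print("server %-7s client %-7s exposed=%s" % (srv, cli, ccs_mitm_exposed(srv, cli)))
```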

RECOMMENDATIONS

VMware recommends customers evaluate and deploy patches for
affected servers in Table 1 below as these patches become
available. Patching these servers will remove the ability to
exploit the vulnerability described in CVE-2014-0224 on both
clients and servers. VMware recommends customers consider
applying patches to products listed in Tables 2 and 3 as required.

Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.

Table 1
=======
Affected servers running a vulnerable version of OpenSSL 1.0.1.

VMware Product                        Product   Running   Replace with/
                                      Version   on        Apply Patch
====================================  ========  ========  ====================
ESXi                                  5.5       ESXi      ESXi550-201406401-SG

Big Data Extensions                   1.1                 patch pending
Charge Back Manager                   2.6                 patch pending

Horizon Workspace Server GATEWAY      1.8.1               patch pending
Horizon Workspace Server GATEWAY      1.5                 patch pending
Horizon Workspace Server DATA         1.8.1               patch pending

Horizon Mirage Edge Gateway           4.4.2               patch pending
Horizon View                          5.3.1               patch pending
Horizon View Feature Pack             5.3 SP2             patch pending

NSX for Multi-Hypervisor              4.1.2               patch pending
NSX for Multi-Hypervisor              4.0.3               patch pending
NSX for vSphere                       6.0.4               patch pending
NVP                                   3.2.2               patch pending
vCAC                                  6.0.1               patch pending

vCloud Networking and Security        5.5.2               patch pending
vCloud Networking and Security        5.1.2               patch pending

vFabric Web Server                    5.3.4               patch pending

vCHS - DPS-Data Protection Service    2.0                 patch pending

Table 2
========
Affected clients running a vulnerable version of OpenSSL 0.9.8
or 1.0.1 and communicating over an untrusted network.

VMware Product                        Product   Running   Replace with/
                                      Version   on        Apply Patch
====================================  ========  ========  ====================
vCSA                                  5.5                 patch pending
vCSA                                  5.1                 patch pending
vCSA                                  5.0                 patch pending

ESXi                                  5.1       ESXi      patch pending
ESXi                                  5.0       ESXi      patch pending

Workstation                           10.0.2    any       patch pending
Workstation                           9.0.3     any       patch pending
Fusion                                6.x       OSX       patch pending
Fusion                                5.x       OSX       patch pending
Player                                10.0.2    any       patch pending
Player                                9.0.3     any       patch pending

Chargeback Manager                    2.5.x               patch pending

Horizon Workspace Client for Mac      1.8.1     OSX       patch pending
Horizon Workspace Client for Mac      1.5       OSX       patch pending
Horizon Workspace Client for Windows  1.8.1     Windows   patch pending
Horizon Workspace Client for Windows  1.5       Windows   patch pending

OVF Tool                              3.5.1               patch pending
OVF Tool                              3.0.1               patch pending

vCenter Operations Manager            5.8.1               patch pending

vCenter Support Assistant             5.5.0               patch pending
vCenter Support Assistant             5.5.1               patch pending

vCD                                   5.1.2               patch pending
vCD                                   5.1.3               patch pending
vCD                                   5.5.1.1             patch pending
vCenter Site Recovery Manager         5.0.3.1             patch pending

Table 3
=======
The following table lists all affected clients running a
vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
over an untrusted network.

VMware Product                        Product   Running   Replace with/
                                      Version   on        Apply Patch
====================================  ========  ========  ====================
vCenter Server                        5.5       any       patch pending
vCenter Server                        5.1       any       patch pending
vCenter Server                        5.0       any       patch pending

Update Manager                        5.5       Windows   patch pending
Update Manager                        5.1       Windows   patch pending
Update Manager                        5.0       Windows   patch pending

Config Manager (VCM)                  5.6                 patch pending

Horizon View Client                   5.3.1               patch pending
Horizon View Client                   4.x                 patch pending
Horizon Workspace                     1.8.1               patch pending
Horizon Workspace                     1.5                 patch pending

ITBM Standard                         1.0.1               patch pending
ITBM Standard                         1.0                 patch pending

Studio                                2.6.0.0             patch pending

Usage Meter                           3.3                 patch pending
vCenter Chargeback Manager            2.6                 patch pending
vCenter Converter Standalone          5.5                 patch pending
vCenter Converter Standalone          5.1                 patch pending
vCD (VCHS)                            5.6.2               patch pending

vCenter Site Recovery Manager         5.5.1               patch pending
vCenter Site Recovery Manager         5.1.1               patch pending

vFabric Application Director          5.2.0               patch pending
vFabric Application Director          5.0.0               patch pending
View Client                           5.3.1               patch pending
View Client                           4.x                 patch pending
VIX API                               5.5                 patch pending
VIX API                               1.12                patch pending

vMA (Management Assistant)            5.1.0.1             patch pending

VMware Data Recovery                  2.0.3               patch pending

VMware vSphere CLI                    5.5                 patch pending

vSphere Replication                   5.5.1               patch pending
vSphere Replication                   5.6                 patch pending
vSphere SDK for Perl                  5.5                 patch pending
vSphere Storage Appliance             5.5.1               patch pending
vSphere Storage Appliance             5.1.3               patch pending
vSphere Support Assistant             5.5.1               patch pending
vSphere Support Assistant             5.5.0               patch pending
vSphere Virtual Disk Development Kit  5.5                 patch pending
vSphere Virtual Disk Development Kit  5.1                 patch pending
vSphere Virtual Disk Development Kit  5.0                 patch pending

4. Solution

ESXi 5.5
----------------------------

Download:
https://www.vmware.com/patchmgr/download.portal

Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2077359

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

https://www.openssl.org/news/secadv_20140605.txt

-----------------------------------------------------------------------

6. Change Log

2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of
ESXi 5.5 updates on 2014-06-10

-----------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc. All rights reserved.

