VMware Security Advisory 2014-0006
Posted Jun 11, 2014
Authored by VMware | Site vmware.com

VMware Security Advisory 2014-0006 - VMware product updates address OpenSSL security vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
SHA-256 | e32f3b5a005455ef9b833d1324278466b8f0efab24e79651b63fe8563d8dd79c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006
Synopsis: VMware product updates address OpenSSL
security vulnerabilities
Issue date: 2014-06-10
Updated on: 2014-06-10 (initial release)
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

ESXi 5.5 prior to ESXi550-201406401-SG


3. Problem Description

a. OpenSSL update for multiple products.

OpenSSL libraries have been updated in multiple products to
versions 0.9.8za and 1.0.1h in order to resolve multiple security
issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-0224, CVE-2014-0198,
CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
these issues. The most important of these issues is
CVE-2014-0224.

CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
be of moderate severity. Exploitation is highly unlikely or is
mitigated due to the application configuration.

CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
Security Advisory (see Reference section below), do not affect
any VMware products.

CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
is running a vulnerable version of OpenSSL 1.0.1 and clients are
running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
the server will mitigate this issue for both the server and all
affected clients.

CVE-2014-0224 may affect products differently depending on
whether the product is acting as a client or a server and on
which version of OpenSSL the product is using. For readability
the affected products have been split into 3 tables below,
based on the different client-server configurations and
deployment scenarios.

MITIGATIONS

Clients that communicate with a patched or non-vulnerable server
are not vulnerable to CVE-2014-0224. Applying these patches to
affected servers will mitigate the affected clients (See Table 1
below).

Clients that communicate over untrusted networks such as public
Wi-Fi and communicate with a server running a vulnerable version
of OpenSSL 1.0.1 can be mitigated by using a secure network such
as a VPN (see Table 2 below).

Clients and servers that are deployed on an isolated network are
less exposed to CVE-2014-0224 (see Table 3 below). The affected
products are typically deployed to communicate over the
management network.

RECOMMENDATIONS

VMware recommends customers evaluate and deploy patches for
affected servers in Table 1 below as these patches become
available. Patching these servers will remove the ability to
exploit the vulnerability described in CVE-2014-0224 on both
clients and servers. VMware recommends customers consider
applying patches to products listed in Tables 2 and 3 as required.

Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
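The fixed releases and the client/server rule stated above, turned into a small inventory check. This is an added example, not part of the advisory and not VMware code: it assumes only what the advisory states (0.9.8za and 1.0.1h are the fixed releases; the attack needs a vulnerable 1.0.1 server together with a vulnerable 0.9.8 or 1.0.1 client; patching the server clears both sides), treats every other OpenSSL branch as not covered, and the `Endpoint` names and `SAMPLE_PAIRS` inventory are constructed.

```python
"""CVE-2014-0224 exposure check built from the rules in VMSA-2014-0006.

Added example (not VMware's code): it encodes the advisory's fixed
releases (0.9.8za, 1.0.1h) and its client/server rule, then runs them
over a constructed inventory.  Endpoint names below are made up.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed releases named in the advisory, keyed by OpenSSL branch.
FIXED_RELEASE = {(0, 9, 8): "0.9.8za", (1, 0, 1): "1.0.1h"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, str]]:
    """Turn a pre-1.1 OpenSSL version string into a sortable tuple.

    Letter suffixes are ordered by (length, letters) so that
    "" < "a" < "z" < "za" < "zb", matching OpenSSL's scheme.
    A build tag such as "1.0.1e-fips" has the "-fips" part dropped.
    """
    core = text.strip().split("-")[0]
    match = _VERSION_RE.match(core)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix), (len(letters), letters))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if older than the fixed release on an affected branch,
    False if at or past it, None if the branch is not covered here."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASE.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


class Endpoint(NamedTuple):
    name: str
    openssl: str


class Finding(NamedTuple):
    client: str
    server: str
    status: str   # "not exposed", "reduced", "exposed" or "unknown"
    action: str


def classify(client: Endpoint, server: Endpoint, network: str) -> Finding:
    """Apply the advisory's rule for CVE-2014-0224.

    The attack needs a server on vulnerable OpenSSL 1.0.1 *and* a client
    on vulnerable 0.9.8 or 1.0.1; patching the server clears both sides.
    network is "isolated" (Table 3) or "untrusted" (Table 2).
    """
    server_ver = parse_version(server.openssl)
    server_vuln = server_ver[:3] == (1, 0, 1) and is_vulnerable(server.openssl)
    if not server_vuln:
        return Finding(client.name, server.name, "not exposed",
                       "none: server is patched or not on OpenSSL 1.0.1")
    client_vuln = is_vulnerable(client.openssl)
    if client_vuln is None:
        return Finding(client.name, server.name, "unknown",
                       "client OpenSSL branch not covered by this advisory")
    if not client_vuln:
        return Finding(client.name, server.name, "not exposed",
                       "none: client is patched")
    if network == "isolated":
        return Finding(client.name, server.name, "reduced",
                       "patch server when available (Table 1, Table 3)")
    return Finding(client.name, server.name, "exposed",
                   "patch server now (Table 1); use a VPN meanwhile (Table 2)")


# Constructed inventory: hypothetical endpoints, not taken from the advisory.
SAMPLE_PAIRS = [
    (Endpoint("mgmt-client-a", "1.0.1e"), Endpoint("host-1", "1.0.1e"), "untrusted"),
    (Endpoint("mgmt-client-a", "1.0.1e"), Endpoint("host-2", "1.0.1h"), "untrusted"),
    (Endpoint("desktop-tool-b", "0.9.8y"), Endpoint("host-1", "1.0.1g"), "isolated"),
    (Endpoint("appliance-c", "0.9.8za"), Endpoint("host-1", "1.0.1g"), "untrusted"),
    (Endpoint("mgmt-client-a", "1.0.1e"), Endpoint("legacy-d", "0.9.8y"), "untrusted"),
]


def audit(pairs) -> List[Finding]:
    """Classify every (client, server, network) triple in an inventory."""
    return [classify(c, s, net) for c, s, net in pairs]


if __name__ == "__main__":
    for f in audit(SAMPLE_PAIRS):
        print(f"{f.client:16} -> {f.server:10} {f.status:12} {f.action}")
```

Run it and each constructed pair prints one line with its status and the table-based action. The part worth copying is the suffix ordering in `parse_version`: a naive string comparison ranks "0.9.8z" above "0.9.8za" and would report a fixed 0.9.8za client as still vulnerable.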

Table 1
=======
Affected servers running a vulnerable version of OpenSSL 1.0.1.

VMware                                Product  Running  Replace with/
Product                               Version  on       Apply Patch
====================================  =======  =======  ====================
ESXi                                  5.5      ESXi     ESXi550-201406401-SG

Big Data Extensions                   1.1               patch pending
Charge Back Manager                   2.6               patch pending

Horizon Workspace Server GATEWAY      1.8.1             patch pending
Horizon Workspace Server GATEWAY      1.5               patch pending

Horizon Workspace Server DATA         1.8.1             patch pending

Horizon Mirage Edge Gateway           4.4.2             patch pending
Horizon View                          5.3.1             patch pending

Horizon View Feature Pack             5.3 SP2           patch pending

NSX for Multi-Hypervisor              4.1.2             patch pending
NSX for Multi-Hypervisor              4.0.3             patch pending
NSX for vSphere                       6.0.4             patch pending
NVP                                   3.2.2             patch pending
vCAC                                  6.0.1             patch pending

vCloud Networking and Security        5.5.2             patch pending
vCloud Networking and Security        5.1.2             patch pending

vFabric Web Server                    5.3.4             patch pending

vCHS - DPS-Data Protection Service    2.0               patch pending

Table 2
=======
Affected clients running a vulnerable version of OpenSSL 0.9.8
or 1.0.1 and communicating over an untrusted network.

VMware                                Product  Running  Replace with/
Product                               Version  on       Apply Patch
====================================  =======  =======  ====================
vCSA                                  5.5               patch pending
vCSA                                  5.1               patch pending
vCSA                                  5.0               patch pending

ESXi                                  5.1      ESXi     patch pending
ESXi                                  5.0      ESXi     patch pending

Workstation                           10.0.2   any      patch pending
Workstation                           9.0.3    any      patch pending
Fusion                                6.x      OSX      patch pending
Fusion                                5.x      OSX      patch pending
Player                                10.0.2   any      patch pending
Player                                9.0.3    any      patch pending

Chargeback Manager                    2.5.x             patch pending

Horizon Workspace Client for Mac      1.8.1    OSX      patch pending
Horizon Workspace Client for Mac      1.5      OSX      patch pending
Horizon Workspace Client for Windows  1.8.1    Windows  patch pending
Horizon Workspace Client for Windows  1.5      Windows  patch pending

OVF Tool                              3.5.1             patch pending
OVF Tool                              3.0.1             patch pending

vCenter Operations Manager            5.8.1             patch pending

vCenter Support Assistant             5.5.0             patch pending
vCenter Support Assistant             5.5.1             patch pending

vCD                                   5.1.2             patch pending
vCD                                   5.1.3             patch pending
vCD                                   5.5.1.1           patch pending
vCenter Site Recovery Manager         5.0.3.1           patch pending

Table 3
=======
The following table lists all affected clients running a
vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
over an untrusted network.

VMware                                Product  Running  Replace with/
Product                               Version  on       Apply Patch
====================================  =======  =======  ====================
vCenter Server                        5.5      any      patch pending
vCenter Server                        5.1      any      patch pending
vCenter Server                        5.0      any      patch pending

Update Manager                        5.5      Windows  patch pending
Update Manager                        5.1      Windows  patch pending
Update Manager                        5.0      Windows  patch pending

Config Manager (VCM)                  5.6               patch pending

Horizon View Client                   5.3.1             patch pending
Horizon View Client                   4.x               patch pending
Horizon Workspace                     1.8.1             patch pending
Horizon Workspace                     1.5               patch pending

ITBM Standard                         1.0.1             patch pending
ITBM Standard                         1.0               patch pending

Studio                                2.6.0.0           patch pending

Usage Meter                           3.3               patch pending
vCenter Chargeback Manager            2.6               patch pending
vCenter Converter Standalone          5.5               patch pending
vCenter Converter Standalone          5.1               patch pending
vCD (VCHS)                            5.6.2             patch pending

vCenter Site Recovery Manager         5.5.1             patch pending
vCenter Site Recovery Manager         5.1.1             patch pending

vFabric Application Director          5.2.0             patch pending
vFabric Application Director          5.0.0             patch pending
View Client                           5.3.1             patch pending
View Client                           4.x               patch pending
VIX API                               5.5               patch pending
VIX API                               1.12              patch pending

vMA (Management Assistant)            5.1.0.1           patch pending

VMware Data Recovery                  2.0.3             patch pending

VMware vSphere CLI                    5.5               patch pending

vSphere Replication                   5.5.1             patch pending
vSphere Replication                   5.6               patch pending
vSphere SDK for Perl                  5.5               patch pending
vSphere Storage Appliance             5.5.1             patch pending
vSphere Storage Appliance             5.1.3             patch pending
vSphere Support Assistant             5.5.1             patch pending
vSphere Support Assistant             5.5.0             patch pending
vSphere Virtual Disk Development Kit  5.5               patch pending
vSphere Virtual Disk Development Kit  5.1               patch pending
vSphere Virtual Disk Development Kit  5.0               patch pending

4. Solution

ESXi 5.5
----------------------------

Download:
https://www.vmware.com/patchmgr/download.portal

Release Notes and Remediation Instructions:
http://kb.vmware.com/kb/2077359

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

https://www.openssl.org/news/secadv_20140605.txt

- -----------------------------------------------------------------------

6. Change Log

2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of
ESXi 5.5 updates on 2014-06-10

- -----------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTl8A4DEcm8Vbi9kMRAjg8AKC9gwyh7upCC9otefXw0XGS4slpiQCfS76d
GxFcSFNuG8I+AgarnsCOuqo=
=MWQx
-----END PGP SIGNATURE-----