VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable

While the group of vulnerabilities that the OpenSSL Project patched last week hasn’t grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an advisory confirming that a long list of its products are vulnerable to the latest OpenSSL bugs. The company said in the advisory that there is only a patch available for one of its products right now, ESXi 5.5. VMware sells a huge line of products that includes both clients and servers, which makes the patching process for the most serious of the recent OpenSSL vulnerabilities even more onerous. The critical vulnerability in this group is CVE-2014-0224, a flaw that could enable an attacker to intercept and decrypt traffic between vulnerable clients and a vulnerable server. Both the client and server must be running flawed versions of the software in order for the attack to succeed.

VMware said in its advisory that various products are affected differently by the vulnerability.

VMware said in its advisory that various products are affected differently by the vulnerability, depending upon whether they’re acting as clients or servers.

“CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients,” the advisory says.

“CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using.Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN.”

The list of other VMware products that are still vulnerable to CVE-2014-0224 and for which no patch is yet available is long, and includes both clients and servers. The company said that the patches for these products, which include other versions of ESXi, several versions of vCenter and vSphere, are in the works.