VMware product updates address OpenSSL security vulnerabilities

2014-04-1400:00:00

www.vmware.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

JSON

a. Information Disclosure vulnerability in OpenSSL third party library

The OpenSSL library is updated to version openssl-1.0.1g to resolve multiple security issuesThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0076 and CVE-2014-0160 to these issues.

CVE-2014-0160 is known as the Heartbleed issue. More information on this issue may be found in the reference section.

To remediate the issue for products that have updated versions or patches available, perform these steps:

Section 4 lists product-specific references to installation instructions and certificate management documentation.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Note: Products that are not affected by thses issues have been documented in VMware Knowledge Base article 2076225.

CPENameOperatorVersion
vcenter serverlt5.5.0c
vcenter serverlt5.5 Update 1a
esxiltESXi550-201404420
esxiltESXi550-201404401
workstationlt10.0.2
fusionlt6.0.3
playerlt6.0.2
nsx for multi-hypervisorlt4.0.2
nsx for multi-hypervisorlt4.1.1
nsx for vspherelt6.0.4

Name	Operator	Version
vcenter server	lt	5.5.0c
vcenter server	lt	5.5 Update 1a
esxi	lt	ESXi550-201404420
esxi	lt	ESXi550-201404401
workstation	lt	10.0.2
fusion	lt	6.0.3
player	lt	6.0.2
nsx for multi-hypervisor	lt	4.0.2
nsx for multi-hypervisor	lt	4.1.1
nsx for vsphere	lt	6.0.4