Reference: CERT-EU Security Advisory 2014-040

Title: VMware Security Advisories (VMSA-2014-0004.6)

Version history:
22.04.2014 Initial publication

Summary
=======

VMware product updates address OpenSSL security vulnerabilities.
See [2] for more information about the OpenSSL (Heartbleed) vulnerability.

CVE-2014-0076
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/AU:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

CVE-2014-0160
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 10.0

Vulnerable systems
==================

- VMware vCenter Server 5.5
- VMware vCenter Server 5.5 Update 1
- ESXi 5.5 without patch ESXi550-201404020
- ESXi 5.5 Update 1 without patch ESXi550-201404001
- VMware Workstation 10.x prior to version 10.0.2
- VMware Fusion 6.x prior to version 6.0.3
- VMware Player 6.x prior to version 6.0.2
- NSX for Multi-Hypervisor 4.0.x prior to 4.0.2
- NSX for Multi-Hypervisor 4.1.x prior to 4.1.1
- NSX 6.0.x for vSphere prior to 6.0.4
- NVP 3.x prior to 3.2.2
- Horizon Mirage Edge Gateway 4.4.x prior to 4.4.2
- Horizon View 5.3 Feature Pack 1
- Horizon View Client 2.1.x, 2.2.x and 2.3.x for Android and iOS
- Horizon View Client 2.3.x for Windows
- Horizon Workspace Server 1.0
- Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64
- Horizon Workspace Server 1.8.x prior to 1.8.1
- Horizon Workspace Client 1.5.x
- Horizon Workspace Client 1.8 prior to 1.8.1
- OVF Tool prior to 3.5.1
- VMware vCloud Networking and Security (vCNS) prior to 5.5.2
- VMware vCloud Networking and Security (vCNS) prior to 5.1.4
- vCloud Automation Center (vCAC) 6.x
- vSphere Big Data Extensions 1.1
- Client Integration Plug-In 5.5
- vCloud Director 5.5

What can you do?
================

To remediate the issue for products that have updated versions of patches available, perform these steps:

- Deploy the VMware product update or product patches. See [1].
- Replace certificates
- Reset passwords

See [2] for additional actions you may have to take.

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2014-0003.html
[2] http://cert.europa.eu/static/SecurityAdvisories/CERT-EU-SA2014-034.txt
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html