Earlier this year, a vulnerability was discovered in a version of the cryptographic library OpenSSL. This library is used by server platforms to encrypt information between the server and the clients that connect to it. The vulnerability is referred to as the Heartbleed Bug.
In the case of VMware, OpenSSL is used to protect communication between many different parts of your VMware architecture. Since the vulnerability affects a specific version of the OpenSSL libraries, not all VMware products were affected. VMware's flagship product, vSphere 5.5 (vCenter Server and the ESXi hypervisor), is affected by this issue. VMware released updates that eliminate this vulnerability a short while ago. They have been available long enough to have proven themselves stable, and Affiliated is recommending that our customers protect themselves with these updates.
If you are running vSphere 5.5, now is the time to begin patching your VMware servers. If you are running an earlier version of vSphere and were waiting until this was resolved, you can begin to plan your upgrade.
The upgrades you should implement are:
- vCenter Server – Upgrade to 5.5.0c or 5.5 Update 1a
- ESXi – Apply the latest patches. Specifically:
  - ESXi550-201404420 for ESXi 5.5
  - ESXi550-201404401 for ESXi 5.5 U1
If you would like help in planning or implementing these patches, let us know! We can help make this patching as painless as possible.
The complete list of VMware software affected by Heartbleed can be found in the VMware Knowledge Base.
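Because only specific OpenSSL versions are affected, an `openssl version` banner collected from each component is enough for a first triage. The script below is an added example, not code from VMware or from this post; the upstream version ranges, the function names and the sample inventory are assumptions supplied here, and the vendor's list of affected products and patch levels remains authoritative.

```python
import re

# Upstream OpenSSL facts (not stated on this page): Heartbleed is present in
# 1.0.1 through 1.0.1f and in 1.0.2-beta / 1.0.2-beta1; 1.0.1g and 1.0.2-beta2
# fix it. The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")

def classify(banner):
    """Classify an `openssl version` banner as affected, not_affected,
    verify_with_vendor (in range, but a vendor build) or unknown."""
    m = _BANNER.search(banner)
    if not m:
        return "unknown"  # not an OpenSSL banner, e.g. another TLS library
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        if len(letter) > 1 or letter >= "g":
            return "not_affected"
        # Vendors often backport the fix without changing the letter, so a
        # suffixed build in the affected range needs the vendor's advisory.
        return "verify_with_vendor" if suffix else "affected"
    if branch == (1, 0, 2):
        return "affected" if suffix in ("beta", "beta1") else "not_affected"
    return "not_affected"

def triage(inventory):
    """Group host names by classification result."""
    groups = {}
    for host, banner in sorted(inventory.items()):
        groups.setdefault(classify(banner), []).append(host)
    return groups

# Constructed sample inventory: host names and banners are illustrative only.
SAMPLE = {
    "host-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "host-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "host-c": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "host-d": "OpenSSL 0.9.8y 5 Feb 2013",
    "host-e": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A `verify_with_vendor` result means the banner alone cannot settle the question; confirm the installed patch level against the vendor's advisory before closing the item.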
Further information on the Heartbleed OpenSSL Vulnerability: