
Saturday, April 12, 2014

HeartBleed Bug on Virtualization Platform


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. For more info, please click here.
Next question:
Is your virtualization infrastructure vulnerable to the Heartbleed Bug?
This is what I found while searching to check whether my infrastructure is affected.
VMware Platform
Yes. VMware has confirmed that the following products are affected:
  • ESXi 5.5
  • NSX-MH 4.x
  • NSX-V 6.0.x
  • NVP 3.x
  • vCenter Server 5.5
  • vFabric Web Server 5.0.x – 5.3.x
  • VMware Fusion 6.0.x
  • VMware Horizon Mirage Edge Gateway 4.4.x
  • VMware Horizon View 5.2 Feature Pack 2
  • VMware Horizon View 5.3 Feature Pack 1
  • VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for Windows 2.3.x
  • VMware Horizon Workspace 1.0
  • VMware Horizon Workspace 1.5
  • VMware Horizon Workspace 1.8
  • VMware Horizon Workspace Client for Macintosh 1.5.1
  • VMware Horizon Workspace Client for Macintosh 1.5.2
  • VMware Horizon Workspace Client for Windows 1.5.1
  • VMware Horizon Workspace Client for Windows 1.5.2
  • VMware Horizon Workspace for Macintosh 1.8
  • VMware Horizon Workspace for Windows 1.8
  • VMware OVF Tool 3.5.0
  • VMware vCloud Automation Center (vCAC) 5.1.x
  • VMware vCloud Automation Center (vCAC) 5.2.x
  • VMware vCloud Networking and Security (vCNS) 5.1.3
  • VMware vCloud Networking and Security (vCNS) 5.5.1
VMware has published about it here. Most VMware products that ship with OpenSSL 1.0.1 are affected.
Citrix Platform [Update April 28, 2014]
At this moment, “No” for Citrix XenCenter and XenServer. However, the following is affected:
  • Citrix Web Interface
Citrix has published about it here.

Microsoft Hyper-V Platform
No. The Microsoft Hyper-V platform does not use the open-source cryptographic library (OpenSSL).
Meanwhile, Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
For more detail, please click here.
Summary
If your environment is running any of the above platforms and is on the affected list, please act fast to protect it before it is too late.
More details:-

2 comments:

  1. As described on the Citrix website, the Access Gateway, NetScaler and XenApp are not impacted. Is your information mismatched?

  2. Well, during the write-up, yes. Just checked and updated the info. It is no longer impacted. Do refer to the link (as it is always updated by the principal). Thanks for the input.
