It seems to be patch Saturday, as a whole bunch of product updates were released today. All of these updates relate to the Heartbleed security bug fix. There is no point in listing every single product, as I assume you all know the VMware download page by now, but I do want to link the most commonly used ones for your convenience:
- VMware vCenter Server 5.5 U1a
- VMware vCenter Server 5.5c
- ESXi KB: VMware ESXi 5.5, Patch ESXi550-201404420-SG
- ESXi KB: VMware ESXi 5.5, Patch Release ESXi550-201404001
- VMware vCloud Networking and Security 5.5.2
Time to update, but before you do… if you are using NFS-based storage, make sure to read this first before jumping straight to vSphere 5.5 U1a!
Jason Boche (@jasonboche) says
I thought the VCVA wasn’t vulnerable? Will have to revisit VMware’s KB article on all impacted products.
Jason Boche (@jasonboche) says
Ok it’s still unclear to me why VCSA 5.5u1 was revd to 5.5u1a. Everywhere I look it is listed as NOT impacted by heartbleed. The release notes for vCenter Server 5.5u1a explicitly state the update is for heartbleed but it would seem that only applies to the Windows version, SSO specifically. If you’re able to provide any insight on this Duncan, that would be appreciated.
Avi says
I guess the reason you have a heartbleed update for VCVA5.5 is because the VMware Client Integration Plug-in is a client-side component that is present when users connect to the vSphere Web Client to upload OVF files, for example. Version 5.5 of this component is affected by the OpenSSL heartbleed vulnerability. This version is part of vSphere 5.5.
This KB also speaks about this in brief, http://kb.vmware.com/kb/2076692
Patrick Hurley says
Duncan, do you know if these patches can be applied to the HP Proliant customized images here:
http://h18004.www1.hp.com/products/servers/software/vmware/esxi-image.html?
Joerg Behrens says
@Jason,
It's not the VCSA directly which is affected, but it delivers the client integration plugin for the browser, which is affected.
Regards,
Joerg