The troubling Heartbleed SSL vulnerability that’s causing a stir this week also affects many VMware products.
The weakness in the OpenSSL library revealed this week affects 66% of Web servers and lets anyone who can connect to an affected system read parts of its memory. The problem had gone undetected for two years, and analysts are confirming it’s as bad as advertised, potentially putting millions of passwords and other sensitive information at risk.
In a KnowledgeBase article, VMware listed its products that have shipped with the vulnerable OpenSSL 1.0.1. They include ESXi 5.5, vCenter Server 5.5 and vCloud Automation Center 5.1.x and 5.2.x. Earlier versions of ESXi and vCenter Server are not affected.
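A small triage helper for the OpenSSL version strings mentioned above, added here as an example and not part of the original article or VMware's KB. The affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, plus 1.0.2-beta1) comes from the OpenSSL project's own advisory rather than from this article, and the sample `openssl version` banners are constructed.

```python
import re

# Heartbleed lives in the TLS heartbeat code that first shipped in OpenSSL 1.0.1.
# Affected: 1.0.1 (no letter) up to and including 1.0.1f, and 1.0.2-beta1.
# Fixed: 1.0.1g and later, 1.0.2-beta2 and later. 1.0.0 and 0.9.8 never had the code.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Pull (major, minor, fix, patch_letters, beta) out of an `openssl version`
    banner such as 'OpenSSL 1.0.1e 11 Feb 2013'. Returns None if no version is found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters, (int(beta) if beta else None)


def is_heartbleed_vulnerable(banner):
    """True if the version in the banner falls inside the affected range.
    Caveat: vendor or distro builds often backport the fix without bumping the
    letter, so a 'vulnerable' verdict here means 'check the vendor advisory'
    (for the VMware products above, the KB article), not 'confirmed exploitable'."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("no OpenSSL version found in banner: %r" % banner)
    major, minor, fix, letters, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letters < "g"          # "" (plain 1.0.1) and "a".."f" are vulnerable
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1              # only 1.0.2-beta1 shipped the bug
    return False


def triage_banners(banners):
    """Map host -> 'vulnerable' | 'not_affected' | 'unknown' for a host:banner dict."""
    verdicts = {}
    for host, banner in banners.items():
        try:
            vuln = is_heartbleed_vulnerable(banner)
        except ValueError:
            verdicts[host] = "unknown"
            continue
        verdicts[host] = "vulnerable" if vuln else "not_affected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {"vcenter55.example": "OpenSSL 1.0.1e 11 Feb 2013",
              "esxi51.example": "OpenSSL 1.0.0k 5 Feb 2013",
              "appliance.example": "version banner unavailable"}
    for host, verdict in sorted(triage_banners(sample).items()):
        print("%-20s %s" % (host, verdict))
```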
Microsoft supporters are having a field day with the news, quick to point out that Hyper-V and Azure aren’t affected and poking fun at VMware’s prior claims of being more secure. So just how big of a deal is this for shops running VMware?
“It’s both a fantastically world-ending, huge deal that we should consider turning the Internet off for — and not a big deal at all,” said Trevor Pott, IT consultant for eGeek Consulting.
The potential vulnerability is scary, but not necessarily because VMware’s products are affected.
“The thing is, vSphere is rarely open to the outside world,” Pott said. “So, theoretically I could crack your SSL if I was sitting on your network sniffing your traffic. But if I’m behind your firewall sniffing your network traffic, you’ve got bigger problems than this.
“VMware and everybody who was vulnerable to this had the code to fix it in hours. So that means, if there isn’t a patch out for VMware’s products yet, there will be in a matter of days.”
Any Internet-facing device, including the dozens or hundreds found on a corporate network, is potentially at risk, but virtualized workloads may actually be easier to protect, Pott added.
“In a virtual environment, I can easily stand up a firewall in front of systems that I can’t patch, and I can essentially create an SSL proxy where the proxy facing the Internet is, in fact, patched,” he said. “The fact that I’m in a virtual environment means I could stand up a solution to this in minutes.”