VMware Response to CVE-2020-1967: OpenSSL 1.1.1 Segmentation fault in SSL_check_chain (CVE-2020-1967)
Article ID: 332342
Updated On:
Products
VMware Cloud Director
VMware HCX
Issue/Introduction
On April 21, 2020, an Important vulnerability in OpenSSL 1.1.1 identified by CVE-2020-1967 was disclosed that may allow for a Denial of Service.
VMware Security Engineering, Communications, and Response (vSECR) has evaluated which VMware products ship with vulnerable versions of OpenSSL 1.1.1 and may be potentially affected by this issue.
VMware Security Engineering, Communications, and Response (vSECR) has evaluated which VMware products ship with vulnerable versions of OpenSSL 1.1.1 and may be potentially affected by this issue.
Resolution
Evaluation Summary:
- CVE-2020-1967 is a Denial of Service issue in the Important severity range. Review our VMware Security Response Policies for information on severity classifications.
- OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
- This issue does not affect OpenSSL 1.0.2 and OpenSSL 1.1.0.
Note: VMware has a Premium Level Support contract with OpenSSL Software Services which allows VMware to receive information on OpenSSL 1.0.2 and OpenSSL 1.0.2 patches when needed.
- vCenter Server and ESXi are unaffected since they use OpenSSL 1.0.2.
- VMware appliances are unaffected since they run on Base Operating Systems that use OpenSSL 1.0.2.
- A few VMware products use a vulnerable version of OpenSSL 1.1.1, see section “Potentially Affected Products”.
Unaffected Products
vSECR has completed evaluation of the following products and determined that they do not ship with a vulnerable version of OpenSSL 1.1.1.|
Products |
Version |
Evaluation |
Workaround |
|
VMware ESXi |
Any |
Unaffected |
N/A |
|
VMware vCenter Server |
Any |
Unaffected |
N/A |
|
VMware Horizon DaaS Platform |
Any |
Unaffected |
N/A |
|
VMware NSX for vSphere |
Any |
Unaffected |
N/A |
|
VMware NSX-T |
Any |
Unaffected |
N/A |
|
VMware Skyline Appliance |
Any |
Unaffected |
N/A |
|
VMware Unified Access Gateway |
Any |
Unaffected |
N/A |
|
VMware vCloud Director for Service Providers |
Any |
Unaffected |
N/A |
|
VMware vRealize Log Insight |
Any |
Unaffected |
N/A |
|
VMware vRealize Network Insight |
Any |
Unaffected |
N/A |
|
VMware vRealize Operations |
Any |
Unaffected |
N/A |
|
VMware vRealize Orchestrator |
Any |
Unaffected |
N/A |
|
VMware vSphere Replication |
Any |
Unaffected |
N/A |
| VMware SD-WAN by Velocloud | Any | Unaffected | N/A |
Potentially Affected Products
vSECR has completed evaluation of the following products and determined that they ship with a vulnerable version of OpenSSL 1.1.1. Remediation will be made available in upcoming releases.|
Products |
Version |
Evaluation |
Workaround |
|
VMware HCX |
Any |
Potentially affected |
None |
|
VMware NSX Migration for VMware Cloud Director |
Any |
Potentially affected |
None |
Feedback
Yes
No
Powered by
