Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

Article ID: 340288

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

ESXi 5.5 and ESXi 5.5 Update1 hosts require an update to resolve the OpenSSL Heartbleed vulnerability found in the OpenSSL 1.0.1 library.

Apply this patch immediately to update the OpenSSL library and fix the critical security vulnerability reported in CVE-2014-0160. Details on this vulnerability can be found in VMware Security Advisory VMSA-2014-0004.

For details on the impact of the OpenSSL Heartbleed vulnerability on VMware products and portals, see:

Note:
  • It is recommended that you perform the remediation for vCenter Server 5.5 before you perform the steps recommended to remediate ESXi in the following section. See Resolving OpenSSL Heartbleed for vCenter Server 5.5 (2076692).
  • vSAN is not supported on ESXi 5.5 hosts upgraded with VMware ESXi 5.5, Patch Release ESXi550-201404020, because this patch release does not include all the bug fixes that were provided with ESXi 5.5 Update 1, including the vSAN GA fixes.


Environment

VMware vCenter Server 5.5.x
VMware vSphere ESXi 5.5

Resolution

Two ESXi 5.5 patches have been released to update the OpenSSL library to version 1.0.1g. These updates do not impact the openssl.exe file:

  • VMware ESXi 5.5, Patch Release ESXi550-201404001
    Apply this patch on ESXi 5.5 hosts to resolve all issues fixed in ESXi 5.5 Update 1, and additionally the OpenSSL Heartbleed issue.

    Patch bulletin ESXi550-201404401-SG contains the fix for OpenSSL Heartbleed and some other fixes.
    ONLY ESXi 5.5 Update 1 hosts should be patched with this patch.
    For more information about this patch release, see KB 2076120.

  • VMware ESXi 5.5, Patch Release ESXi550-201404020
    Do not apply this patch to ESXi 5.5 Update 1 hosts. Apply the patch to the following ESXi hosts only:
    • ESXi 5.5.0 hosts
    • ESXi 5.5.0 hosts patched with ESXi550-201312101-SG bulletin
    • ESXi 5.5.0 hosts patched with ESXi550-201312401-BG bulletin
    • ESXi 5.5.0 hosts patched with ESXi550-201403101-SG bulletin
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-standard image profile
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131201001s-no-tools image profile
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-standard image profile
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20131204001-no-tools image profile
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-standard image profile
    • ESXi 5.5.0 hosts patched with ESXi-5.5.0-20140301001s-no-tools image profile

    Note: After you patch your ESXi 5.5 hosts with VMware ESXi 5.5, Patch Release ESXi550-201404020, do not upgrade your hosts to ESXi 5.5 Update 1, as the hosts will again be vulnerable to the OpenSSL Heartbleed issue.
    After applying VMware ESXi 5.5, Patch Release ESXi550-201404020 on ESXi 5.5 hosts, patch your systems only with VMware ESXi 5.5, Patch Release ESXi550-201404001 to update your hosts with all bug fixes that were provided with ESXi 5.5 Update 1. If you upgrade to ESXi 5.5 Update 1 after applying these patches, you will need to apply ESXi550-201404401-SG before regenerating the certificates.

    For more information about this patch release, see KB 2076586.
Caution: When running an ESXi 5.5 host with NFS storage, apply patch ESXi550-201404020. If you apply patch ESXi550-201404001, you might encounter the issues described in Frequent NFS APDs after upgrading ESXi to 5.5 U1 (KB 2076392).

Installation instructions:

The typical way to apply patches to ESXi hosts is through VMware Update Manager. For details, see Installing and Administering VMware vSphere Update Manager.

For ESXi 5.5 hosts:
Apply Patch Release ESXi550-201404020, and then apply Patch Release ESXi550-201404001.

For ESXi 5.5 Update 1 hosts:
Apply the Patch Bulletin ESXi550-201404401-SG from Patch Release ESXi550-201404001.
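A quick post-patch check, added here as an example and not part of the VMware article: running openssl version in the ESXi Shell reports the library version, and the patch releases above bring it to 1.0.1g. The heartbleed_status function and the check_local_openssl wrapper are this example's own names; the affected range it encodes (upstream OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the upstream OpenSSL advisory for CVE-2014-0160. Note that this is a version-string check: it is valid on ESXi because the patch replaces the library with 1.0.1g, but it cannot see vendor backports on other platforms that fix the bug without changing the version string.

```shell
#!/bin/sh
# Example helper (not from the VMware KB article). Classifies an
# "openssl version" banner against the Heartbleed-affected release range.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed in 1.0.1g (the version the ESXi 5.5 patches install) and later.
# 1.0.0 and 0.9.8 never contained the TLS heartbeat code.

heartbleed_status() {
    # $1: banner text such as "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1[a-f]*|1.0.1) echo vulnerable ;;
        1.0.2-beta1)       echo vulnerable ;;
        1.0.1*|1.0.2*|1.1*|3.*) echo patched ;;
        1.0.0*|0.9.*)      echo not-affected ;;
        *)                 echo unknown ;;
    esac
}

# Run on the host itself: exit status 1 if the library is still affected,
# so the function can gate a post-patch verification script.
check_local_openssl() {
    status=$(heartbleed_status "$(openssl version 2>/dev/null)")
    echo "openssl: $status"
    [ "$status" != vulnerable ]
}
```

Run check_local_openssl from the ESXi Shell after the host has been patched and rebooted; a result of "patched" confirms the library the patch release delivers, and "unknown" means the banner could not be parsed and the host should be inspected by hand.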

Post installation instructions:

After installing the above-mentioned patches accordingly, you need to perform certificate revocation or replacement and change the passwords.

Generate new self-signed certificate
To generate new self-signed certificates, perform the following steps:

Note: If you are booting the hosts through Auto Deploy, remove the existing certificate directories in C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl. You see multiple host-xx directories containing the hostname file, certificate, and key of the ESXi Hosts. Remove these directories and reboot the ESXi hosts against the updated Image Profile to generate new certificates for the hosts.
  1. Log in to the ESXi Shell as a user with administrator privileges.
  2. Run the commands cd /etc/vmware/ssl and ls -l.
  3. In the directory /etc/vmware/ssl, back up any existing certificate and key to a persistent storage directory (under /vmfs/....).
    For example:

    mv rui.crt /vmfs/volumes/datastore1/orig.rui.crt
    mv rui.key /vmfs/volumes/datastore1/orig.rui.key

  4. Run the command /sbin/generate-certificates to generate new certificates.

    Note: You might see the following error message:

    WARNING: can't open config file: /usr/ssl/openssl.cnf

    or

    WARNING: can't open config file: /etc/pki/tls/openssl.cnf


    You can ignore this message as the new certificates are generated successfully.
  5. To verify that the host has successfully generated new certificates, run the ls -la command and compare the time stamps of the new certificate files with orig.rui.crt and orig.rui.key.
  6. To set the sticky bit back, run the chmod +t rui.crt and chmod +t rui.key commands.
  7. Restart the host.
    Generating the certificates places them in the correct location. Alternatively, you can put the host into maintenance mode, install the new certificate, and then use the Direct Console User Interface (DCUI) to restart the management agents.

    Note: You will need to reconnect to vCenter Server after restarting the Host. When you right-click and select Connect, the following warning message might be displayed:

    Authenticity of the host's SSL certificate is not verified.

    Close this message and re-enter the root credentials in the Host Connection wizard to successfully reconnect to the vCenter Server.
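The backup, regenerate and verify steps above (steps 3 to 6) as one shell function, added here as an example and not part of the VMware article. The defaults are the paths the article names (/etc/vmware/ssl, a datastore under /vmfs/volumes, and /sbin/generate-certificates); all three can be overridden, which is how the function can be exercised against a scratch directory. The function names regen_esxi_certs, has_sticky_bit and key_replaced are this example's own. Because the article says the openssl.cnf warning can be ignored, success is judged by the step 5 verification (new files present and newer than the backups), not by the generator's exit status.

```shell
#!/bin/sh
# Example helper (not from the VMware KB article): steps 3 to 6 of the
# ESXi certificate regeneration procedure.
#   $1  SSL directory            (default /etc/vmware/ssl)
#   $2  persistent backup dir    (default /vmfs/volumes/datastore1)
#   $3  certificate generator    (default /sbin/generate-certificates)
regen_esxi_certs() {
    ssl_dir=${1:-/etc/vmware/ssl}
    backup_dir=${2:-/vmfs/volumes/datastore1}
    generator=${3:-/sbin/generate-certificates}

    # Refuse to start if anything needed is missing; check the generator
    # before moving the key pair so the host is never left without one.
    [ -d "$ssl_dir" ]    || { echo "missing $ssl_dir" >&2; return 1; }
    [ -d "$backup_dir" ] || { echo "missing $backup_dir" >&2; return 1; }
    [ -x "$generator" ]  || { echo "missing $generator" >&2; return 1; }
    # Never overwrite an earlier backup of the original key pair.
    if [ -e "$backup_dir/orig.rui.crt" ] || [ -e "$backup_dir/orig.rui.key" ]; then
        echo "backup already exists in $backup_dir, refusing to overwrite" >&2
        return 1
    fi

    # Step 3: move the old certificate and key to persistent storage.
    mv "$ssl_dir/rui.crt" "$backup_dir/orig.rui.crt" || return 1
    mv "$ssl_dir/rui.key" "$backup_dir/orig.rui.key" || return 1

    # Step 4: generate a new key pair in the SSL directory. Its exit status
    # is not trusted (the article's openssl.cnf warning is harmless).
    (cd "$ssl_dir" && "$generator")

    # Step 5: the new files must exist, be non-empty and be newer than the
    # backups, which is what comparing ls -la time stamps checks by hand.
    for f in rui.crt rui.key; do
        [ -s "$ssl_dir/$f" ] || { echo "$f was not generated" >&2; return 1; }
        [ "$ssl_dir/$f" -nt "$backup_dir/orig.$f" ] \
            || { echo "$f is not newer than its backup" >&2; return 1; }
    done

    # Step 6: set the sticky bit back on both files.
    chmod +t "$ssl_dir/rui.crt" "$ssl_dir/rui.key" || return 1
    return 0
}

# Returns 0 only if the file carries the sticky bit (t or T in the mode).
has_sticky_bit() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        *[tT]) return 0 ;;
        *)     return 1 ;;
    esac
}

# Returns 0 only if the new private key differs from the backed-up one,
# i.e. the host is really running on fresh key material.
key_replaced() {
    [ "$(cksum < "$1/rui.key")" != "$(cksum < "$2/orig.rui.key")" ]
}
```

On a real host, run regen_esxi_certs with no arguments from the ESXi Shell, then has_sticky_bit /etc/vmware/ssl/rui.key and key_replaced /etc/vmware/ssl /vmfs/volumes/datastore1 before restarting the host (step 7). The function keeps the original key pair in the backup directory rather than deleting it, matching the article's mv commands; compromised key material should be removed from the datastore once the replacement has been verified and the certificate revoked or replaced.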

You can also configure CA signed certificates for your ESXi 5.5 hosts. For details see Configuring CA signed certificates for ESXi 5.x hosts (2015499).

Change ESXi host root user password
To change the ESXi host root user password, perform the following steps:
  1. Log in to the ESXi host service console as root, either through SSH or the physical console.
    Enter the current root password when prompted.
  2. Change the root password by running the following command:
    passwd root
  3. Enter the new root password and press Enter. Enter the password a second time to verify. ESXi warns you about nonsecure passwords, but does not prevent you from using them.

Note: If the problem persists after completing the steps in this article, file a support request with VMware Support and note this KB article ID (2076665) in the problem description. For more information, see Filing a Support Request in Customer Connect (2006985).

Additional Information

For translated versions of this article, see: