[Last Update April 19, 2014 - Patches available]

There is a lot of news about the recently published OpenSSL vulnerability. The bug, also known as "Heartbleed", allows attackers to steal information that is protected by SSL/TLS encryption.

Are VMware ESXi and vCenter affected?

There is currently no official statement from VMware regarding this issue. After some research I found affected versions in VMware products. Here are my findings:

The affected versions are OpenSSL 1.0.1 through 1.0.1f.

Likely Affected

VMware ESXi 5.5 (GA and U1)

    ~ # openssl version
    OpenSSL 1.0.1e 11 Feb 2013
    ~ # vmware --version
    VMware ESXi 5.5.0 build-1623387

According to this, ESXi 5.5 is vulnerable. The test scripts available here also report ESXi 5.5 hosts to be affected.
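The version comparison above can be scripted across many hosts. The following is an added example, not part of the original post: a POSIX shell sketch that classifies `openssl version` banners against the 1.0.1 through 1.0.1f range. The function names, the `host|banner` input format and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl version` banners against the range this
# page states as affected (OpenSSL 1.0.1 through 1.0.1f).

classify_openssl_banner() {
    # $1 is one line of `openssl version` output; field 2 is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}    # some distro builds append "-fips" to the version
    case "$ver" in
        1.0.1|1.0.1[abcdef])
            echo affected ;;        # inside 1.0.1 through 1.0.1f
        ""|*-*)
            echo unknown ;;         # not OpenSSL, or a beta/dev build: check by hand
        [0-9]*.[0-9]*.[0-9]*)
            echo not-affected ;;    # e.g. 0.9.8 builds, 1.0.1g
        *)
            echo unknown ;;
    esac
}

# Read "host|banner" lines on stdin and print "host status" for each.
audit_inventory() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(classify_openssl_banner "$banner")"
    done
}

# Constructed inventory: hostnames are made up, and only the first banner
# is taken from the ESXi 5.5 output shown above.
SAMPLE_INVENTORY='esx55-01|OpenSSL 1.0.1e 11 Feb 2013
esx51-01|OpenSSL 0.9.8y 5 Feb 2013
linux-01|OpenSSL 1.0.1e-fips 11 Feb 2013
patched-01|OpenSSL 1.0.1g 7 Apr 2014
lab-01|OpenSSL 1.0.2-beta1 24 Feb 2014'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A banner match only identifies the library build: a vendor may have backported the fix, and, as with the vCenter binary described below, a vulnerable copy may be present without being used by any service.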

Possibly Affected

VMware vCenter Server 5.5

I could find an affected binary of OpenSSL in the vCenter Server 5.5 directory but it is actually not in use by any services. So I assume the vCenter to be safe. I've also tested various scripts and did not get a positive response.

Not Affected

VMware ESXi 5.1

VMware ESXi 5.0

VMware ESXi 4.1

All of these products use an older, unaffected version of OpenSSL (OpenSSL 0.9.8).

References

[Update] VMware published KB2076225 regarding this issue

[Update] VMware has confirmed these products to be affected:



ESXi 5.5

NSX-MH 4.x

NSX-V 6.0.x

NVP 3.x

vCenter Server 5.5

vFabric Web Server 5.0.x – 5.3.x

VMware Fusion 6.0.x

VMware Horizon Mirage Edge Gateway 4.4.x

VMware Horizon View 5.3 Feature Pack 1

VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x

VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x

VMware Horizon View Client for Windows 2.3.x

VMware Horizon Workspace 1.0

VMware Horizon Workspace 1.5

VMware Horizon Workspace 1.8

VMware Horizon Workspace Client for Macintosh 1.5.1

VMware Horizon Workspace Client for Macintosh 1.5.2

VMware Horizon Workspace Client for Windows 1.5.1

VMware Horizon Workspace Client for Windows 1.5.2

VMware Horizon Workspace for Macintosh 1.8

VMware Horizon Workspace for Windows 1.8

VMware OVF Tool 3.5.0

VMware vCloud Automation Center (vCAC) 6.x

VMware vCloud Networking and Security (vCNS) 5.1.3

VMware vCloud Networking and Security (vCNS) 5.5.1

[Update] VMware published a Security Advisory