CVE-2014-0224 SSL/TLS MITM Vulnerability
Important to Low (see affected Pivotal products for details)
- 0.9.8, 1.0.0, 1.0.1
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
Affected VMware Products and Versions
Severity is important unless otherwise noted.
- vFabric Web Server 5.0.x, 5.1.x, 5.2.x, 5.3.x
- Pivotal Web Server 5.4.0
- Enterprise Ready Server (ERS) 4.x (Severity: Moderate)
- Greenplum Command Center (GPCC) 1.2.2.x
- Greenplum Database (GPDB) 4.3.x, 4.2.x, 4.1.x, 4.0.x
- HAWQ 1.0.x, 1.1.x, 1.2.x
- Pivotal Command Center (PCC) 2.0.x, 2.1.x
- Pivotal Cloud Foundry (PCF) 1.0, 1.1, 1.2 (Severity: Low)
- Pivotal App Suite Virtual Appliance 188.8.131.52, 184.108.40.206
- GemFire Native Client
Users of affected versions should apply the following mitigation:
- vFabric Web Server, Pivotal Web Server and Enterprise Ready Server (all versions) - Pivotal recommends that all ERS httpd, vFabric and Pivotal Web Servers be updated to Pivotal Web Server 5.4.1 or Pivotal Web Server 6.0 to avoid weakened public internet routed traffic from similarly affected user agents. Alternatively, a patch to only the OpenSSL library files shipped with vFabric Web Server releases 5.1.0 through 5.3.4 is available.
- Greenplum Command Center (GPCC) 220.127.116.11 was rebuilt with OpenSSL 1.0.1h and released on Pivotal Network 18-June-2014. GPCC 18.104.22.168 Product and Release Notes files are found on the Pivotal Network Greenplum Database page.
- Greenplum Database (GPDB) was rebuilt with OpenSSL 0.9.8za. GPDB version 22.214.171.124 is released on Pivotal Network 19-June-2014. GPDB version 126.96.36.199 is expected to be released by the end of June 2014. Customers who are on older versions (4.0.x and 4.1.x) are requested to upgrade to either 188.8.131.52 or 184.108.40.206. GPDB version 220.127.116.11 Product and Release Notes files can be found on the Pivotal Network Greenplum Database page.
- HAWQ is being rebuilt with OpenSSL 0.9.8za. HAWQ version 18.104.22.168 is expected to be released the week of June 16. HAWQ version 22.214.171.124 is expected to be released in August 2014.
- Pivotal Command Center (PCC) users should determine if the underlying RedHat Linux or CentOS version is affected and upgrade their OS per instructions to be posted in the Pivotal Command Center documentation (we expect the instructions to be virtually identical to CVE-2014-0160-Advisory-PCC, customers can reference that advisory for interim instructions as needed).
- Pivotal Cloud Foundry (PCF) will have a minor release in early Q3 including stemcells built with updated OpenSSL versions.
- Pivotal App Suite Virtual Appliance (all versions): Pivotal recommends that customers should mitigate the security vulnerability by upgrading libssl and webserver.
- GemFire Native clients on versions 3.6.x and 7.0.x should upgrade their OpenSSL library to the latest version to eliminate the vulnerability discovered in OpenSSL. We have verified that the native client versions will work with the latest OpenSSL libraries and no other software changes are needed.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSSL on 1st May 2014 via JPCERT/CC.
The fix was developed by Stephen Henson of the OpenSSL core team partly base on an original patch from KIKUCHI Masashi.