- 1.0.1 through 1.0.1f
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- vFabric Web Server 5.0.x, 5.1.x, 5.2.x, 5.3.x
- vFabric GemFire Native Client 7.0.0.X, 7.0.1.X
- Pivotal GemFire Native Client 7.0.2.X
- Pivotal Command Center 2.0.x, 2.1.x
- Pivotal App Suite Virtual Appliance 184.108.40.206
Users of affected versions should apply the following mitigation:
- vFabric Web Server users (all versions) should apply the patch including version 1.0.1g of OpenSSL per the instructions posted here as soon as possible.
- GemFire Native Client 7.0.X users should immediately upgrade to OpenSSL 1.0.1g or later or recompile their existing OpenSSL 1.0.1 installations with the –DOPENSSL_NO_HEARTBEATS option. See CVE-2014-0160-GemFire-Native-Client for more information.
- Please see this doc for Pivotal Command Center.
- Pivotal App Suite Virtual Appliance 220.127.116.11 users should upgrade to version 18.104.22.168 as soon as possible.
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.
2014-Apr-7: Initial vulnerability report published.