VMWare releases first Heartbleed patch

Numerous VMWare products use vulnerable versions of OpenSSL. So far only Horizon Workspace Server has been patched.

VMWare has issued a security advisory (VMSA-2014-0004) listing which of their products are affected by the Heartbleed vulnerability. The advisory also announced one patch that has been released.

A long list of products are listed as affected: vCenter Server, ESXi, VMware Fusion, NSX-MH, NSX-V, NVP, Horizon Mirage Edge Gateway, Horizon View Feature Pack, Horizon View Client, Horizon Workspace Server, Horizon Workspace Client, Horizon Workspace for Macintosh, Horizon Workspace for Windows , OVF Tool, vCloud Networking and Security and vCloud Automation Center (vCAC). Of these, a patch has been released only for Horizon Workspace Server.

An earlier VMWare knowledge base article had listed the affected products, as well as a long list of unaffected VMWare products and services, plus one service — Socialcast — which was patched several days ago.

Users of Horizon Workspace Server 1.0 are advised to upgrade to version 1.5 and to apply the patch horizon-nginx-rpm- Version 1.5 users should apply the same patch. Users of version 1.8 should apply horizon-nginx-rpm-

The advisory also mentions another, lesser vulnerability in one implementation of OpenSSL which is fixed in the new version without specifically saying if VMWare is affected by it.