vCenter, ESX, and ESXi are not impacted by the OpenSSL security vulnerability in CVE-2009-3555.
This issue occurs only when a renegotiation of the SSL session is possible. VMware has reviewed all interfaces where SSL traffic is present and has found that none of them allow renegotiation.
- Communication between vCenter (VirtualCenter), vSphere Client (VI Client), ESX, and ESXi
- OpenSSL functionality of ESX service console as used by ESX
- VMware CIM APIs providing a Common Information Model (CIM) interface
- VMware Web Access
Updating OpenSSL to the version 0.9.8l, which remediates CVE-2009-3555 is not relevant, because VMware products are not affected.
The CVE-2009-3555 vulnerability is explained in http://cvs.openssl.org/getfile?f=openssl/CHANGES&v=OpenSSL_0_9_8l
For more information, see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555.
Based on VMware KB 1016357