OpenSSL security vulnerability with CVE-2009-3555 identifier does not affect vCenter, ESX, and ESXi

Details

vCenter, ESX, and ESXi are not impacted by the OpenSSL security vulnerability in CVE-2009-3555.
 
This issue occurs only when a renegotiation of the SSL session is possible. VMware has reviewed all interfaces where SSL traffic is present and has found that none of them allow renegotiation.
 
This includes:
  • Communication between vCenter (VirtualCenter), vSphere Client (VI Client), ESX, and ESXi
  • OpenSSL functionality of ESX service console as used by ESX
  • VMware CIM APIs providing a Common Information Model (CIM) interface
  • VMware Web Access
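
One way to check the renegotiation condition described above on an endpoint you administer, as an added example that is not VMware's code: it classifies the output of `openssl s_client` after a client-initiated renegotiation request (`R`). The function name, the sample transcripts, and the host name are constructed for illustration, and the string matching is a heuristic.

```shell
#!/bin/sh
# Added example (not from the KB article). Against a live endpoint:
#   ( printf 'R\n'; sleep 5 ) | openssl s_client -connect HOST:PORT -tls1_2 2>&1 | classify_reneg
# HOST:PORT is a placeholder. TLS 1.3 has no renegotiation, hence -tls1_2.

# classify_reneg: read an s_client transcript on stdin and print one of
#   not-attempted  no RENEGOTIATING marker was seen
#   refused        an error or alert followed the renegotiation request
#   accepted       a fresh certificate verification followed the request
#   inconclusive   the request was sent but neither outcome was observed
classify_reneg() {
    awk '
        /^RENEGOTIATING/ { attempted = 1; next }
        !attempted { next }
        /error:|errno=|handshake failure|alert/ { refused = 1 }
        /verify return:/ { completed = 1 }
        END {
            if (!attempted)     print "not-attempted"
            else if (refused)   print "refused"
            else if (completed) print "accepted"
            else                print "inconclusive"
        }
    '
}

# Constructed transcript: the server drops the connection on the request.
sample_refused() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = esx.example.test
verify return:1
---
RENEGOTIATING
write:errno=104
EOF
}

# Constructed transcript: a second handshake completes after the request.
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = esx.example.test
verify return:1
---
RENEGOTIATING
depth=0 CN = esx.example.test
verify return:1
EOF
}
```

A result of `refused` is consistent with the statement that the interface does not allow renegotiation; `accepted` means the endpoint completed a renegotiation and should be reviewed.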

Solution

Updating OpenSSL to version 0.9.8l, which remediates CVE-2009-3555, is not relevant because VMware products are not affected.

The CVE-2009-3555 vulnerability is explained in http://cvs.openssl.org/getfile?f=openssl/CHANGES&v=OpenSSL_0_9_8l.
For more information, see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555.

Based on VMware KB 1016357
