Earlier this year the Heartbleed OpenSSL vulnerability came to light, and many products from many different vendors were affected. Heartbleed is a very serious vulnerability, and you should conduct a thorough audit to validate all of your software and hardware components are not affected. My bet is that many of your product are affected, and VMware was far from alone in having to issue software updates. Fresh off the presses is vCenter 5.5 Update 1b, which addresses CVE-2014-0224, Heartbleed. They have updated their OpenSSL libraries to 0.9.8za, 1.0.0m and 1.0.1h. I find it interesting that all three versions are used within the product.
As usual, this minor update includes some other bug fixes a well and not major new features. Other resolved issues include:
Host profile answer file might not be applied when you reboot the ESXi host
After you restart the vCenter services, if you use Auto Deploy to reboot a stateless ESXi host, the host profile answer file might not be applied to the ESXi host and the host configuration might fail. This issue occurs if the reference host is not available.
Under certain conditions, Virtual SAN storage providers might not be created automatically after you enable Virtual SAN on a cluster
When you enable Virtual SAN on a cluster, Virtual SAN might fail to automatically configure and register storage providers for the hosts in the cluster, even after you perform a resynchronization operation.
As is typical with VMware release notes there is a handy dandy list of known issues, which you should thoroughly read through before deploying this update. A few known issues that jumped out at me include:
- Upgrade from vCenter Single Sign-On 5.1 Update x to 5.5 Update 1a fails if the password set for [email protected] contains double quotation mark (“)
- After you upgrade vCenter Server 4.x to 5.5 Update 1a, vCenter Server is inaccessible through vSphere Web Client (Due to SSL issues)
- Attempts to upgrade from earlier versions of vCenter Single Sign-On 5.5 to 5.5 Update 1a might fail if the Windows Error Reporting Service is disabled
- Installation using Simple Install fails on Windows Server 2008 R2 and Windows 2012 hosts
Given the extreme severity of the Heartbleed issue, this is one security update that I recommend you immediately start testing in your lab environment and roll out into product once you are satisfied that it hasn’t broken anything in your environment. You can find the full release notes here. You can download the updated ISO here.