Yesterday VMware finally released a fix for the nasty NFS bug that was introduced with ESXi 5.5 Update 1. Customers who were waiting to update to U1 because of this bug can now safely update their hosts and will also get protection from the OpenSSL Heartbleed bug.
But there is another reason why you should update your ESXi 5.5 hosts with this patch very soon - even if you are not affected by the NFS bug and have already applied the Heartbleed fix!
The latest ESXi 5.5 patch includes another fix for a new OpenSSL vulnerability that may reportedly be even more dangerous than the Heartbleed bug! It is known as CVE-2014-0224 and allows MitM ("Man in the Middle") attacks on SSL-encrypted connections. VMware has been investigating this and a few other new OpenSSL vulnerabilities since they became publicly known on June 5th, and they are documenting their assessment in KB2079783.
I have updated my ESXi 5.x Patch Matrix to include the new patch. And here is the quickest way to get your standalone ESXi hosts updated:
Enable SSH access on your host, log in to it (e.g. using PuTTY) and run the following commands:
    # Open firewall for outgoing HTTP requests:
    esxcli network firewall ruleset set -e true -r httpClient
    # Install the ESXi-5.5.0-20140604001-standard image profile from the VMware Online Depot
    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140604001-standard
    # Reboot your host
    reboot
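After the reboot it is worth confirming that the host really runs the patched image profile and closing the outgoing HTTP rule again. The script below is an added example, not part of the original post; it assumes `esxcli software profile get` prints a `Name:` line that may carry an "(Updated) " prefix, and it falls back to constructed sample output when `esxcli` is not available.

```shell
#!/bin/sh
# Post-update check for a standalone ESXi host (added example, not from the post).
EXPECTED_PROFILE="ESXi-5.5.0-20140604001-standard"   # profile named in the post

# Extract the image profile name from `esxcli software profile get` output.
# Assumption: a "Name:" line exists, optionally prefixed with "(Updated) ".
profile_name() {
    printf '%s\n' "$1" | sed -n 's/^ *Name: *//p' | sed 's/^(Updated) *//' | head -n 1
}

# Return 0 only if the reported profile is exactly the expected one.
profile_matches() {
    [ "$(profile_name "$1")" = "$2" ]
}

# Constructed sample output, used only when esxcli is absent (off-host dry run).
SAMPLE_OUTPUT='(Updated) ESXi-5.5.0-20140604001-standard
   Name: (Updated) ESXi-5.5.0-20140604001-standard
   Vendor: VMware, Inc.
   Acceptance Level: PartnerSupported'

post_update_check() {
    if command -v esxcli >/dev/null 2>&1; then
        out=$(esxcli software profile get)
    else
        out=$SAMPLE_OUTPUT
    fi
    if profile_matches "$out" "$EXPECTED_PROFILE"; then
        echo "OK: host runs $EXPECTED_PROFILE"
        # Close the outgoing HTTP rule that was opened only for the update.
        if command -v esxcli >/dev/null 2>&1; then
            esxcli network firewall ruleset set -e false -r httpClient
        fi
        return 0
    fi
    echo "MISMATCH: host reports '$(profile_name "$out")'" >&2
    return 1
}

post_update_check
```

A mismatch leaves the firewall rule untouched so the update can be retried.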
This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.