The following is a response to the current situation with the software security vulnerability dubbed Heartbleed:The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation.
VMware plans to release updated products and patches for all affected products in this article by April 19th. Please check this article for any updates or exceptions to this timeframe.
See the lists for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while updates are being prepared.
Resolution/mitigation
By deploying vSphere 5.5 (and other relevant VMware products) on an isolated management network, the exposure to CVE-2014-0160 is reduced. Hosting vSphere components directly on the Internet is strongly discouraged. Virtual machines that are exposed to the Internet should be updated in case they are affected. For the latter, refer to the instructions by the operating system provider.
VMware is working on updating its products to remediate the issue. When software updates for CVE-2014-0160 are available, deployment of these updates should be accompanied by replacing certificates and resetting passwords as per best practices. Instructions on how to do this for each affected product will be provided at the same time updates are released.
New VMware Security Advisory VMSA-2014-0004 (Heartbleed)
New VMware Security Advisory VMSA-2014-0004 (Heartbleed)
