

OVF upload browser plug-in vulnerability

As VMware previously noted in KB 2076225, a component called ovftool is vulnerable to the Heartbleed OpenSSL bug. This tool is included in a browser plug-in used to upload OVF files (virtual machines) to vCloud Director 5.6, as used in vCloud Hybrid Service (vCHS). The affected component, the “VMware Client Integration Plug-in 5.5”, is offered for download when you choose to upload an OVF file directly through the vCloud Director user interface.

To remediate, close your browser and uninstall the plug-in. The next time you elect to upload an OVF file directly through the vCloud Director web interface in vCHS, you can download and install the patched version of the plug-in.

Previous versions are not affected. Other forms of OVF transfer such as vCloud Connector and API uploads are not vulnerable, and the vCHS service itself is also not vulnerable.

A successful attacker could read sections of the plug-in's process memory, potentially revealing sensitive information. This vulnerability is difficult to exploit, as it requires a sophisticated attack on the client and a compromised network.

For additional information about Heartbleed and VMware products and services, please see KB 2076225.