On Monday, a serious vulnerability was published in some commonly used versions of the OpenSSL library that allows attackers to compromise an SSL or TLS endpoint (CVE-2014-0160, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160). The vulnerability is also known as the “Heartbleed bug” and has attracted considerable attention because of its seriousness and because the library is embedded in many applications and operating systems.
VMware has reviewed the use of the OpenSSL libraries deployed within vCloud Hybrid Service, including the service APIs and the load balancing service, and the service is not affected by this vulnerability.
As the affected OpenSSL library versions are included in many operating systems and applications, we strongly encourage customers to review their virtual machine configurations and apply the appropriate patched versions of OpenSSL if necessary.
For the results of VMware’s ongoing investigation into the Heartbleed OpenSSL issue, please visit VMware Knowledge Base article 2076225.