Home > Blogs > VMware Security & Compliance Blog

Recent OpenSSL Website Defacement

VMware is aware of suggestions that the recent defacement of the OpenSSL Foundation website (http://www.openssl.org/news/secadv_hack.txt) may be as a result of a hypervisor compromise.

The VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider in order to understand whether VMware products are implicated and whether VMware needs to take any action to ensure customer safety.

We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.

VMware recommends the use of vCloud Director in deployment scenarios that require secure Internet facing access to Virtual Center and ESXi. In the event that Virtual Center is directly Internet facing VMware recommends customers remain current with patches and updates and that they follow the best practices in the vSphere Security Hardening guides https://www.vmware.com/support/support-resources/hardening-guides.html.

Updated: January 3, 2014

OpenSSL updated their advisory at¬†http://www.openssl.org/news/secadv_hack.txt to confirm that their understanding of the cause of this incident is the same as VMware’s. The VMware Security Response Center would like to thank their colleagues in the OpenSSL Security Team for their timely collaboration in understanding this incident further.


This entry was posted in VMware Security Response Center on by .

About Iain Mulholland

Senior Director, Product Security @ Vmware

7 thoughts on “Recent OpenSSL Website Defacement

  1. Pingback: OpenSSL site defacement involving hypervisor hack rattles nerves (updated) | Gizmo Envy

  2. Simon

    This post needs much more detail to calm customer nerves. Can you please be explicit about what the ‘operational security error’ was? Linking to a generic hardening guide is not helpful, I want to know exactly what the problem was, and how it can be avoided. More technical details please.

  3. Mark Cox

    see updated statement at http://www.openssl.org/news/secadv_hack.txt (“bad passwords on ISP hypervisor management interface”)

  4. Pingback: OpenSSL Says Breach Did Not Involve Corrupted Hypervisor – InformationWeek | EikAwaz.com

  5. Pingback: OpenSSL Says Breach Did Not Involve Corrupted Hypervisor – InformationWeek | Top Breaking News

  6. Pingback: OpenSSL hack reveals urgent need to beef up Internet security – Tech Times | Top Breaking News

  7. Pingback: The Ship Show | Infrastructure As A Service… You’re Responsible For

Comments are closed.