Among numerous enhancements and fixes, this patch also includes an update to OpenSSL 1.0.1g, which resolves the widespread vulnerability known as the Heartbleed Bug. You can check out the list of fixes in the Release Notes.
Alongside this patch, you can apply a Heartbleed-only patch to your vApp if desired. If you're running Horizon Workspace 1.0, you must upgrade to at least version 1.5 to apply the Heartbleed fix manually. Likewise you can apply the Heartbleed fix to Workspace 1.8.0, but if you're taking the time to patch it, you might as well update to 1.8.1. See more info about that patch here: kb.vmware.com/kb/2076551
Applying the Heartbleed-Only fix (updating OpenSSL)
To apply the Heartbleed-only patch from the above KB, copy the RPM to somewhere on the gateway-va (/tmp, for example). I like to use WinSCP for copying files to and from my appliances. Then run the RPM and you will see it stop nginx and apply the patch.
You can always check the status of nginx afterward by running /etc/rc.d/nginx status
Per the KB, after running the OpenSSL fix you'll want to regenerate your SSL Certs. The steps are slightly different if you terminate SSL at the gateway-va vs a Load Balancer, so be sure to refer to the article.
You can find more details on the Heartbleed vulnerability here: www.vmware.com/security/advisories/VMSA-2014-0004.html
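A quick post-patch check, as an added example that is not from the KB or VMware: the script classifies an `openssl version` banner against the upstream Heartbleed range (1.0.1 through 1.0.1f affected, 1.0.1g fixed). The function name and sample banners are constructed for illustration, and it assumes the `openssl` binary reports the same library version nginx uses.

```shell
#!/bin/sh
# Added example (not VMware's code): classify an `openssl version` banner.
# Upstream releases affected by Heartbleed: 1.0.1 through 1.0.1f, plus
# 1.0.2-beta and 1.0.2-beta1. Fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches
# never contained the heartbeat code.
# Caveat: some vendors backport the fix without changing the version letter,
# so treat "vulnerable" as "confirm against the vendor advisory".

heartbleed_status() {
    # $1 = banner text, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        "")                         echo "unknown" ;;
        1.0.1|1.0.1[a-f])           echo "vulnerable" ;;
        1.0.1[a-f]-*)               echo "vulnerable" ;;    # e.g. 1.0.1e-fips
        1.0.2-beta|1.0.2-beta1)     echo "vulnerable" ;;
        1.0.1[g-z]*)                echo "patched" ;;
        0.9.*|1.0.0*)               echo "not-affected" ;;
        1.0.2*|1.1.*|[3-9].*)       echo "patched" ;;
        *)                          echo "unknown" ;;
    esac
}

# Constructed sample banners, as they might look before and after the patch.
for banner in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-32s -> %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# On a real host, classify the locally installed OpenSSL (assumption: the
# `openssl` binary reports the same library version that nginx is linked against).
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null)
    printf '%-32s -> %s\n' "$local_banner" "$(heartbleed_status "$local_banner")"
fi
```

A "patched" result only confirms the library version; the certificate regeneration steps from the KB still apply, since keys used while the old library was running may have been exposed.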
1. Take a snapshot of each appliance and the external DB VM
2. Login to the Configurator as root
3. Run /usr/local/horizon/lib/menu/updatemgr.hzn check and ensure you see the 1.8.1 update, then run /usr/local/horizon/lib/menu/updatemgr.hzn update
4. Reboot the vApp.
NOTE: If you didn't apply the Heartbleed-specific patch above prior to updating to 1.8.1, then you must generate new SSL Certs and apply them to your gateway-va. See the post-installation steps outlined in kb.vmware.com/kb/2076551
<Screenshots coming soon>
Don't forget to also upgrade your Workspace Clients to 1.8.1!
If you have further queries or concerns about how Heartbleed could affect your Horizon View environment, take a gander at kb.vmware.com/kb/2076796 along with the VMware Security Advisories page.