Monday, April 21, 2014

Horizon Workspace 1.8.1 and Heartbleed patch

This day and age marks a great new release bound to get techies everywhere a mouth watering treat (no not that one). VMware released a patch for Horizon Workspace bringing the software to version 1.8.1!

Among numerous enhancements and fixes, this patch also includes an update to OpenSSL 1.0.1g which resolves the widespread vulnerability known as the Heartbleed Bug. You can check out the list of fixes in the Release Notes


Alongside this patch, you can apply a Heartbleed-only patch to your vApp if desired. If you're running Horizon Workspace 1.0, you must upgrade to at least version 1.5 to apply the Heartbleed fix manually. Likewise you can apply the Heartbleed fix to Workspace 1.8.0, but if you're taking the time to patch it, you might as well update to 1.8.1. See more info about that patch here: kb.vmware.com/kb/2076551


Applying the Heartbleed-Only fix (updating OpenSSL)


Applying the Heartbleed-only patch from the above KB, you should copy the RPM to somewhere on the Gateway-va (/tmp for example). I like to use WinSCP for copying files to and from my appliances. Then run the RPM and you will see it stop nginx and apply the patch:




You can always check the status of nginx afterward by running /etc/rc.d/nginx status

 

Per the KB, after running the OpenSSL fix you'll want to regenerate your SSL Certs. The steps are slightly different if you terminate SSL at the gateway-va vs a Load Balancer, so be sure to refer to the article.

 

You can find more details on the Heartbleed vulnerability here: www.vmware.com/security/advisories/VMSA-2014-0004.html

 

 

Updating Workspace 1.8.0 to 1.8.1
Be sure to check out the Release Notes


1. Take a snapshot of each appliance and the external DB VM
2. Login to the Configurator as root
3. Run /usr/local/horizon/lib/menu/updatemgr.hzn check and ensure you see the 1.8.1 update, then run /usr/local/horizon/lib/menu/updatemgr.hzn update
4.  Reboot the vApp.
NOTE: If you didn't apply the Heartbleed-specific patch above prior to updating to 1.8.1, then you must generate new SSL Certs and apply them to your gateway-va. See the post-installation steps outlined in kb.vmware.com/kb/2076551

<Screenshots coming soon>


Don't forget to also upgrade your Workspace Clients to 1.8.1!

If you have further queries or concerns about how Heartbleed could affect your Horizon View environment, take a gander at kb.vmware.com/kb/2076796  along with the VMware Security Advisories page.
Share:

Follow by Email