VMware has confirmed that 27 of its products need patches for the Heartbleed bug. The bad news is that Virtzilla says it “expects to have updated products and patches for all affected products … by April 19th.” The 19th is Saturday. Easter Saturday. The previous day is Good Friday, a public holiday in the UK, Canada, Australia …
I think Australia's 19th is the day before the California 19th because of the International Date Line. So they will be dragged into the office on Easter Sunday if the release is early enough... otherwise, on Monday while everybody else does it on Sunday.
Oh... and you poor guys in the UK... midnight call in.
Why would you want to install the update straight away? A few days running the workarounds you've implemented when you found out you were vulnerable won't hurt, will they? Allows someone else to experience the pain of any issues created by the updates.
running the workarounds you've implemented when you found out you were vulnerable
History suggests that many still don't know, and probably won't realize even when they get the patch (which they will ignore). There are too many underskilled/overworked/alienated to the point of not caring sysadmins out there to ensure that this issue will not be fixed quickly.
Weighing in because I breathed a heavy sigh of relief when I remembered we were using ESXi 5.1 (which used ye olde OpenSSL 0.9.8) - all of the traffic between the various VMware nodes and subsystems is governed by TLS with subsequent SSL certs. Generating the requests and the certs for all of these took a helluva long time; I was the poor sod who did it before they brought out their semi-automatic cert request generator (which still had to be manually submitted to the CA one by one). My doco on the process comprises about 1500 words (not including things like file locations and config values) and about 50 screenshots.
So it's not so much the pain of having things break that many admins will be worried about - it'll be revoking and replacing all those bloody certs across the entire infrastructure which will involve making the services unavailable for the duration. From what I've read about there's still no fully automated method in ESXi 5.5; whilst it might not be as hairy as 5.1 (and TBH it still looks like it is) it'll still take a looong time.
Start reading here http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html if you want to see how painful the SSL process is, and then remember that there's plenty of places that aren't allowed to use third-party scripting to do this either and must only use vendor-supplied tools.
Re: running workarounds
There are too many underskilled/overworked/alienated (by manglement's insistence to do more with less to the point of not caring) sysadmins out there to ensure that this issue will not be fixed quickly.
A slight semantic difference, but, still,
No. Piss off. We work too much already. I'm having a holiday. And my phone will be OFF.
Another set of bugs that don't affect me. ESX (yes, I don't like the thin hypervisor) 4.1 and vCenter 5.0, baby (KB says both not affected).
On top of that, Netscaler fronts all of my Linux boxes, so no issues there either.
This heartbleed thing is much to do about nothin for me.
APRIL 19? REALLY?
Apparently "virtually anything is possible" except getting critical vulnerabilities patched in less than two weeks. At least when open source finds out they've screwed up there's a fix out within hours or days.
Thumbs up to both tirk and Fatman for pointing out what's obvious to the many who are now beyond burn-out after a decade of "more with less".