VMware reveals 27-patch Heartbleed fix plan VMware has confirmed that 27 of its products need patches for the Heartbleed bug. The bad news is that Virtzilla says it “expects to have updated products and patches for all affected products … by April 19th.” The 19th is Saturday. Easter Saturday. The previous day is Good Friday, a public holiday in the UK, Canada, …
I think Australia's 19th is the day before the California 19th because of the International Dateline. So they will drug into the office on Easter Sunday if the release is early enough... otherwise, on Monday while everybody else does it on Sunday.
Oh.. an you poor guys in the UK... midnight call in.
running the workarounds you've implemented when you found out you were vulnerable
History suggests that many still don't know, and probably won't realize even when they get the patch (which they will ignore). There are too many underskilled/overworked/alienated to the point of not caring sysadmins out there to ensure that this issue will not be fixed quickly.
Weighing in because I breathed a heavy sigh of relief when I remembered we were using ESXi 5.1 (which used ye olde OpenSSL 0.9.8) - all of the traffic between the various VMware nodes and subsystems is governed by TLS with subsequent SSL certs. Generating the requests and the certs for all of these took a helluva long time; I was the poor sod who did it before they brought out their semi-automatic cert request generator (which still had to be manually submitted to the CA one by one). My doco on the process comprises about 1500 words (not including things like file locations and config values) and about 50 screenshots.
So it's not so much the pain of having things break that many admins will be worried about - it'll be revoking and replacing all those bloody certs across the entire infrastructure which will involve making the services unavailable for the duration. From what I've read about there's still no fully automated method in ESXi 5.5; whilst it might not be as hairy as 5.1 (and TBH it still looks like it is) it'll still take a looong time.
Start reading here http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html if you want to see how painful the SSL process is, and then remember that there's plenty of places that aren't allowed to use third-party scripting to do this either and must only use vendor-supplied tools.
Apparently "virtually anything is possible" except getting critical vulnerabilities patched in less than two weeks. At least when open source finds out they've screwed up there's a fix out within hours or days.
Thumbs up to both tirk and Fatman for pointing out what's obvious to the many who are now beyond burn-out after a decade of "more with less".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
