Update on Openssl.org breach from VMware

Earlier today I published a blog post entitled Openssl.org breached via…the provider’s hypervisor? Luckily, Iain Mulholland, a “Software Security Guy at VMware” reached out to me via Twitter.

In his tweet (shown above) Ian pointed me at a VMware blog post that contradicts the Openssl.org communicated breach vector. In the post, VMware states:

The VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider in order to understand whether VMware products are implicated and whether VMware needs to take any action to ensure customer safety.

We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.

So it looks like we’re not talking about a hypervisor-popping or virtualization container-breaking 0day after all.

Based on the disclosures by both involved vendors, I’m leaning towards the VMware account at this time. However, I reserve the right to flip-flop back as new information is made available 🙂

Scroll to top