Channel: VMware Communities : All Content - vCenter™ Server

OpenSSL oracle padding vulnerability (CVE-2016-2107)


Our current vCenter 6.2 is running with OpenSSL 1.0.1p 9 Jul 2015.

CVE-2016-2107 (OpenSSL advisory) [High severity] 3rd May 2016:

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169).

The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes.

But it no longer checked that there was enough data to have both the MAC and padding bytes. Reported by Juraj Somorovsky on 13th April 2016.

Fixed in OpenSSL 1.0.1t (Affected 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

Fixed in OpenSSL 1.0.2h (Affected 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

 

How do I update to 1.0.1t? Is there any fix from VMware?
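A quick way to triage hosts against the affected ranges listed in the advisory text above, as an added example that is not part of the original post and not VMware or OpenSSL code: it parses the banner printed by `openssl version` and compares the letter release with the fixed releases 1.0.1t and 1.0.2h. The function names and the `not-listed` result are assumptions made for this sketch.

```python
import re

# Fixed letter release per branch, taken from the advisory text in the post.
FIXED_IN = {"1.0.1": "t", "1.0.2": "h"}

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1p 9 Jul 2015".
# A vendor tag such as "-fips" after the letter is tolerated and ignored.
_BANNER = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]{0,2})\b")


def parse_banner(banner):
    """Return (branch, letter) from an `openssl version` banner."""
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    return m.group(1), m.group(2)


def letter_rank(letter):
    """Order letter releases: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    if letter == "":
        return 0
    if len(letter) == 1:
        return ord(letter) - ord("a") + 1
    # Two-letter releases follow 'z' (first character is assumed to be 'z').
    return 26 + ord(letter[1]) - ord("a") + 1


def classify(banner):
    """Return 'affected', 'fixed' or 'not-listed' for CVE-2016-2107."""
    branch, letter = parse_banner(banner)
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        # The advisory text in the post only covers the 1.0.1 and 1.0.2 branches.
        return "not-listed"
    return "affected" if letter_rank(letter) < letter_rank(fixed) else "fixed"


if __name__ == "__main__":
    # The first banner is the one quoted in the post; the rest are constructed samples.
    for sample in ("OpenSSL 1.0.1p 9 Jul 2015", "OpenSSL 1.0.1t",
                   "OpenSSL 1.0.2g", "OpenSSL 1.0.1e-fips"):
        print("%-28s %s" % (sample, classify(sample)))
```

The result reflects the upstream version number only: a vendor build can carry a backported fix without changing the letter, so an "affected" banner on a packaged product still needs to be checked against that vendor's own advisory.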

