Does VMware Products are affected by “Shellshock” Bash Vulnerability ?

Posted by on in | 2092 Views | 1 Response

You might have heard above the Bash ShellShock Vulnerability from few days back. It is really more vulnerable than Heartbleed because Heartbleed was all about sniffing the system memory but Shellshock has opened the door so widely by allowing attackers can take the system control remotely. Millions of computers are using bash shell (command interpreter ). New security flaw has been found on bash(Bash Code Injection Vulnerability (CVE-2014-6271 & CVE-2014-7169) BASH(Bourne-Again SHell) is the default shell in all the Linux flavors(Redhat Linux,Open SUSE,Ubuntu etc.. Some of the other operating systems also shipped with bash shell but not a default shell. Almost all the vendors are in process of releasing the Patches for the Bash ShellShock vulnerability. As It’s already a question raised whether VMware Products are affected?. Please find the update from VMware about the Bash Code (ShellShock) Injection Vulnerability.

bash-shellshock

VMware Products:

  • vSphere ESXi/ESX Hypervisor

    ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.

    ESX 4.0 and 4.1 have a vulnerable version of the Bash shell.

    Note: After careful consideration, VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability.  This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months.  We encourage you to upgrade to our most current releases. The VMware Global Services teams are available to assist you in any way.

  • Products that run on Windows

    Windows-based products, including all versions of vCenter Server running on Windows, are not affected.

  • Products that are shipped as a virtual appliance or as an appliance

    The (virtual) appliances listed below ship with an affected version of Bash. While VMware has not demonstrated that the Bash vulnerability can be leveraged on these appliances, VMware will take the cautionary measure of re-releasing them.

    VMware (Virtual) Appliances

    • EVO:RAIL 1.x
    • Horizon DaaS Platform 6.x
    • Horizon Workspace 1.x, 2.0
    • IT Business Management Suite 1.x
    • NSX for Multi-Hypervisor 4.x
    • NSX for vSphere 6.x
    • NVP 3.x
    • vCenter Chargeback 2.x
    • vCenter Hyperic Server 5.x
    • vCenter Infrastructure Navigator 5.x
    • vCenter Log Insight 1.0, 2.0
    • vCenter Operations Manager 5.x
    • vCenter Orchestrator Appliance 4.x, 5.x
    • vCenter Server Appliance 5.x
    • vCenter Support Assistant 5.x
    • vCloud Automation Center 6.x Note: vCloud Automation Center 5.x is not a virtual appliance
    • vCloud Automation Center Application Services 6.x
    • vCloud Connector 2.x
    • vCloud Networking and Security 5.x
    • vCloud Usage Meter 3.x
    • vFabric Application Director 5.x, 6.x
    • vFabric Postgres 9.x
    • Viewplanner 3.x
    • VMware Application Dependency Planner
    • VMware HealthAnalyzer 5.x
    • VMware Studio 2.x
    • VMware TAM Data Manager
    • VMware Workbench 3.x
    • vSphere App HA 1.x
    • vSphere Big Data Extensions 1.x, 2.x
    • vSphere Data Protection 5.x
    • vSphere Management Assistant 5.x
    • vSphere Replication 5.x
    • vSphere Storage Appliance 5.x

    Important: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances.

  • Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances)
    Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. In case the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.Examples of products in this category include VMware Workstation, VMware Fusion, and AirWatch MDM software.

For more information, Please take a look at the VMware KB Article 2090740. I hope this is really informative for you. Stay tuned to get more information about the patch release on Bash Vulnerability from affected products. I hope this is informative for you. Thanks for Reading!!. Be Social and share it in social media, if you feel worth sharing it.