...
On Sept 24, 2014, a critical vulnerability in Bash (CVE-2014-6271, CVE-2014-7169) was published that may allow for remote code execution. This was followed by more reports on vulnerabilities in Bash, which are identified by CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact these vulnerabilities may have on VMware products. The assessment has resulted in the release of updated versions or patches for VMware products as documented in the next section.

Note: For information regarding VMware customer portals and web sites, see Impact of bash code injection vulnerability on VMware Customer Portals and web sites (CVE-2014-6271 and CVE-2014-7169, aka "shellshock") (2090817).
Products

vSphere ESXi/ESX Hypervisor

ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.

ESX 4.0 and 4.1 have a vulnerable version of the Bash shell. See VMSA-2014-0010 for remediation details for ESX 4.0 and ESX 4.1.

Note: After careful consideration, VMware has made VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months. We encourage all customers to upgrade to VMware's most current releases. The VMware Global Services teams are available to assist customers in any way.

The Cisco Nexus 1000V Virtual Ethernet Module (VEM) for ESXi is not affected by the base vulnerability. For the status of the Cisco Nexus 1000V Virtual Supervisor Module (VSM), see the Cisco Bash Security Advisory (Cisco Bug ID CSCur04438).

Products that run on Windows

Windows-based products, including all versions of vCenter Server running on Windows, are not affected.

Products that are shipped as a virtual appliance or as an appliance

The (virtual) appliances listed below ship with an affected version of Bash. While VMware has not demonstrated that the Bash vulnerability can be leveraged on these appliances, VMware is taking the cautionary measure of re-releasing them.

VMware Security Advisory VMSA-2014-0010 contains current patch or update information. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in VMSA-2014-0010 to understand the type of remediation available and applicable appliance version numbers.

VMware (Virtual) Appliances

Unless noted otherwise, see VMSA-2014-0010 for remediation details for each appliance below.

- EVO:RAIL 1.0 (EVO:RAIL ships with vCenter Server Appliance and vRealize Log Insight (formerly known as vCenter Log Insight) and will be re-released with updated versions of these appliances). See VMware Knowledge Base article EVO:RAIL 1.0 Patch Release for Shell Shock Vulnerability (2091654) for remediation details.
- Horizon DaaS Platform 6.x
- Horizon Workspace 1.x, 2.x
- vRealize Business Advanced and Enterprise (formerly known as IT Business Management) 1.x
- NSX for Multi-Hypervisor 4.x
- NSX for vSphere 6.x
- NVP 3.x
- vCenter Application Discovery Manager 7.x
- vCenter Converter Standalone 5.x (vCenter Converter Standalone is not a virtual appliance but includes a vulnerable version of Bash)
- vRealize Hyperic (formerly known as vCenter Hyperic) 5.x
- vRealize Infrastructure Navigator (formerly known as vCenter Infrastructure Navigator) 5.x
- vRealize Log Insight (formerly known as vCenter Log Insight) 1.0, 2.0
- vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.x
- vRealize Orchestrator Appliance (formerly known as vCenter Orchestrator Appliance) 4.x, 5.x
- vCenter Server Appliance 5.x
- vCenter Site Recovery Manager 5.x (vCenter Site Recovery Manager ships with vSphere Replication and will be re-released with an updated version of this appliance)
- vCenter Support Assistant 5.x
- vRealize Application Services (formerly known as vCloud Application Director, aka vFabric Application Director) 5.x, 6.x
- vRealize Automation (formerly known as vCloud Automation Center) 6.x (Note: vRealize Automation 5.x is not a virtual appliance)
- vCenter Automation Center Application Services 6.x
- vCloud Director 5.x Appliance
- vCloud Connector 2.x
- vCloud Networking and Security 5.x (aka VMware Shield 5.x)
- vCloud Usage Meter 3.x
- vFabric Postgres 9.x
- Viewplanner 3.x
- VMware Application Dependency Planner
- VMware Data Recovery 2.x
- VMware HealthAnalyzer 5.x
- VMware Mirage Gateway 5.x
- VMware Socialcast On Premise 2.x
- VMware Studio 2.x
- VMware Workbench 3.x
- vSphere App HA 1.x
- vSphere Big Data Extensions 1.x, 2.x
- vSphere Data Protection 5.x
- vSphere Management Assistant 5.x
- vSphere Replication 5.x
- vSphere Storage Appliance 5.x

Important: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances.

Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances)

Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. Examples of products in this category include VMware Workstation, VMware Fusion, and AirWatch MDM software.

Services

- AirWatch MDM Cloud Services – At this time, VMware has no evidence that the Bash code injection vulnerability has been exploited in the service.
- Horizon DaaS – Not affected.
- vRealize Business Advanced and Enterprise (formerly known as IT Business Management) – Bash patches applied Sept 26, 2014.
- Socialcast – Bash patches applied Sept 26, 2014.
- vCloud Air – At this time, VMware has no evidence that the Bash code injection vulnerability has been exploited in the service. We realize many vCloud Air customers have customized environments, which may contain vulnerable Linux virtual machines. VMware recommends customers evaluate their individual environments and patch any vulnerable virtual machines.
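The article distinguishes hosts whose /bin/sh is ash (ESXi via busybox, unaffected) from products that run on top of an operating system's own Bash, where the vendor patch must be applied. The following POSIX shell script is an added example, not code from the VMware article or any VMware tool, that a practitioner can run on a Linux host after patching to confirm both points: which implementation /bin/sh resolves to, and whether the installed bash still executes a command appended to an exported function definition (CVE-2014-6271). The function names, the probe variable name and the marker text are this example's own choices; it assumes `readlink`, `basename` and `env` are available and that `bash` may or may not be on PATH.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): post-patch verification of a
# host's shells. Assumes POSIX sh plus readlink/basename/env; bash is optional.
# All function and variable names here are this example's own.

# Report which implementation /bin/sh resolves to. ESXi's busybox ash does not
# import functions from the environment at all, so the Bash issue does not apply.
sh_implementation() {
    target=$(readlink -f /bin/sh 2>/dev/null) || target=/bin/sh
    case "$(basename "$target")" in
        bash)        echo bash ;;
        busybox|ash) echo ash ;;
        *)           basename "$target" ;;
    esac
}

# Exit 0 if bash ignores a command appended to an exported function definition
# (patched for CVE-2014-6271), 1 if bash runs it (unpatched), 2 if no bash binary
# is present. The trailing command is a harmless echo of a marker string.
check_bash_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env probe_fn='() { :;}; echo TRAILING_CODE_RAN' bash -c 'echo started' 2>/dev/null)
    case "$out" in
        *TRAILING_CODE_RAN*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# One-line summary suitable for an inventory or patch-verification run.
# Returns the same code as check_bash_cve_2014_6271 so callers can act on it.
shellshock_status() {
    rc=0
    check_bash_cve_2014_6271 || rc=$?
    case "$rc" in
        0) bash_state=patched ;;
        1) bash_state=VULNERABLE ;;
        *) bash_state=absent ;;
    esac
    echo "sh=$(sh_implementation) bash=$bash_state"
    return "$rc"
}

# Usage: sh shellshock_check.sh --report
if [ "${1:-}" = "--report" ]; then
    shellshock_status
fi
```

A non-zero status of 1 means the operating system vendor's Bash update has not reached this host (or a second, unpatched bash lives elsewhere on PATH); status 2 on an appliance simply means no bash is installed, which is the ESXi case the article describes. Run it on the appliance or guest itself, since the check only inspects the local binary.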