
VMware remediation of Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278, aka "Shellshock") (2090740)

Purpose

On Sept 24, 2014, a critical code injection vulnerability in Bash (CVE-2014-6271, with CVE-2014-7169 assigned to the incomplete first fix) was published. Bash imports function definitions from environment variables, and a vulnerable version also executes any commands appended to such a definition, so any service that passes attacker-supplied data to Bash through the environment (CGI scripts, DHCP clients, and similar) can be used for remote code execution. This was followed by further reports of parser bugs in the same code path, identified by CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact these vulnerabilities may have on VMware products. The assessment has resulted in the release of updated versions or patches for VMware products as documented in the next section.

Note: For information regarding VMware customer portals and web sites, see Impact of bash code injection vulnerability on VMware Customer Portals and web sites (CVE-2014-6271 and CVE-2014-7169, aka "shellshock") (2090817).

Resolution

Products

  • vSphere ESXi/ESX Hypervisor
ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which does not import function definitions from the environment and is therefore not exposed to the vulnerability reported for the Bash shell.

    ESX 4.0 and 4.1 have a vulnerable version of the Bash shell. See VMSA-2014-0010 for remediation details for ESX 4.0 and ESX 4.1.

    Note: After careful consideration, VMware has made VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months. We encourage all customers to upgrade to VMware's most current releases. The VMware Global Services teams are available to assist customers in any way.

    The Cisco Nexus 1000V Virtual Ethernet Module (VEM) for ESXi is not affected by the base vulnerability. For the status of the Cisco Nexus 1000V Virtual Supervisor Module (VSM), see the:

  • Products that run on Windows
    Windows-based products, including all versions of vCenter Server running on Windows, are not affected.

  • Products that are shipped as a virtual appliance or as an appliance
    The (virtual) appliances listed below ship with an affected version of Bash. While VMware has not demonstrated that the Bash vulnerability can be leveraged on these appliances, VMware is taking the cautionary measure of re-releasing them.

VMware Security Advisory VMSA-2014-0010 contains current patch or update information. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance.

    Customers should refer to the specific product Knowledge Base articles listed in VMSA-2014-0010 to understand the type of remediation available and applicable appliance version numbers.

    VMware (Virtual) Appliances
    • EVO:RAIL 1.0 (EVO:Rail ships with vCenter Server Appliance and vRealize Log Insight (formerly known as vCenter Log Insight) and will be re-released with updated versions of these appliances) (See VMware Knowledge Base article EVO:RAIL 1.0 Patch Release for Shell Shock Vulnerability (2091654) for remediation details)
    • Horizon DaaS Platform 6.x (See VMSA-2014-0010 for remediation details)
    • Horizon Workspace 1.x, 2.x. (See VMSA-2014-0010 for remediation details)
    • vRealize Business Advanced and Enterprise (formerly known as IT Business Management) 1.x (See VMSA-2014-0010 for remediation details)
    • NSX for Multi-Hypervisor 4.x (See VMSA-2014-0010 for remediation details)
    • NSX for vSphere 6.x (See VMSA-2014-0010 for remediation details)
    • NVP 3.x (See VMSA-2014-0010 for remediation details)
    • vCenter Application Discovery Manager 7.x (See VMSA-2014-0010 for remediation details) 
    • vCenter Converter Standalone 5.x (vCenter Converter Standalone is not a Virtual Appliance but includes a vulnerable version of bash) (See VMSA-2014-0010 for remediation details)
    • vRealize Hyperic (formerly known as vCenter Hyperic) 5.x (See VMSA-2014-0010 for remediation details)
    • vRealize Infrastructure Navigator (formerly known as vCenter Infrastructure Navigator) 5.x (See VMSA-2014-0010 for remediation details)
• vRealize Log Insight (formerly known as vCenter Log Insight) 1.0, 2.0 (See VMSA-2014-0010 for remediation details)
    • vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.x (See VMSA-2014-0010 for remediation details)
    • vRealize Orchestrator Appliance (formerly known as vCenter Orchestrator Appliance) 4.x, 5.x (See VMSA-2014-0010 for remediation details)
    • vCenter Server Appliance 5.x (See VMSA-2014-0010 for remediation details)
    • vCenter Site Recovery Manager 5.x (vCenter Site Recovery Manager ships with vSphere Replication and will be re-released with an updated version of this appliance) (See VMSA-2014-0010 for remediation details)
    • vCenter Support Assistant 5.x (See VMSA-2014-0010 for remediation details)
    • vRealize Application Services (formerly known as vCloud Application Director) 5.x, 6.x (aka vFabric Application Director) (See VMSA-2014-0010 for remediation details)
    • vRealize Automation (formerly known as vCloud Automation Center) 6.x (Note: vRealize Automation 5.x is not a virtual appliance) (See VMSA-2014-0010 for remediation details)
    • vCenter Automation Center Application Services 6.x (See VMSA-2014-0010 for remediation details)
    • vCloud Director 5.x Appliance (See VMSA-2014-0010 for remediation details)
    • vCloud Connector 2.x (See VMSA-2014-0010 for remediation details)
    • vCloud Networking and Security 5.x (aka VMware Shield 5.x) (See VMSA-2014-0010 for remediation details)
    • vCloud Usage Meter 3.x (See VMSA-2014-0010 for remediation details)
    • vFabric Postgres 9.x (See VMSA-2014-0010 for remediation details)
    • Viewplanner 3.x (See VMSA-2014-0010 for remediation details)
    • VMware Application Dependency Planner (See VMSA-2014-0010 for remediation details)
    • VMware Data Recovery 2.x (See VMSA-2014-0010 for remediation details)
    • VMware HealthAnalyzer 5.x (See VMSA-2014-0010 for remediation details)
    • VMware Mirage Gateway 5.x (See VMSA-2014-0010 for remediation details)
    • VMware Socialcast On Premise 2.x (See VMSA-2014-0010 for remediation details)
    • VMware Studio 2.x (See VMSA-2014-0010 for remediation details)
    • VMware Workbench 3.x (See VMSA-2014-0010 for remediation details) 
    • vSphere App HA 1.x (See VMSA-2014-0010 for remediation details)
    • vSphere Big Data Extensions 1.x, 2.x (See VMSA-2014-0010 for remediation details)
    • vSphere Data Protection 5.x (See VMSA-2014-0010 for remediation details)
    • vSphere Management Assistant 5.x (See VMSA-2014-0010 for remediation details)
    • vSphere Replication 5.x (See VMSA-2014-0010 for remediation details)
    • vSphere Storage Appliance 5.x (See VMSA-2014-0010 for remediation details)

Important: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This limits who can reach the appliance's network services, and therefore who could deliver a crafted environment variable to them, and greatly reduces the risk to these appliances until the update or patch is applied.

  • Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances)
Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the vulnerability might be exploitable through the product. VMware recommends that customers obtain the Bash patch from their operating system vendor.

    Examples of products in this category include VMware Workstation, VMware Fusion, and AirWatch MDM software.

Services

  • AirWatch MDM Cloud Services – At this time, VMware has no evidence that the Bash code injection vulnerability has been exploited in the service.
  • Horizon DaaS – Not affected
  • vRealize Business Advanced and Enterprise (formerly known as IT Business Management) – Bash patches applied Sept 26, 2014
  • Socialcast – Bash patches applied Sept 26, 2014
  • vCloud Air – At this time, VMware has no evidence that the Bash code injection vulnerability has been exploited in the service. We realize many vCloud Air customers have customized environments, which may contain vulnerable Linux Virtual machines. VMware recommends customers evaluate their individual environments and patch any vulnerable virtual machines.
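
The guidance above for products running on Linux and for vCloud Air tenants comes down to locating every Bash binary that has not been patched. The following POSIX shell script is an added example and is not VMware's code or part of the original article: it runs the two widely published local probes for CVE-2014-6271 and CVE-2014-7169 against a given bash binary. The function name check_bash_shellshock, the marker string and the exit codes are this example's own conventions. Both probes are harmless on a patched bash and confine their side effects to a private temporary directory.

```shell
#!/bin/sh
# Added example (not VMware's code): probe a bash binary for the two original
# Shellshock bugs, CVE-2014-6271 (commands after an imported function definition
# are executed) and CVE-2014-7169 (the first fix left a redirection in the parser).
# Both probes are the public local checks; nothing is touched outside a temp dir.
#
# Usage: check_bash_shellshock [path-to-bash]   (default: first "bash" on PATH)
# Exit status: 0 = neither bug reproduced, 1 = vulnerable, 2 = no bash binary.

check_bash_shellshock() {
    bash_bin=${1:-bash}
    vulnerable=0

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash binary at '$bash_bin' (an ash/dash-only system has no Bash to patch)"
        return 2
    fi
    echo "testing: $("$bash_bin" --version 2>/dev/null | head -n 1)"

    # CVE-2014-6271: a vulnerable bash parses the exported value "() { :;};" as a
    # function definition and keeps executing what follows it, so the marker is
    # printed even though the command run is only ":".
    out=$(env x='() { :;}; echo SHELLSHOCK_6271' "$bash_bin" -c ':' 2>/dev/null)
    case $out in
        *SHELLSHOCK_6271*) echo "VULNERABLE: CVE-2014-6271"; vulnerable=1 ;;
        *)                 echo "not vulnerable: CVE-2014-6271" ;;
    esac

    # CVE-2014-7169: after the first patch, a definition ending in ">\" left the
    # redirection in the parser, so "echo date" became "date > echo" and a file
    # named "echo" appeared in the working directory. Run it in a private dir.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then
        echo "VULNERABLE: CVE-2014-7169"; vulnerable=1
    else
        echo "not vulnerable: CVE-2014-7169"
    fi
    rm -rf "$tmp"

    return $vulnerable
}

# When run as a script, check the bash given as $1 (or the one on PATH) and
# exit with the verdict: 0 clean, 1 vulnerable, 2 no bash binary found.
check_bash_shellshock "$@"
```

Run it on each Linux virtual machine or appliance as `sh shellshock-check.sh` or `sh shellshock-check.sh /bin/bash`; an exit status of 1 means the binary reproduces at least one of the bugs and needs the operating system vendor's patch. A clean result covers only CVE-2014-6271 and CVE-2014-7169; the later CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 are not probed here, so the installed Bash version still has to be checked against the vendor's advisory.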

Update History

09/26/2014 - Added Virtual Appliance info
09/27/2014 - Updated list of affected virtual appliances, affected ESXi and ESX versions, affected services, and added guidance
09/29/2014 - Added new CVEs and updated affected products and services; updated AirWatch MDM Cloud Services info
09/30/2014 - Added patch information
10/01/2014 - Added patch information
10/03/2014 - Added patch information
10/04/2014 - Added patch information
10/05/2014 - Added patch information
10/06/2014 - Added patch information
10/07/2014 - Added patch information
