After the Heartbleed bug storm, there are now new (potentially serious) problems from a new bug in the Linux and open-source world: the Shellshock bug affects a lot of Linux systems, in particular through bash (the standard shell on most Linux and also some Unix systems).
On Sept 24, 2014, a critical vulnerability in Bash (CVE-2014-6271, CVE-2014-7169) was published that may allow remote code execution. Using this exploit is quite simple (on an affected system), which makes this bug really critical.
Major distributions have already released a new bash version with the required patch, but old distros (no longer updated) can remain exposed (and cannot so easily remove bash, because it may be used by several scripts).
As happened with the Heartbleed bug, VMware has published a new KB about this issue, KB 2090740: VMware assessment of Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271 CVE-2014-7169, aka “Shellshock”).
VMware ESXi is not affected, but only because bash is not used on it (nor on other BusyBox-based systems), and ash (the small shell used in these systems) is not affected. But note that ESX 4.0 and 4.1 are affected (and maybe it’s time to migrate to ESXi, and possibly to a newer release, considering the VMware lifecycle policy).
Also affected are a lot of virtual appliances (from this point of view, using a virtual appliance can be a con): most are based on SuSE Linux, but there are also some based on CentOS and some on old distribution versions.
This is the list of all VMware products that are delivered as a VA, or include a Linux VA, that could be affected:
- EVO:RAIL 1.x
- Horizon DaaS Platform 6.x
- Horizon Workspace 1.x, 2.0
- IT Business Management Suite 1.x
- NSX for Multi-Hypervisor 4.x
- NSX for vSphere 6.x
- NVP 3.x
- vCenter Chargeback 2.x (this is listed in the KB, but CMB is a Windows system and I’m not sure that there really is an appliance version)
- vCenter Hyperic Server 5.x
- vCenter Infrastructure Navigator 5.x
- vCenter Log Insight 1.0, 2.0
- vCenter Operations Manager 5.x
- vCenter Orchestrator Appliance 4.x, 5.x
- vCenter Server Appliance 5.x
- vCenter Support Assistant 5.x
- vCloud Automation Center 6.x (vCloud Automation Center 5.x is not a virtual appliance)
- vCloud Automation Center Application Services 6.x
- vCloud Connector 2.x
- vCloud Networking and Security 5.x
- vCloud Usage Meter 3.x
- vFabric Application Director 5.x, 6.x
- vFabric Postgres 9.x
- Viewplanner 3.x
- VMware Application Dependency Planner
- VMware HealthAnalyzer 5.x
- VMware Studio 2.x
- VMware TAM Data Manager
- VMware Workbench 3.x
- vSphere App HA 1.x
- vSphere Big Data Extensions 1.x, 2.x
- vSphere Data Protection 5.x
- vSphere Management Assistant 5.x
- vSphere Replication 5.x
- vSphere Storage Appliance 5.x
There is also vCloud Director, which is available as a VA only for trial, but it is in any case a Linux product, so the related Linux systems may be affected (a patch for the RedHat system already exists). Other products that run on Linux must also be considered.
And of course all IaaS-based VMs, in case they are Linux/Unix based with an affected version of bash.
For the VMware public cloud based services, this is the list reported in the KB:
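To verify a single VA or Linux guest rather than trusting the product list, here is an added local check (not from the original post nor from VMware's KB) that tells whether the bash on the host still imports function definitions from the environment (CVE-2014-6271) or still has the parser bug left by the first fix (CVE-2014-7169); a host without bash at all, like ESXi with its BusyBox ash, is reported as not affected.

```shell
#!/bin/sh
# Added example: local Shellshock check for one host. Returns 0 when bash is
# absent or patched, 1 when the installed bash is vulnerable, 2 on check error.
shellshock_check() {
    bash_bin=$(command -v bash 2>/dev/null)
    if [ -z "$bash_bin" ]; then
        # No bash (e.g. ESXi / BusyBox-based system): not affected by these CVEs.
        return 0
    fi

    # CVE-2014-6271: an unpatched bash runs the text that follows a function
    # body in an imported environment variable. A patched bash only prints
    # "ok" (and warns on stderr that the definition was ignored).
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
    esac

    # CVE-2014-7169: after the incomplete first fix, a crafted definition left
    # the parser in a state where the next word of the command is taken as a
    # redirection target, so a file named "echo" appears in the working dir.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

rc=0
shellshock_check || rc=$?
case $rc in
    0) echo "bash is absent or patched against CVE-2014-6271 / CVE-2014-7169" ;;
    1) echo "bash is VULNERABLE: update the bash package or the appliance" ;;
    *) echo "check could not run (mktemp failed)" ;;
esac
```

Run it as an unprivileged user on each appliance or guest; it only spawns a child bash and writes into a temporary directory it removes afterwards.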
- AirWatch MDM Cloud Services – Investigation ongoing
- Horizon DaaS – Not affected
- IT Business Management – Bash patches applied Sept 26, 2014
- Socialcast – Bash patches applied Sept 26, 2014
- vCloud Air – Investigation ongoing