ESXi

Shell Shock ESX4

Is a patch needed? Something in ESX host settings that needs tweaked?

Is this cause for alarm? ( in vmware, anyway.)

:smileyconfused:

Well the KB doesnt mention anything about ESX 4, ESXi is mentioned as not being impacted

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740

Regards

Girish

UPDATE KB

VMware KB: VMware assessment of bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2…

vSphere ESXi Hypervisor

ESXi 5.0 - 5.5 is not affected as it uses the ash shell (through busybox), which is not affected by the vulnerability reported for the bash shell.

still waiting on older versions ??

Hello GoodMorningDave,

This vulnerability is reported to affect every version of Bash since its inception in 1989. Patching and upgrading systems should always be a regular and planned operation for reasons such as this. ESX 4.x might be affected as it uses Bash.

For those of you running VMware, they have posted a blog here, and an advisory here. As things stand if you’re running VMware tools on top of Windows, such as vCenter for example, then you are not vulnerable. Also ESXi is not vulnerable as it uses ash shell via BusyBox instead of Bash. However any virtual appliances may well be vulnerable, including the vCenter Server Appliance. I would recommend keeping and eye on VMware KB 2090740 for the latest updates.

ESX 4 is affected, we tested it yesterday. I raised a call with VMware today but as ESX 4 is End of Life, it does not seem they will be releasing a patch for it. Suggestion was that we upgrade to ESXi 5.0 or newer.

ESX 4u3

I have started the migration to ESXi 5 but its all WIP

Do you have info on ESXi 4.1 ? As the KB article only states esxi 5.x

Thanks

ESX and ESXi 4.x aren't supported anymore, so VMware will probably not list them in the KB article.

That said, ALL ESX (classic) versions are affected because they run a bash shell in the service console OS.

ALL ESXi versions are safe from this vulnerability because they run a busybox ash shell instead.

That's funny. Vmware had not trouble taking $5k for support this year.

General support for 4.x ended 2014/05/21, see: https://www.vmware.com/files/pdf/support/Product-Lifecycle-Matrix.pdf

https://www.vmware.com/support/policies/enterprise-infrastructure/faq

If you still have a valid SnS (aka support and subscription) contract after this date that means while you don't get support, you can upgrade your licenses to 5.x free of charge and automatically get support again once you've upgraded.

From the above mentioned KB..

Note: After careful consideration, VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability.  This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months.  We encourage you to upgrade to our most current releases. The VMware Global Services teams are available to assist you in any way.

Excellent news VMware, thank you

ESX Patches are released for shell shock

ESX400-201410001  - KB 2090851

ESX410-201410001 -  KB 2090856

Thanks