VMware Cloud Community
GoodMorningDave
Enthusiast
Enthusiast

Shell Shock ESX4 vCenter5

Shell Shock ESX4

Is a patch needed? Something in ESX host settings that needs tweaked?

Is this cause for alarm? ( in vmware, anyway.)

:smileyconfused:

Tags (4)
12 Replies
raog
Expert
Expert

Well the KB doesnt mention anything about ESX 4, ESXi is mentioned as not being impacted

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=209074...

Regards

Girish

To Virtualization and beyond! PS::If you felt the answer as helpful, please mark it as helpful/answered so that it helps other users as well! Blog:: www.virtualtipsntricks.com
Viqsye
Contributor
Contributor

UPDATE KB

VMware KB: VMware assessment of bash Code Injection Vulnerability via Specially Crafted Environment ...

vSphere ESXi Hypervisor

ESXi 5.0 - 5.5 is not affected as it uses the ash shell (through busybox), which is not affected by the vulnerability reported for the bash shell.


still waiting on older versions ??

Reply
0 Kudos
vuzzini
Enthusiast
Enthusiast

Hello GoodMorningDave,

This vulnerability is reported to affect every version of Bash since its inception in 1989. Patching and upgrading systems should always be a regular and planned operation for reasons such as this. ESX 4.x might be affected as it uses Bash.

For those of you running VMware, they have posted a blog here, and an advisory here. As things stand if you’re running VMware tools on top of Windows, such as vCenter for example, then you are not vulnerable. Also ESXi is not vulnerable as it uses ash shell via BusyBox instead of Bash. However any virtual appliances may well be vulnerable, including the vCenter Server Appliance. I would recommend keeping and eye on VMware KB 2090740 for the latest updates.

If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points. Sandeep Vuzzini Sr. DevOps Engineer
railroadmanuk
Contributor
Contributor

ESX 4 is affected, we tested it yesterday. I raised a call with VMware today but as ESX 4 is End of Life, it does not seem they will be releasing a patch for it. Suggestion was that we upgrade to ESXi 5.0 or newer.

GoodMorningDave
Enthusiast
Enthusiast

ESX 4u3

I have started the migration to ESXi 5 but its all WIP

Reply
0 Kudos
Viqsye
Contributor
Contributor

Do you have info on ESXi 4.1 ? As the KB article only states esxi 5.x

Thanks

Reply
0 Kudos
MKguy
Virtuoso
Virtuoso

ESX and ESXi 4.x aren't supported anymore, so VMware will probably not list them in the KB article.

That said, ALL ESX (classic) versions are affected because they run a bash shell in the service console OS.

ALL ESXi versions are safe from this vulnerability because they run a busybox ash shell instead.

-- http://alpacapowered.wordpress.com
Reply
0 Kudos
GoodMorningDave
Enthusiast
Enthusiast

That's funny. Vmware had not trouble taking $5k for support this year.

MKguy
Virtuoso
Virtuoso

General support for 4.x ended 2014/05/21, see: https://www.vmware.com/files/pdf/support/Product-Lifecycle-Matrix.pdf

https://www.vmware.com/support/policies/enterprise-infrastructure/faq

If you still have a valid SnS (aka support and subscription) contract after this date that means while you don't get support, you can upgrade your licenses to 5.x free of charge and automatically get support again once you've upgraded.

-- http://alpacapowered.wordpress.com
jcstein
Contributor
Contributor

From the above mentioned KB..

Note: After careful consideration, VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability.  This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months.  We encourage you to upgrade to our most current releases. The VMware Global Services teams are available to assist you in any way.

railroadmanuk
Contributor
Contributor

Excellent news VMware, thank you

Reply
0 Kudos
nkrishnan
Expert
Expert

ESX Patches are released for shell shock

ESX400-201410001  - KB 2090851

ESX410-201410001 -  KB 2090856



Thanks

--Nithin
Reply
0 Kudos