Does anybody know if the vShield Manager 5.1.4.1912202 is affected by shellshock? Thanks!!
While not mentioning vShield Manager in particular, the KB article lists "vCloud Networking and Security 5.x (aka VMware Shield 5.x)" which the vShield Manager virtual appliance is a part of.
Since the vShield Manager virtual appliance runs a full GNU/Linux OS underneath, I'm 99% certain it has a bash and is thus affected as well, like all the other virtual appliances. In fact, I'm not aware of any VMware virtual appliance that don't have a bash shell (feel free to correct me if I'm wrong).
It seems like VMware is doing the proper thing and disabling parsing in bash altogether.
Probably requires a lot more QA testing, but mitigates future parser bugs that are most likely coming.
http://www.openwall.com/lists/oss-security/2014/09/29/43
That's quite interesting.
This raises the general issue of virtual appliances and patching once again. The GNU/Linux OS running in pretty much all appliances is just a customized version of another popular distribution (majorly SuSe in VMware's VAs), so in theory you could just update with the distributions default packages instead of having to wait for vendors to publish it's "certified" updates.
I completely agree that QA is important and it can be problematic for certain packages like java, webserver or database software and depending libraries. But updates to more "generic" applications like bash or openssl (heartbleed), which only fix a very certain code area, shouldn't cause any issues in the applications.
Given the severity of bugs like Shellshock and Heartbleed, there might be limited patience in some environments with waiting for vendors re-packing fixes that are released since some time.
That "updating" a virtual appliance sometimes means "deploy a new VA from scratch and migrate data" doesn't help in that regard either.
--
http://alpacapowered.wordpress.com
