Hi Guys..
We are running vCenter Server v5.0 with HP custom VMware 5.0.0 623860 hosts. Although they are in the LAN, are they affected at all by the BASH security risk that has been recently announced?
I know it mainly affects internet-facing Unix servers and Mac OS X.
Thanks for any responses
Jason
Hi Jason,
Here is what the VMware KB on this issue says:
On Sept 24, 2014, a critical vulnerability in bash (CVE-2014-6271, CVE-2014-7169) was published that may allow for remote code execution.
The VMware Security Engineering, Communications, and Response group (vSECR) has been actively investigating the impact this vulnerability may have on our products. Our ongoing assessment is documented in the next section.
vSphere ESXi Hypervisor
ESXi is not affected as it uses the ash shell (through busybox), which is not affected by the vulnerability reported for the bash shell.
Products that run on Windows
Windows-based products are not affected including vCenter Server running on Windows.
Products that run on Linux or Mac OS (excluding Virtual Appliances)
Products that run on Linux or Mac OS (excluding Virtual Appliances) may use the bash shell that is part of the operating system. In case the operating system has a vulnerable version of bash, the bash security vulnerability may be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
Products that are shipped as a Virtual Appliance
Products that are shipped as a Virtual Appliance running on a Linux OS that has a vulnerable version of bash may be affected. A Virtual Appliance is considered affected if it is possible to input malicious environment variables remotely and execute the added code in the Virtual Appliance. We will update this article with the findings of our investigation into Virtual Appliances.
thanks mate..
🙂
With the VA part. I'm guessing the APC PowerChute PCNS 3.1 VMA that sits on top of a Linux VM will be affected?
As per KB 2090740: Products that are shipped as a Virtual Appliance running on a Linux OS that has a vulnerable version of bash may be affected. A Virtual Appliance is considered affected if it is possible to input malicious environment variables remotely and execute the added code in the Virtual Appliance.
vMA may be affected as it is a virtual appliance running on a Linux OS.
However, it is expected that KB 2090740 will be updated as and when there are any new findings/assessments.
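A local check for the two questions the KB excerpt turns on (which shell /bin/sh really is, and whether the installed bash carries the post-disclosure hardening), given as an added example that is not from this thread or from VMware. The function names and the gr_probe name are hypothetical, and the check assumes that bash builds with the complete upstream fix series export functions under a BASH_FUNC_-prefixed variable name.

```shell
#!/bin/sh
# Added example (not from the thread or the VMware KB). Function and probe
# names are hypothetical. No crafted input is sent: the check only looks at
# how bash itself encodes an exported function in the environment.

# Read an `env` dump on stdin and report the encoding used for gr_probe.
classify_export_dump() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q '^BASH_FUNC_gr_probe'; then
        echo hardened      # prefixed name: post-disclosure hardening present
    elif printf '%s\n' "$dump" | grep -q '^gr_probe=() {'; then
        echo legacy        # plain NAME=() { ... }: pre-hardening build
    else
        echo unknown
    fi
}

# Report "absent", "hardened", "legacy" or "unknown" for a bash binary.
bash_export_encoding() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    "$bash_bin" -c 'gr_probe() { :; }; export -f gr_probe; env' 2>/dev/null |
        classify_export_dump
}

# Resolve what /bin/sh really is (busybox ash on ESXi, per the KB).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

echo "/bin/sh resolves to: $(sh_target)"
echo "bash export encoding: $(bash_export_encoding)"
```

A "legacy" result means the build predates the hardening and falls under the KB's advice to get a patch from the operating system or appliance vendor; "absent" matches the ESXi case, where no bash is installed.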