ShellShock and VMware products

I had to post this upon the realization of the vulnerability. The ShellShock bug, announced September 26, 2014, appears to be a severe issue for the security of Linux web servers and other devices using an embedded Linux kernel.

http://www.darkreading.com/shellshock-bash-bug-impacts-basically-everything-exploits-appear-in-wild/d/d-id/1316064 

After a quick check of the command string used in the article, I tested it within a vCenter Appliance (5.5 u2, build 1945287), and the SUSE appliance build IS vulnerable.

To test whether your system is vulnerable, run this one-line command in bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The VCA showed the "vulnerable" output, prompting this blog entry. I will wait eagerly for VMware to provide a patch for all of their virtual appliances to remedy this.
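
The same probe wrapped so it can be pointed at every bash binary on an appliance and used in a patch-verification script. This is an added example, not part of the original post; the function names `check_bash` and `scan_shells` and the status words are this example's own choices.

```sh
#!/bin/sh
# Added example: classify bash binaries with the one-line test from the post.
# Usage: sh check_bash.sh /bin/bash /usr/local/bin/bash

# check_bash PATH -> prints "vulnerable", "patched" or "missing"
# exit status: 1 = vulnerable, 0 = patched, 2 = missing
check_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 2
    fi
    # Same probe as the one-liner: a function definition in an environment
    # variable with a trailing command. A fixed bash does not run the
    # trailing command, so only the -c output appears.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# scan_shells PATH... -> one "path: status" line per binary;
# returns 1 if any binary is vulnerable, so it can gate a patch check.
scan_shells() {
    rc=0
    for p in "$@"; do
        status=$(check_bash "$p") || true
        echo "$p: $status"
        if [ "$status" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Run the scan only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    scan_shells "$@"
fi
```

Re-running it after applying a vendor patch or workaround should show `patched` for each path.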

One additional comment: ESXi, the hypervisor, does not run bash, so it will not be vulnerable in this way.

Update to this thread: Oct. 3, 2014

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740

This KB article outlines affected products and provides some basic methods for adding a workaround for the time being.

Update Dec. 4, 2014
Most of the latest patches of VMware products have resolved this. I advise updating to the latest versions as soon as possible.


