VMSA-2014-0010.13 - VMware product updates address critical Bash security vulns
Updated on: 2014-10-17
CVE numbers: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Summary: VMware product updates address Bash security vulnerabilities.
a. Bash update for multiple products: Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock...
I) ESXi and ESX Hypervisor: ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell.
II) Windows-based products: Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
III) VMware (virtual) appliances: VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
MITIGATIONS: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances...
09/26/2014 - Added Virtual Appliance info
09/27/2014 - Updated list of affected virtual appliances, affected ESXi and ESX versions, affected services, and added guidance
09/29/2014 - Added new CVEs and updated affected products and services; updated AirWatch MDM Cloud Services info
09/30/2014 - Added patch information
10/01/2014 - Added patch information
10/03/2014 - Added patch information
10/04/2014 - Added patch information
10/05/2014 - Added patch information
10/06/2014 - Added patch information
10/07/2014 - Added patch information
(More detail at the vmware URLs above.)
Updated on: 2014-10-17
2014-09-30 VMSA-2014-0010: Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1: Updated advisory in conjunction with the release of ESX 4.x patches, vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director Appliance 126.96.36.199, VMware Data Recovery 2.0.4, VMware Mirage Gateway 5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be mitigated.
2014-10-01 VMSA-2014-0010.2: Updated advisory in conjunction with the release of Horizon Workspace patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter Operations Manager patches, vCenter Site Recovery Manager 188.8.131.52 and 184.108.40.206, vCloud Application Director patches, vCloud Automation Center patches, vCloud Automation Center Application Services patches, vCloud Director Appliance 220.127.116.11, vFabric Postgres 18.104.22.168, 22.214.171.124, and 126.96.36.199, vSphere Replication 188.8.131.52, 184.108.40.206, and 220.127.116.11 on 2014-10-01.
2014-10-02 VMSA-2014-0010.3: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3, 5.7.1, and 2.0.1, vCenter Orchestrator Appliance patches, vCenter Support Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant 5.5 EP1 and 5.0 EP1, and vSphere Storage Appliance patches on 2014-10-02
2014-10-02 VMSA-2014-0010.4: Updated advisory in conjunction with the release of Horizon DaaS Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance 18.104.22.168, vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere Replication 22.214.171.124 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5: Updated advisory in conjunction with the release of vCloud Networking and Security 126.96.36.199 and 188.8.131.52 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6: Updated advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and 6.0.7, NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7: Updated advisory in conjunction with the release of View Planner 184.108.40.206, and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log Insight 1.5.0U1, View Planner Flexible 220.127.116.11, VMware Application Dependency Planner 18.104.22.168, VMware HealthAnalyzer 22.214.171.124, and vSphere App HA 1.1.0 patch on 2014-10-06.
2014-10-07 VMSA-2014-0010.9: Updated advisory in conjunction with the release of vCenter Operations Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10: Updated advisory in conjunction with the release of vCenter Operations Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11: Updated advisory in conjunction with the release of vCenter Converter Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
2014-10-13 VMSA-2014-0010.12: Updated advisory in conjunction with the release of VMware Studio 2.x patch on 2014-10-13.
2014-10-17 VMSA-2014-0010.13: Updated advisory in conjunction with the release of vCenter Application Discovery Manager 7.0 patch, vSphere Management Assistant 126.96.36.199, and VMware Workbench 3.0.2 on 2014-10-17.
CVE Reference: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Updated: Oct 14 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes ...
... vulnerability is being actively exploited...
... advisory is available at: http://www.vmware.co...-2014-0010.html
... archive entry is a follow-up to: http://www.securityt....com/id/1030890
Edited by AplusWebMaster, 18 October 2014 - 10:25 PM.