-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0001
Synopsis: VMware vCenter Server, ESXi, Workstation, Player, and Fusion
updates address security issues
Issue date: 2015-01-27
Updated on: 2015-01-27 (Initial Advisory)
CVE number: CVE-2014-8370, CVE-2015-1043, CVE-2015-1044
--- OPENSSL---
CVE-2014-3513, CVE-2014-3567,CVE-2014-3566, CVE-2014-3568
--- libxml2 ---
CVE-2014-3660
- ------------------------------------------------------------------------
1. Summary
VMware vCenter Server, ESXi, Workstation, Player and Fusion address
several security issues.
2. Relevant Releases
VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG
ESXi 5.0 without patch ESXi500-201405101-SG
3. Problem Description
a. VMware ESXi, Workstation, Player, and Fusion host privilege
escalation vulnerability
VMware ESXi, Workstation, Player and Fusion contain an arbitrary
file write issue. Exploitation this issue may allow for privilege
escalation on the host.
The vulnerability does not allow for privilege escalation from
the guest Operating System to the host or vice-versa. This means
that host memory can not be manipulated from the Guest Operating
System.
Mitigation
For ESXi to be affected, permissions must have been added to ESXi
(or a vCenter Server managing it) for a virtual machine
administrator role or greater.
VMware would like to thank Shanon Olsson for reporting this issue to
us through JPCERT.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2014-8370 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any not affected
Fusion 6.x any 6.0.5
ESXi 5.5 ESXi ESXi550-201403102-SG
ESXi 5.1 ESXi ESXi510-201404101-SG
ESXi 5.0 ESXi ESXi500-201405101-SG
b. VMware Workstation, Player, and Fusion Denial of Service
vulnerability
VMware Workstation, Player, and Fusion contain an input validation
issue in the Host Guest File System (HGFS). This issue may allow
for a Denial of Service of the Guest Operating system.
VMware would like to thank Peter Kamensky from Digital Security for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1043 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any 7.0.1
Fusion 6.x any 6.0.5
c. VMware ESXi, Workstation, and Player Denial of Service
vulnerability
VMware ESXi, Workstation, and Player contain an input
validation issue in VMware Authorization process (vmware-authd).
This issue may allow for a Denial of Service of the host. On
VMware ESXi and on Workstation running on Linux the Denial of
Service would be partial.
VMware would like to thank Dmitry Yudin < at >ret5et for reporting
this issue to us through HP's Zero Day Initiative.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1044 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any not affected
Fusion 6.x any not affected
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi ESXi510-201410101-SG
ESXi 5.0 ESXi not affected
d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1
and 0.9.8 package
The OpenSSL library is updated to version 1.0.1j or 0.9.8zc
to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-3513, CVE-2014-3567,
CVE-2014-3566 ("POODLE") and CVE-2014-3568 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter Server 5.5 any Update 2d*
vCenter Server 5.1 any patch pending
vCenter Server 5.0 any patch pending
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi patch pending
ESXi 5.0 ESXi patch pending
* The VMware vCenter 5.5 SSO component will be
updated in a later release
e. Update to ESXi libxml2 package
The libxml2 library is updated to version libxml2-2.7.6-17
to resolve a security issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-3660 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi patch pending
ESXi 5.0 ESXi patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
VMware Workstation 10.x
--------------------------------
https://www.vmware.com/go/downloadworkstation
VMware Player 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer
VMware Fusion 7.x and 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer
vCenter Server
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
ESXi 5.5 Update 2d
----------------------------
File: update-from-esxi5.5-5.5_update01.zip
md5sum: 5773844efc7d8e43135de46801d6ea25
sha1sum: 6518355d260e81b562c66c5016781db9f077161f
http://kb.vmware.com/kb/2065832
update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG
ESXi 5.5
----------------------------
File: ESXi550-201501001.zip
md5sum: b0f2edd9ad17d0bae5a11782aaef9304
sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
http://kb.vmware.com/kb/2099265
ESXi550-201501001.zip contains ESXi550-201501101-SG
ESXi 5.1
----------------------------
File: ESXi510-201404001.zip
md5sum: 9dc3c9538de4451244a2b62d247e52c4
sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
http://kb.vmware.com/kb/2070666
ESXi510-201404001 contains ESXi510-201404101-SG
ESXi 5.0
----------------------------
File: ESXi500-201405001.zip
md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
http://kb.vmware.com/kb/2075521
ESXi500-201405001 contains ESXi500-201405101-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
- ------------------------------------------------------------------------
6. Change log
2015-01-27 VMSA-2015-0001
Initial security advisory in conjunction with the release of VMware
Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d
and, ESXi 5.5 Patches released on 2015-01-27.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFUyAAUDEcm8Vbi9kMRAqJ1AKC7Lunm2bkxAO7cNCVrGIjKj0sA2ACfaiXz
Sr3Q15TFOOR5wos4xdhR3OI=
=3DtZ
-----END PGP SIGNATURE-----
Category Archives: VMWare
VMWare
NEW VMSA-2014-0011 VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2014-0011
Synopsis: VMware vSphere Data Protection product update addresses a
critical information disclosure vulnerability.
Issue date: 2014-10-22
Updated on: 2014-10-22 (Initial Advisory)
CVE number: CVE-2014-4624
- ------------------------------------------------------------------------
1. Summary
VMware vSphere Data Protection product updates address a
vulnerability that could lead to sensitive information disclosure.
2. Relevant releases
VMware vSphere Data Protection 5.5 prior to 5.5.7
3. Problem Description
a. VMware vSphere Data Protection (VDP) contains a vulnerability that
may allow a remote user to retrieve sensitive account credentials
from the affected VDP server using Java API calls. No
authentication to the VDP server is required for this potential
attack. Exposed information includes MCUser and GSAN account
passwords of all grid systems that are being monitored in VPD
Enterprise Manager.
VMware would like to thank Jakub Mleczko from the Orange Poland
security team for reporting this issue to EMC and the EMC Product
Security Response Center for working with us on the issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2014-4624 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware ProductRunningReplace with/
Product Versionon Apply Patch
============= ===============================
VDP 5.8 any not affected
VDP 5.5 any 5.5.7
VDP 5.1 any not affected
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware vSphere Data Protection
----------
Downloads:
https://my.vmware.com/web/vmware/details?productId=375&downloadGroup=VDPADV
55_7
Documentation:
https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4624
- ------------------------------------------------------------------------
6. Change log
2014-10-22 VMSA-2014-0011
Initial security advisory for VDP 5.5.7 which was on released on
2014-10-09.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFUSEgTDEcm8Vbi9kMRArgSAJ9wGYfsOIejER040ui9UWbs6CIm+QCeMuEX
av3pKCx1Cd5lnAoT7FRtxDI=
=UJmN
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.13 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.13
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-17
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Application Discovery Manager without patch
vCenter Converter Standalone 5.5.x prior to 5.5.3
vCenter Converter Standalone 5.1.x prior to 5.1.2
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0.5
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
VMware Studio 2.x without patch
VMware Workbench prior to 3.0.2
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.1.x without 5.1.0.2
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
For several products, both a patch and a product update are
available.
In general, if a patch is made available, the patch must be applied
to the latest version of the appliance.
Customers should refer to the specific product Knowledge Base
articles
listed in Section 4 to understand the type of remediation available
and
applicable appliance version numbers.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux See Section 4
Manager
vCenter Converter Standalone 5.x Linux 5.5.3, 5.1.2**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight* 1.x, 2.x Linux 2.0.5, 2.0U1,
1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux See Section 4
VMware Workbench 3.0.x Linux 3.0.2
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.1.0.2,
5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsxvCenter
Application Discovery Manager
-------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VADM-700-VA&productI
d=300&rPId=3036
Documentation:
http://kb.vmware.com/kb/2092300
vCenter Converter Standalone
----------------------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_5
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_1
Documentation:
http://kb.vmware.com/kb/2091104
http://kb.vmware.com/kb/2091102
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA205&productId=
412&rPId=6888
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA15&productId=3
86&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091622
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-573-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-572-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-571-STD
https://my.vmware.com/web/vmware/details?productId=332&rPId=6743&downloadGr
oup=VCOPS-570-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002 (5.7.0, 5.7.1, 5.7.2, 5.7.3)
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Documentation:
Please contact Global Support Services via My VMware
VMware Studio
-------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STUDIO2600GA&product
Id=230
Documentation:
http://kb.vmware.com/kb/2091990
VMware Workbench
----------------
Downloads and Documentation:
https://developercenter.vmware.com/group/workbench/vm/3.0
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=BDE_200_GA&productId
=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism and at:
https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=VMA550
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VSP510
- -VMA-510
https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=VMA50
Documentation:
http://kb.vmware.com/kb/2079150http://kb.vmware.com/kb/2091620
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10
Updated advisory in conjunction with the release of vCenter Operations
Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11
Updated advisory in conjunction with the release of vCenter Converter
Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
2014-10-13 VMSA-2014-0010.12
Updated advisory in conjunction with the release of
VMware Studio 2.x patch
on 2014-10-13.
2014-10-17 VMSA-2014-0010.13
Updated advisory in conjunction with the release of vCenter Application
Discovery Manager 7.0 patch, vSphere Management Assistant 5.1.0.2, and
VMware Workbench 3.0.2 on 2014-10-17.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFUQWIsDEcm8Vbi9kMRAoR1AKDHn4S//eq+oPtAM0Px2RFI2jRKMACfTPP/
QDo4EkX1su4YYHHrsrFZLXk=
=GHiK
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.12 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.12
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-13
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Converter Standalone 5.5.x prior to 5.5.3
vCenter Converter Standalone 5.1.x prior to 5.1.2
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0.5
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
VMware Studio 2.x without patch
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
For several products, both a patch and a product update are
available.
In general, if a patch is made available, the patch must be applied
to the latest version of the appliance.
Customers should refer to the specific product Knowledge Base
articles
listed in Section 4 to understand the type of remediation available
and
applicable appliance version numbers.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux 5.5.3, 5.1.2**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight* 1.x, 2.x Linux 2.0.5, 2.0U1,
1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux See Section 4
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Converter Standalone
----------------------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_5
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_1
Documentation:
http://kb.vmware.com/kb/2091104
http://kb.vmware.com/kb/2091102
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA205&productId=
412&rPId=6888
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA15&productId=3
86&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091622
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-573-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-572-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-571-STD
https://my.vmware.com/web/vmware/details?productId=332&rPId=6743&downloadGr
oup=VCOPS-570-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002 (5.7.0, 5.7.1, 5.7.2, 5.7.3)
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
VMware Studio
-------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STUDIO2600GA&product
Id=230
Documentation:
http://kb.vmware.com/kb/2091990
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=BDE_200_GA&productId
=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism and at:
https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=VMA550
https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=VMA50
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10
Updated advisory in conjunction with the release of vCenter Operations
Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11
Updated advisory in conjunction with the release of vCenter Converter
Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
2014-10-13 VMSA-2014-0010.12
Updated advisory in conjunction with the release of VMware Studio 2.x
patch on 2014-10-13.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUPGxIDEcm8Vbi9kMRAoiEAKCm06rqZInX5qKCgXJVTBbvltLO3ACgi0Sp
sb2WId7ZIK1I5YcX2Nvgto4=
=Gi+m
-----END PGP SIGNATURE-----
UPDATED: VMSA-2014-0006.11 VMware product updates address OpenSSL security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2014-0006.11
Synopsis: VMware product updates address OpenSSL
security vulnerabilities
Issue date: 2014-06-10
Updated on: 2014-10-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
CVE-2014-3470
- -----------------------------------------------------------------------
1. Summary
VMware product updates address OpenSSL security vulnerabilities.
2. Relevant Releases
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
ESXi 5.0 without patch ESXi500-201407401-SG
Workstation 10.x prior to 10.0.3
Workstation 9.x prior to 9.0.4
Player 6.x prior to 6.0.3
Player 5.x prior to 5.0.4
Fusion 6.x prior to 6.0.4
Fusion 5.x prior to 5.0.5
Horizon Mirage Edge Gateway prior to 4.4.3
Horizon View prior to 5.3.2
Horizon View 5.3 Feature Pack X prior to Feature Pack 3
Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
1.5.0.0-1876270.
x86_64.rpm
Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
1.8.2.1820-1876338.
x86_64.rpm
Horizon View Clients prior to 3.0
vCD 5.5.x prior to 5.5.1.2
vCD 5.1.x prior to 5.1.3.1
vCenter prior to 5.5u1b
vCenter prior to 5.1 U2a
vCenter prior to 5.0U3a
vCenter Support Assistant prior to 5.5.1.1
vCloud Automation Center prior to 6.0.1.2
vCenter Configuration Manager prior to 5.7.2
vCenter Converter Standalone prior to 5.5.2
Converter Standalone prior to 5.1.1
Usage Manager prior to 3.3
vCenter Operations Manager prior to 5.8.2
vCenter Operations Manager prior to 5.7.3
vCenter Chargeback Manager 2.6 prior to 2.6.0.1
vCloud Networking and Security prior to 5.5.2.1
vCloud Networking and Security prior to 5.1.4.1
vSphere PowerCLI 5.x
vCSA prior to 5.5u1b
vCSA prior to 5.1u2a
vCSA prior to 5.0u3a
OVF Tool prior to 5.3.2
Update Manager prior to 5.5u1b
ITBM Standard prior to 1.1
VDDK prior to 5.5.2
VDDK prior to 5.1.3
VDDK prior to 5.0.4
NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
NVP 3.0.x prior to 3.2.3
NSX 6.0.x for vSphere prior to 6.0.5
vFabric Web Server 5.x
Pivotal Web Server prior to 5.4.1
vCenter Site Recovery Manager prior to 5.5.1.1
vCenter Site Recovery Manager prior to 5.1.2.1
vCenter Site Recovery Manager prior to 5.0.3.2
vSphere Replication prior to 5.8
vSphere Replication prior to 5.5.1.1
vSphere SDK for Perl prior to 5.5 Update 2
vSphere Data Protection prior to 5.5.7
3. Problem Description
a. OpenSSL update for multiple products.
OpenSSL libraries have been updated in multiple products to
versions 0.9.8za and 1.0.1h in order to resolve multiple security
issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-0224, CVE-2014-0198,
CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
these issues. The most important of these issues is
CVE-2014-0224.
CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
be of moderate severity. Exploitation is highly unlikely or is
mitigated due to the application configuration.
CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
Security Advisory (see Reference section below), do not affect
any VMware products.
CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
is running a vulnerable version of OpenSSL 1.0.1 and clients are
running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
the server will mitigate this issue for both the server and all
affected clients.
CVE-2014-0224 may affect products differently depending on
whether the product is acting as a client or a server and of
which version of OpenSSL the product is using. For readability
the affected products have been split into 3 tables below,
based on the different client-server configurations and
deployment scenarios.
MITIGATIONS
Clients that communicate with a patched or non-vulnerable server
are not vulnerable to CVE-2014-0224. Applying these patches to
affected servers will mitigate the affected clients (See Table 1
below).
Clients that communicate over untrusted networks such as public
Wi-Fi and communicate to a server running a vulnerable version of
OpenSSL 1.0.1. can be mitigated by using a secure network such as
VPN (see Table 2 below).
Clients and servers that are deployed on an isolated network are
less exposed to CVE-2014-0224 (see Table 3 below). The affected
products are typically deployed to communicate over the
management network.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected Servers in Table 1 below as these patches become
available. Patching these servers will remove the ability to
exploit the vulnerability described in CVE-2014-0224 on both
clients and servers.
VMware recommends customers consider
applying patches to products listed in Table 2 & 3 as required.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1
=======
Affected servers running a vulnerable version of OpenSSL 1.0.1.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi 5.5 ESXi ESXi550-
201406401-SG
Big Data Extensions 1.1 2.0.0
vCenter Chargeback Manager 2.6 2.6.0.1
Horizon Workspace Server 1.5.x horizon-nginx-
rpm-1.5.0.0-
1876270.
x86_64.rpm
Horizon Workspace Server 1.8.x horizon-nginx-
rpm-1.8.2.1820-
1876338.
x86_64.rpm
Horizon Mirage Edge Gateway 4.4.x 4.4.3
Horizon View 5.x 5.3.2
Horizon View Feature Pack 5.x 5.3 FP3
NSX for Multi-Hypervisor 4.1.2 4.1.3
NSX for Multi-Hypervisor 4.0.3 4.0.4
NSX for vSphere 6.0.4 6.0.5
NVP 3.2.2 3.2.3
vCloud Networking and Security 5.5.2 5.5.2.1
vCloud Networking and Security 5.1.4 5.1.4.1
Pivotal Web Server 5.4 5.4.1
vFabric Web Server 5.x Pivotal Web
Server 5.4.1
Table 2
========
Affected clients running a vulnerable version of OpenSSL 0.9.8
or 1.0.1 and communicating over an untrusted network.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
vCSA 5.5 5.5u1b
vCSA 5.1 5.1u2a
vCSA 5.0 5.0u3a
ESXi 5.1 ESXi ESXi510-
201406401-SG
ESXi 5.0 ESXi ESXi500-
201407401-SG
Workstation 10.x any 10.0.3
Workstation 9.x any 9.0.4
Fusion 6.x OSX 6.0.4
Fusion 5.x OSX 5.0.5
Player 6.x any 6.0.3
Player 5.x any 5.0.4
vCenter Chargeback Manager 2.5.x 2.6.0.1
Horizon Workspace Client 1.x OSX 1.8.2
Horizon Workspace Client 1.x Windows 1.8.2
Horizon View Client 2.x Android 3.0
Horizon View Client 2.x iOS 3.0
Horizon View Client 2.x OSX 3.0
Horizon View Client 2.x Windows 3.0
Horizon View Client 2.x WinStore 3.0
OVF Tool 3.5.1 3.5.2
OVF Tool 3.0.1 3.5.2
vCenter Operations Manager 5.8.x 5.8.2
vCenter Operations Manager 5.7.x 5.7.3
vCenter Support Assistant 5.5.1 5.5.1.1
vCD 5.5.1.x 5.5.1.2
vCD 5.1.x 5.1.3.1
vCenter Site Recovery Manager 5.5.x 5.5.1.1
vCenter Site Recovery Manager 5.1.x 5.1.2.1
vCenter Site Recovery Manager 5.0.3.x 5.0.3.2
vSphere Client 5.5 Windows 5.5u1b
vSphere Client 5.1 Windows 5.1u2a
vSphere Client 5.0 Windows 5.0u3a
Table 3
=======
The following table lists all affected clients running a
vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
over a trusted or isolated network.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
vCenter Server 5.5 any 5.5u1b
vCenter Server 5.1 any 5.1u2a
vCenter Server 5.0 any 5.0u3a
Update Manager 5.5 Windows 5.5u1b
vCenter Configuration
Manager (VCM) 5.6 5.7.2
ITBM Standard 1.0.1 1.1
ITBM Standard 1.0 1.1
Studio 2.6.0.0 patch pending
Usage Meter 3.3 3.3.1
vCenter Converter Standalone 5.5 5.5.2
vCenter Converter Standalone 5.1 5.1.1
vCloud Automation Center 6.0.x 6.0.1.2
VIX API 1.12 patch pending
vMA (Management Assistant) 5.5.01 patch pending
vSphere PowerCLI 5.x See VMware
KB 2082132
vSphere Data Protection 5.5.6 5.5.7
vSphere Data Protection 5.1.11 patch pending
vSphere Replication 5.5.1 5.5.1.1
vSphere Replication 5.6 5.8
vSphere SDK for Perl 5.5 5.5 Update 2
VDDK 5.5.x 5.5.2
VDDK 5.1.x 5.1.3
VDDK 5.0.x 5.0.4
4. Solution
Big Data Extensions 2.0.0
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-bde
ESXi 5.5, 5.1 and 5.0
----------------------------
Download:
https://www.vmware.com/patchmgr/findPatch.portal
Horizon Mirage Edge Gateway 4.4.3
---------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-horizon-mirage
vCD 5.5.1.2
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
------------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCSA 5.5u1b, 5.1u2a and 5.0u3a
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
Update Manager 5.5u1b
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
VDDK 5.x
----------------------------
Downloads and Documentation:
https://www.vmware.com/support/developer/vddk
vCenter Configuration Manager (VCM) 5
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download_vcm
vCenter Operations Manager 5.8 and 5.7.3
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere-ops-mgr
OVF Tool 3.5.2
--------------
Download:
https://www.vmware.com/support/developer/ovf/
vCenter Converter Standalone 5.5.2
-----------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-converter
Horizon View 5
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadview
Horizon View 5.3 Feature Pack 3
-----------------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadview
Horizon Workspace Server 1.5 and 1.8.x
----------------------------
Release Notes and download:
http://kb.vmware.com/kb/2082181
Workstation
----------------------
https://www.vmware.com/go/downloadworkstation
Fusion
------------------
https://www.vmware.com/go/downloadfusion
VMware Player
------------------
https://www.vmware.com/go/downloadplayer
vCenter Server 5.1 Update 2a
----------------------------------------------------
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_1
vCenter Server 5.0 Update 3a
----------------------------------------------------
Download link:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0
vCloud Networking and Security 5.5.2.1
------------------------------------
Download
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId
=353&rPId=5255
vCloud Networking and Security 5.1.4.1
------------------------------------
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId
=285&rPId=5131
NSX for Multi-Hypervisor, NSX for vSphere and NVP
-------------------------------------------------
Remediation Instructions and Download, available under support:
http://www.vmware.com/products/nsx
vCD 5.5.1.2 and vCD 5.1.3.1
---------------------------
Download link:
https://www.vmware.com/go/download-vcd-ns
VMware vCenter Chargeback Manager
---------------------------------
Download link:
https://www.vmware.com/go/download-chargeback
Converter Standalone 5.1.1
---------------------------
Download link:
https://www.vmware.com/go/download-converter
Usage Manager 3.3
-----------------
Downloads and Documentation:
https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter
vCenter Support Assistant
--------------------------
Downloads:
https://www.vmware.com/go/download-vsphere
Pivotal Web Server 5.4.1
------------------------
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541
&productId=335&rPId=6214
vCloud Automation Center
--------------------------
Downloads:
https://www.vmware.com/go/download-vcac
vCenter Site Recovery Manager 5.5.1.1
-------------------------------------
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081861
vCenter Site Recovery Manager 5.1.2.1
-------------------------------------
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081860
vCenter Site Recovery Manager 5.0.3.2
-------------------------------------
Remediation Instructions and Download:
http://kb.vmware.com/kb/2081859
vSphere Replication 5.8
-----------------------
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId
=353
vSphere Replication 5.5.1.1
---------------------------
Remediation Instructions and Download:
http://kb.vmware.com/kb/2082666
ITBM Standard 1.1
-----------------
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
Release Notes:
https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-n
otes.html
vSphere SDK for Perl 5.5 Update 2
----------------------------------
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&
rPId=6436
Release Notes:
https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-
58-release-notes.html
vSphere Data Protection 5.5.7
-----------------------------
Download:
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_7
Release Notes:
https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
https://www.openssl.org/news/secadv_20140605.txt
http://www.gopivotal.com/security/cve-2014-0224
VMware Knowledge Base Article 2082132
http://kb.vmware.com/kb/2082132
- -----------------------------------------------------------------------
6. Change Log
2014-06-10 VMSA-2014-0006
Initial security advisory in conjunction with the release of
ESXi 5.5 updates on 2014-06-10
2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of
Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3,
vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
Manager 5.5u1b on 2014-06-12
2014-06-17 VMSA-2014-0006.2
Updated security advisory in conjunction with the release of
ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17
2014-06-24 VMSA-2014-0006.3
Updated security advisory in conjunction with the release of
Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3,
vCenter Configuration Manager 5.7.2, vCenter
Converter Standalone 5.5.2, vCenter Operations
Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24
2014-07-01 VMSA-2014-0006.4
Updated security advisory in conjunction with the release of
ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
Horizon Workspace Server 1.5.x and 1.8.x updates, vCD
5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a,
vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
vCenter Chargeback Manager 2.6.0.1,
vCloud Networking and Security 5.5.2.1 and 5.1.4.1,
NSX for Multi-Hypervisor 4.1.3,
NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
NSX 6.0.5 for vSphere on 2014-07-01
2014-07-03 VMSA-2014-0006.5
Updated security advisory in conjunction with the release of
Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support
Assistant 5.5.1.1, on 2014-07-03
2014-07-08 VMSA-2014-0006.6
Updated security advisory in conjunction with the release of
vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1
on 2014-07-08
2014-07-10 VMSA-2014-0006.7
Updated security advisory in conjunction with the release of
vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
5.7.3 on 2014-07-10
2014-07-18 VMSA-2014-0006.8
Updated security advisory in conjunction with the release of
patches for vCenter Site Recovery Manager 5.5.1.1 and
vSphere Replication 5.5.1.1 on 2014-07-17
2014-07-22 VMSA-2014-0006.9
Updated security advisory in conjunction with the release of
patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2
on 2014-07-22
2014-09-09 VMSA-2014-0006.10
Updated security advisory in conjunction with the release of
patches for ITBM Standard 1.1, vSphere Replication 5.8 and
vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric
Application Director has been removed from the table above since
it is not affected by this issue.
2014-10-09 VMSA-2014-0006.11
Updated security advisory in conjunction with the release of
vSphere Data Protection 5.5.7 on 2014-10-09
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFUNwCgDEcm8Vbi9kMRAno4AKCqcmvs7IFFxZUXkUEJNTzdkEYpqwCg6Jpj
PAsVSEZzWJCaLAmMExh82cM=
=of/7
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.11 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.11
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-09
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Converter Standalone 5.5.x prior to 5.5.3
vCenter Converter Standalone 5.1.x prior to 5.1.2
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0.5
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
For several products, both a patch and a product update are
available.
In general, if a patch is made available, the patch must be applied
to the latest version of the appliance.
Customers should refer to the specific product Knowledge Base
articles
listed in Section 4 to understand the type of remediation available
and
applicable appliance version numbers.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux 5.5.3, 5.1.2**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight* 1.x, 2.x Linux 2.0.5, 2.0U1,
1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux Patch Pending
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/web/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Converter Standalone
----------------------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_5
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_converter_standalone/5_1
Documentation:
http://kb.vmware.com/kb/2091104
http://kb.vmware.com/kb/2091102
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA205&productId=
412&rPId=6888
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA15&productId=3
86&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091622
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-573-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-572-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-571-STD
https://my.vmware.com/web/vmware/details?productId=332&rPId=6743&downloadGr
oup=VCOPS-570-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002 (5.7.0, 5.7.1, 5.7.2, 5.7.3)
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=BDE_200_GA&productId
=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10
Updated advisory in conjunction with the release of vCenter Operations
Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11
Updated advisory in conjunction with the release of vCenter Converter
Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUNsLuDEcm8Vbi9kMRAhiMAJsGEd/mMSkpxL0NGTuJz3sQzXgJMACgtjE4
kHYgUU/jM2GoUH6K7N1JDxg=
=+GlN
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.10 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.10
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-08
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
For several products, both a patch and a product update are
available.
In general, if a patch is made available, the patch must be applied
to the latest version of the appliance.
Customers should refer to the specific product Knowledge Base
articles
listed in Section 4 to understand the type of remediation available
and
applicable appliance version numbers.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux Patch Pending**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight 1.x, 2.x Linux 2.0 U1, 1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux Patch Pending
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/group/vmware/details?downloadGroup=STRATA15&productId
=386&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091065
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-573-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-572-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-571-STD
https://my.vmware.com/web/vmware/details?productId=332&rPId=6743&downloadGr
oup=VCOPS-570-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002 (5.7.0, 5.7.1, 5.7.2, 5.7.3)
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=BDE_200_GA&product
Id=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10
Updated advisory in conjunction with the release of vCenter Operations
Manager patches on 2014-10-08.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUNbWVDEcm8Vbi9kMRAogkAJ49DaHlVNWhTylbJrPBnF+GGZ7gmQCgniZ7
e4DPUDqPTVQf+3XltghWbqQ=
=pJa3
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.10 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.10
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-08
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
For several products, both a patch and a product update are
available.
In general, if a patch is made available, the patch must be applied
to the latest version of the appliance.
Customers should refer to the specific product Knowledge Base
articles
listed in Section 4 to understand the type of remediation available
and
applicable appliance version numbers.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux Patch Pending**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight 1.x, 2.x Linux 2.0 U1, 1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux Patch Pending
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/group/vmware/details?downloadGroup=STRATA15&productId
=386&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091065
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-573-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-572-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-571-STD
https://my.vmware.com/web/vmware/details?productId=332&rPId=6743&downloadGr
oup=VCOPS-570-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002 (5.7.0, 5.7.1, 5.7.2, 5.7.3)
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=BDE_200_GA&product
Id=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10
Updated advisory in conjunction with the release of vCenter Operations
Manager patches on 2014-10-08.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUNbWVDEcm8Vbi9kMRAogkAJ49DaHlVNWhTylbJrPBnF+GGZ7gmQCgniZ7
e4DPUDqPTVQf+3XltghWbqQ=
=pJa3
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.9 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.9
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-07
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux Patch Pending**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight 1.x, 2.x Linux 2.0 U1, 1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux Patch Pending
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/group/vmware/details?downloadGroup=STRATA15&productId
=386&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091065
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-573-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=BDE_200_GA&product
Id=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUNFyiDEcm8Vbi9kMRArFiAKCZ12nZYLMpPRNzyLEybQDdd9Sp/gCg+VgG
PaUD0dLeWmhRGR2raxT76BE=
=OjTv
-----END PGP SIGNATURE-----
UPDATED VMSA-2014-0010.9 – VMware product updates address critical Bash security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2014-0010.9
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-10-07
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- ------------------------------------------------------------------------
1. Summary
VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present)
ESX 4.1 without patch ESX410-201410401-SG
ESX 4.0 without patch ESX400-201410401-SG
vCenter Server Appliance prior to 5.5 U2a
vCenter Server Appliance prior to 5.1 U2b
vCenter Server Appliance prior to 5.0 U3b
Horizon DaaS Platform prior to 6.1.1
Horizon DaaS Platform prior to 6.0.2
Horizon DaaS Platform prior to 5.4.3
Horizon Workspace 1.x, 2.x without patch
IT Business Management Suite prior to 1.1.0
IT Business Management Suite prior to 1.0.1
NSX for Multi-Hypervisor 4.2.x prior to 4.2.1
NSX for Multi-Hypervisor 4.1.x prior to 4.1.4
NSX for Multi-Hypervisor 4.0.x prior to 4.0.5
NSX for vSphere 6.1.x prior to 6.1.1
NSX for vSphere 6.0.x prior to 6.0.7
NVP 3.x prior to 3.2.4
vCenter Hyperic Server prior to 5.8.3
vCenter Hyperic Server 5.8.2 without SP3
vCenter Hyperic Server 5.8.1 without SP3
vCenter Hyperic Server 5.8.0 without SP2
vCenter Hyperic Server prior to 5.7.2
vCenter Hyperic Server 5.7.1 without SP1
vCenter Hyperic Server prior to 5.0.3
vCenter Hyperic Server 5.0.2 without SP1
vCenter Infrastructure Navigator prior to 5.8.3
vCenter Infrastructure Navigator prior to 5.7.1
vCenter Infrastructure Navigator prior to 2.0.1
vCenter Log Insight prior to 2.0U1
vCenter Log Insight prior to 1.5.0U1
vCenter Operations Manager 5.x without patch
vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1
vCenter Orchestrator Appliance 5.1.x, 4.x without patch
vCenter Site Recovery Manager prior to 5.5.1.3
vCenter Site Recovery Manager prior to 5.1.2.2
vCenter Support Assistant without patch
vCloud Application Director 5.x, 6.x without patch
vCloud Automation Center 6.x without patch
vCloud Automation Center Application Services 6.x without patch
vCloud Director Appliance prior to 5.5.1.3
vCloud Connector prior to 2.6.1
vCloud Networking and Security prior to 5.5.3.1
vCloud Networking and Security prior to 5.1.4.3
vCloud Usage Meter prior to 3.3.2
vFabric Postgres prior to 9.3.5.1
vFabric Postgres prior to 9.2.9.1
vFabric Postgres prior to 9.1.14.1
VMware Application Dependency Planner prior to 2.0.0.1
View Planner prior to 3.0.1.1
VMware Data Recovery prior to 2.0.4
VMware HealthAnalyzer prior to 5.0.3.1
VMware Mirage Gateway prior to 5.1.1
VMware Socialcast On Premise prior to 2-116-1
VMware Socialcast On Premise prior to 2-112-1
vSphere App HA prior to 1.1.1
vSphere App HA 1.1.0 without patch
vSphere Big Data Extensions 2.x without patch
vSphere Data Protection 5.x without patch
vSphere Management Assistant 5.5.x without 5.5 EP1
vSphere Management Assistant 5.0.x without 5.0 EP1
vSphere Replication prior to 5.8.0.1
vSphere Replication prior to 5.6.0.2
vSphere Replication prior to 5.5.1.3
vSphere Replication prior to 5.1.2.2
vSphere Storage Appliance prior to 5.5.2
vSphere Storage Appliance 5.1.x without patch
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell.
ESX has an affected version of the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX ESX410-201410401-SG*
ESX 4.0 ESX ESX400-201410401-SG*
* VMware has made VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= ================
vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b,
5.0 U3b
Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2,
5.4.3
Horizon Workspace 1.x, 2.x Linux See Section 4
IT Business Management Suite 1.x Linux 1.1.0, 1.0.1
NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4
4.0.5
NSX for vSphere 6.x Linux 6.1.1, 6.0.7
NVP 3.x Linux 3.2.4
vCenter Application Discovery 7.x Linux Patch Pending
Manager
vCenter Converter Standalone 5.x Linux Patch Pending**
vCenter Hyperic Server* 5.x Linux 5.8.3, 5.8.2-SP3,
5.8.1-SP3,
5.8.0-SP2,
5.7.2, 5.7.1-SP1,
5.0.3, 5.0.2-SP1
vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1,
2.0.1
vCenter Log Insight 1.x, 2.x Linux 2.0 U1, 1.5.0U1
vCenter Operations Manager 5.x Linux See Section 4
vCenter Orchestrator Appliance* 4.x, 5.x Linux 5.5.2.1, 5.1.2,
4.2.3 See Section
4
vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2,
5.0.x**
vCenter Support Assistant 5.x Linux See Section 4
vCloud Application Director 5.x, 6.x Linux See Section 4
vCloud Automation Center 6.x Linux See Section 4
vCloud Automation Center
Application Services 6.x Linux See Section 4
vCloud Director Appliance 5.x Linux 5.5.1.3
vCloud Connector 2.x Linux 2.6.1
vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3
vCloud Usage Meter 3.x Linux 3.3.2
vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1,
9.1.14.1
View Planner 3.x Linux 3.0.1.1
VMware Application Dependency x.x Linux 2.0.0.1
Planner
VMware Data Recovery 2.x Linux 2.0.4
VMware HealthAnalyzer 5.x Linux 5.0.3.1
VMware Mirage Gateway 5.x Linux 5.1.1
VMware Socialcast On Premise 2.x Linux 2-116-1,
2-112-1
VMware Studio 2.x Linux Patch Pending
VMware Workbench 3.0.x Linux Patch Pending
vSphere App HA* 1.x Linux 1.1.1
vSphere Big Data Extensions 2.x Linux See Section 4
vSphere Data Protection 5.x Linux See Section 4
vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1
vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2,
5.5.1.3, 5.1.2.2
vSphere Storage Appliance* 5.x Linux 5.5.2, 5.1.3
See Section 4
* This product has patches available to update bash manually as well as
a
full installation that includes the bash fix for some versions. Either
installing the patch or upgrading the appliance will remediate the
"shellshock" vulnerability. See documentation in Section 4 for details.
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
4. Solution
ESX
---
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2090859
http://kb.vmware.com/kb/2090853
vCenter Server Appliance
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2
(scroll down to 5.5 Update 2a Appliance)
https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS
P510-VC-51U2A
(scroll down to 5.1 Update 2b Appliance)
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3
A
(scroll down to 5.0 Update 3b Appliance)
Documentation:
http://kb.vmware.com/kb/2091085
http://kb.vmware.com/kb/2091018
http://kb.vmware.com/kb/2091017
Horizon DaaS Platform
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr
oup=HORIZON-DAAS-610-BIN
https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO
N-DAAS-602
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398
Documentation:
http://kb.vmware.com/kb/2091183
Horizon Workspace
-----------------
Downloads:
(Scroll down to the relevant download)
Workspace Portal 2.1.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNP210
Workspace Portal 2.0.0 ->
https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr
oup=HZNWS200
Horizon Workspace 1.8.2 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS182
Horizon Workspace 1.8.1 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS181
Horizon Workspace 1.8.0 ->
https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr
oup=HZNWS180
Horizon Workspace 1.5.2 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS152
Horizon Workspace 1.5.1 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS151
Horizon Workspace 1.5.0 ->
https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr
oup=HZNWS150
Documentation:
http://kb.vmware.com/kb/2091067
IT Business Management Suite
----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384
https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product
Id=385&rPId=6333
Documentation:
http://kb.vmware.com/kb/2091014
http://kb.vmware.com/kb/2091013
NSX for Multi-Hypervisor
------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-421
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-414
Note: For 4.0.5 refer to http://www.vmware.com/products/nsx
Documentation:
http://kb.vmware.com/kb/2091179
http://kb.vmware.com/kb/2091205
NSX for vSphere
---------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-611
https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-607
Documentation:
http://kb.vmware.com/kb/2091213
http://kb.vmware.com/kb/2091216
NVP
---
Downloads and Documentation:
http://www.vmware.com/products/nsx
vCenter Hyperic Server
----------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_582_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_581_SERVER
https://my.vmware.com/web/vmware/details?productId=378&rPId=6386&downloadGr
oup=VCHQ_580_SERVER
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572
https://my.vmware.com/web/vmware/details?productId=346&rPId=6849&downloadGr
oup=VFHQ_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT
https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER
https://my.vmware.com/web/vmware/details?productId=311&rPId=6848&downloadGr
oup=VFHQ_502
Documentation:
http://kb.vmware.com/kb/2091109
http://kb.vmware.com/kb/2091210
http://kb.vmware.com/kb/2091372
http://kb.vmware.com/kb/2091373
http://kb.vmware.com/kb/2091206
http://kb.vmware.com/kb/2091223
http://kb.vmware.com/kb/2091207
http://kb.vmware.com/kb/2091224
vCenter Infrastructure Navigator
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571
https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201
Documentation:
http://kb.vmware.com/kb/2091095
http://kb.vmware.com/kb/2091093
http://kb.vmware.com/kb/2091108
vCenter Log Insight
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4
12&rPId=5804
https://my.vmware.com/group/vmware/details?downloadGroup=STRATA15&productId
=386&rPId=4787
Documentation:
http://kb.vmware.com/kb/2091065
http://kb.vmware.com/kb/2091065
vCenter Operations Manager
--------------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-583-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-582-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-581-STD
https://my.vmware.com/web/vmware/details?productId=374&rPId=6725&downloadGr
oup=VCOPS-580-STD
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-573-STD
Documentation:
http://kb.vmware.com/kb/2091083
http://kb.vmware.com/kb/2091002
http://kb.vmware.com/kb/2091401 (5.8.0, 5.8.1, 5.8.2)
vCenter Orchestrator Appliance
------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ
ctId=353&rPId=6655
Documentation:
http://kb.vmware.com/kb/2091036
vCenter Site Recovery Manager
-----------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35
7&rPId=6636
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29
1&rPId=6631
Documentation:
http://kb.vmware.com/kb/2091038
http://kb.vmware.com/kb/2091039
http://kb.vmware.com/kb/2091037 (5.0.x)
vCenter Support Assistant
-------------------------
Downloads and Documentation:
http://kb.vmware.com/kb/2091112
vCloud Application Director
---------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc
tId=383&rPId=6216
https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod
uctId=345&rPId=3789
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Automation Center
------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4
47&rPId=6501
https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId=
383&rPId=6216
Documentation:
http://kb.vmware.com/kb/2091012
vCloud Automation Center Application Services
---------------------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId
=447&rPId=6501
Documentation:
http://kb.vmware.com/kb/2091129
vCloud Director Appliance
-------------------------
Downloads:
www.vmware.com/go/try-vcloud-director
Documentation:
http://kb.vmware.com/kb/2091071
vCloud Connector
----------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA
Documentation:
http://kb.vmware.com/kb/2091045
vCloud Networking and Security
------------------------------
Downloads:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5531
https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5143
Documentation:
http://kb.vmware.com/kb/2091218
http://kb.vmware.com/kb/2091217
vCloud Usage Meter
------------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332
Documentation:
http://kb.vmware.com/kb/2091184
vFabric Postgres
----------------
Downloads:
https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab
ric_postgres/9_3
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_2
https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab
ric_postgres/9_1
Documentation:
http://kb.vmware.com/kb/2091055
View Planner
------------
View Planner Benchmark Mode
Downloads:
https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P
LAN-300
Documentation:
http://kb.vmware.com/kb/2091281
View Planner Flexible Mode
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUza
VMware Application Dependency Planner
-------------------------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzQ
VMware Data Recovery
--------------------
Downloads:
https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204
Documentation:
http://kb.vmware.com/kb/2091015
VMware HealthAnalyzer
---------------------
Downloads and Documentation:
https://na6.salesforce.com/06980000001EUzV
VMware Mirage Gateway
---------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId
=407&rPId=6565
(See VMware Mirage Gateway Software)
Documentation:
http://kb.vmware.com/kb/2091090
VMware Socialcast On Premise
----------------------------
Downloads and Doumentation:
Please contact Global Support Services via My VMware
vSphere App HA
--------------
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111
https://my.vmware.com/web/vmware/details?downloadGroup=APPHA-110&productId=
408&rPId=5635
Documentation:
http://kb.vmware.com/kb/2091087
http://kb.vmware.com/kb/2091371
vSphere Big Data Extensions
---------------------------
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=BDE_200_GA&product
Id=353&rPId=6657
Documentation and Release Notes:
http://kb.vmware.com/kb/2091050
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-20-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-11-release-notes.html#resolvedissues
https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten
sions-10-release-notes.html#resolvedissues
vSphere Data Protection
-----------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35
3&rPId=6654
https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr
oup=VDP55_6
https://my.vmware.com/web/vmware/details?downloadGroup=VDPADV51_21&productI
d=330&rPId=3818
https://my.vmware.com/web/vmware/details?downloadGroup=VDP51_11&productId=2
85
Documentation:
http://kb.vmware.com/kb/2091341
vSphere Management Assistant
----------------------------
Downloads:
Download available via online vMA update mechanism
Documentation:
http://kb.vmware.com/kb/2079150
http://kb.vmware.com/kb/2079151
vSphere Replication
-------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353
&rPId=6654
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602
https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr
oup=VR5513
https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285
&rPId=6779
Documentation:
http://kb.vmware.com/kb/2091019
http://kb.vmware.com/kb/2091031
http://kb.vmware.com/kb/2091033
http://kb.vmware.com/kb/2091035
vSphere Storage Appliance
-------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc
tId=354&rPId=6585
https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc
tId=297&rPId=3752
Documentation:
http://kb.vmware.com/kb/2091000
http://kb.vmware.com/kb/2091086
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1
Updated advisory in conjunction with the release of ESX 4.x patches,
vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director
Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway
5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added
CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be
mitigated.
2014-10-01 VMSA-2014-0010.2
Updated advisory in conjunction with the release of Horizon Workspace
patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter
Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and
5.1.2.2, vCloud Application Director patches, vCloud Automation Center
patches, vCloud Automation Center Application Services patches, vCloud
Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and
9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on
2014-10-01.
2014-10-02 VMSA-2014-0010.3
Updated advisory in conjunction with the release of vCenter Hyperic
Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3,
5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support
Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant
5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02.
2014-10-02 VMSA-2014-0010.4
Updated advisory in conjunction with the release of Horizon DaaS
Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance
5.5.2.1,
vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere
Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5
Updated advisory in conjunction with the release of vCloud Networking
and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6
Updated advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and
6.0.7,
NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7
Updated advisory in conjunction with the release of View Planner
Benchmark
3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8
Updated advisory in conjunction with the release of vCenter Hyperic
Server
5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log
Insight 1.5.0U1, View Planner Flexible 3.0.1.1,VMware Application
Dependency
Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, vSphere App HA 1.1.0
patch
on 2014-10-06.
2014-10-07 VMSA-2014-0010.9
Updated advisory in conjunction with the release of vCenter Operations
Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and
vSphere Data Protection patches on 2014-10-07.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFUNFyiDEcm8Vbi9kMRArFiAKCZ12nZYLMpPRNzyLEybQDdd9Sp/gCg+VgG
PaUD0dLeWmhRGR2raxT76BE=
=OjTv
-----END PGP SIGNATURE-----