-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VMware Security Advisory Advisory ID: VMSA-2014-0010.1 Synopsis: VMware product updates address critical Bash security vulnerabilities Issue date: 2014-09-30 Updated on: 2014-10-01 CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 - ------------------------------------------------------------------------ 1. Summary VMware product updates address Bash security vulnerabilities. 2. Relevant Releases (Affected products for which remediation is present) ESX 4.1 without patch ESX410-201410401-SG ESX 4.0 without patch ESX400-201410401-SG vCenter Server Appliance prior to 5.5 U2a vCenter Server Appliance prior to 5.1 U2b vCenter Server Appliance prior to 5.0 U3b vCloud Director Appliance prior to 5.5.1.3 VMware Data Recovery prior to 2.0.4 VMware Mirage Gateway prior to 5.1.1 vSphere Storage Appliance prior to 5.5.2 vCenter Log Insight prior to 2.0U1 3. Problem Description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories: I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor ================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi any ESXi Not affected ESX 4.1 ESX ESX410-201410401-SG* ESX 4.0 ESX ESX400-201410401-SG* * VMware has made VMware ESX 4.0 and 4.1 security patches available for the Bash shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. Table 2 - Products that are shipped as a (virtual) appliance. ============================================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ================ vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b, 5.0 U3b Horizon DaaS Platform 6.x Linux Patch Pending Horizon Workspace 1.x, 2.x Linux Patch Pending IT Business Management Suite 1.x Linux Patch Pending NSX for Multi-Hypervisor 4.x Linux Patch Pending NSX for vSphere 6.x Linux Patch Pending NVP 3.x Linux Patch Pending vCenter Converter Standalone 5.x Linux Patch Pending ** vCenter Hyperic Server 5.x Linux Patch Pending vCenter Infrastructure Navigator 5.x Linux Patch Pending vCenter Log Insight 1.x, 2.x Linux 2.0 U1 vCenter Operations Manager 5.x Linux Patch Pending vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending vCenter Site Recovery Manager 5.x Linux Patch Pending ** vCenter Support Assistant 5.x Linux Patch Pending vCloud Automation Center 6.x Linux Patch Pending vCloud Automation Center Application Services 6.x Linux Patch Pending vCloud Director Appliance 5.x Linux 5.5.1.3 vCloud Connector 2.x Linux Patch Pending vCloud Networking and Security 5.x Linux Patch Pending vCloud Usage Meter 3.x Linux Patch Pending vFabric Application Director 5.x, 6.x Linux Patch Pending vFabric Postgres 9.x Linux Patch Pending Viewplanner 3.x Linux Patch Pending VMware Application Dependency Planner x.x Linux Patch Pending VMware Data Recovery 2.x Linux 2.0.4 VMware HealthAnalyzer 5.x Linux Patch Pending VMware Mirage Gateway 5.x Linux 5.1.1 VMware Socialcast On Premise x.x Linux Patch Pending VMware Studio 2.x Linux Patch Pending VMware TAM Data Manager x.x Linux Patch Pending VMware Workbench 3.x Linux Patch Pending vSphere App HA 1.x Linux Patch Pending vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending vSphere Data Protection 5.x Linux Patch Pending vSphere Management Assistant 5.x Linux Patch Pending vSphere Replication 5.x Linux Patch Pending vSphere Storage Appliance 5.x Linux 5.5.2 ** This product includes Virtual Appliances that will be updated, the product itself is not a Virtual Appliance. 4. Solution ESX --- Downloads: https://www.vmware.com/patchmgr/findPatch.portal Documentation: http://kb.vmware.com/kb/2090859 http://kb.vmware.com/kb/2090853 vCenter Server Appliance ------------------------ Downloads: https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2 (scroll down to 5.5 Update 2a Appliance) https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS P510-VC-51U2A (scroll down to 5.1 Update 2b Appliance) https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3 A (scroll down to 5.0 Update 3b Appliance) Documentation: http://kb.vmware.com/kb/2091085 http://kb.vmware.com/kb/2091018 http://kb.vmware.com/kb/2091017 vCloud Director Appliance ------------------------- Downloads: www.vmware.com/go/try-vcloud-director Documentation: http://kb.vmware.com/kb/2091071 VMware Data Recovery -------------------- Downloads: https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204 Documentation: http://kb.vmware.com/kb/2091015 VMware Mirage Gateway --------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId =407&rPId=6565 (See VMware Mirage Gateway Software) Documentation: http://kb.vmware.com/kb/2091090 vSphere Storage Appliance ------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc tId=354&rPId=6585 Documentation: http://kb.vmware.com/kb/2091000 vCenter Log Insight ------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4 12&rPId=5804 Documentation: http://kb.vmware.com/kb/2091065 5. References VMware Knowledge Base Article 2090740 http://kb.vmware.com/kb/2090740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 , http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 - ------------------------------------------------------------------------ 6. Change Log 2014-09-30 VMSA-2014-0010 Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30. 2014-10-01 VMSA-2014-0010.1 Updated advisory in conjunction with the release of ESX 4.x patches, vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway 5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added CVE-2014-6277 and CVE-2014-6278 as confirmed fixed. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Policy https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFULDR2DEcm8Vbi9kMRAno8AKChLzy32utif3LnJt4DduKNpmH1MgCgqKl+ ycAq/Gx4gCwu6SjbjBdgmSs= =81FF -----END PGP SIGNATURE-----