-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VMware Security Advisory Advisory ID: VMSA-2014-0010.7 Synopsis: VMware product updates address critical Bash security vulnerabilities Issue date: 2014-09-30 Updated on: 2014-10-05 CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 - ------------------------------------------------------------------------ 1. Summary VMware product updates address Bash security vulnerabilities. 2. Relevant Releases (Affected products for which remediation is present) ESX 4.1 without patch ESX410-201410401-SG ESX 4.0 without patch ESX400-201410401-SG vCenter Server Appliance prior to 5.5 U2a vCenter Server Appliance prior to 5.1 U2b vCenter Server Appliance prior to 5.0 U3b Horizon DaaS Platform prior to 6.1.1 Horizon DaaS Platform prior to 6.0.2 Horizon DaaS Platform prior to 5.4.3 Horizon Workspace 1.x, 2.x without patch IT Business Management Suite prior to 1.1.0 IT Business Management Suite prior to 1.0.1 NSX for Multi-Hypervisor 4.2.x prior to 4.2.1 NSX for Multi-Hypervisor 4.1.x prior to 4.1.4 NSX for Multi-Hypervisor 4.0.x prior to 4.0.5 NSX for vSphere 6.1.x prior to 6.1.1 NSX for vSphere 6.0.x prior to 6.0.7 NVP 3.x prior to 3.2.4 vCenter Hyperic Server prior to 5.8.3 vCenter Hyperic Server prior to 5.7.2 vCenter Hyperic Server prior to 5.0.3 vCenter Infrastructure Navigator prior to 5.8.3 vCenter Infrastructure Navigator prior to 5.7.1 vCenter Infrastructure Navigator prior to 2.0.1 vCenter Log Insight prior to 2.0U1 vCenter Operations Manager 5.x without patch vCenter Orchestrator Appliance 5.5.x prior to 5.5.2.1 vCenter Orchestrator Appliance 5.1.x, 4.x without patch vCenter Site Recovery Manager prior to 5.5.1.3 vCenter Site Recovery Manager prior to 5.1.2.2 vCenter Support Assistant without patch vCloud Application Director 5.x, 6.x without patch vCloud Automation Center 6.x without patch vCloud Automation Center Application Services 6.x without patch vCloud Director Appliance prior to 5.5.1.3 vCloud Connector prior to 2.6.1 vCloud Networking and Security prior to 5.5.3.1 vCloud Networking and Security prior to 5.1.4.3 vCloud Usage Meter prior to 3.3.2 vFabric Postgres prior to 9.3.5.1 vFabric Postgres prior to 9.2.9.1 vFabric Postgres prior to 9.1.14.1 View Planner prior to 3.0.1.1 VMware Data Recovery prior to 2.0.4 VMware Mirage Gateway prior to 5.1.1 vSphere App HA prior to 1.1.1 vSphere Big Data Extensions 2.x without patch vSphere Data Protection 5.x without patch vSphere Management Assistant 5.5.x without 5.5 EP1 vSphere Management Assistant 5.0.x without 5.0 EP1 vSphere Replication prior to 5.8.0.1 vSphere Replication prior to 5.6.0.2 vSphere Replication prior to 5.5.1.3 vSphere Replication prior to 5.1.2.2 vSphere Storage Appliance prior to 5.5.2 vSphere Storage Appliance 5.1.x without patch 3. Problem Description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories: I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor ================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi any ESXi Not affected ESX 4.1 ESX ESX410-201410401-SG* ESX 4.0 ESX ESX400-201410401-SG* * VMware has made VMware ESX 4.0 and 4.1 security patches available for the Bash shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. Table 2 - Products that are shipped as a (virtual) appliance. ============================================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ================ vCenter Server Appliance 5.x Linux 5.5 U2a, 5.1 U2b, 5.0 U3b Horizon DaaS Platform 5.x, 6.x Linux 6.1.1, 6.0.2, 5.4.3 Horizon Workspace 1.x, 2.x Linux See Section 4 IT Business Management Suite 1.x Linux 1.1.0, 1.0.1 NSX for Multi-Hypervisor 4.x Linux 4.2.1, 4.1.4 4.0.5 NSX for vSphere 6.x Linux 6.1.1, 6.0.7 NVP 3.x Linux 3.2.4 vCenter Converter Standalone 5.x Linux Patch Pending** vCenter Hyperic Server 5.x Linux 5.8.3, 5.7.2, 5.0.3 vCenter Infrastructure Navigator 2.x, 5.x Linux 5.8.3, 5.7.1, 2.0.1 vCenter Log Insight 1.x, 2.x Linux 2.0 U1 vCenter Operations Manager 5.x Linux See Section 4 vCenter Orchestrator Appliance 4.x, 5.x Linux 5.5.2.1, 5.1.2, 4.2.3 See Section 4 vCenter Site Recovery Manager 5.x Linux 5.5.1.3, 5.1.2.2, 5.0.x** vCenter Support Assistant 5.x Linux See Section 4 vCloud Application Director 5.x, 6.x Linux See Section 4 vCloud Automation Center 6.x Linux See Section 4 vCloud Automation Center Application Services 6.x Linux See Section 4 vCloud Director Appliance 5.x Linux 5.5.1.3 vCloud Connector 2.x Linux 2.6.1 vCloud Networking and Security 5.x Linux 5.5.3.1, 5.1.4.3 vCloud Usage Meter 3.x Linux 3.3.2 vFabric Postgres 9.x Linux 9.3.5.1, 9.2.9.1, 9.1.14.1 View Planner 3.x Linux 3.0.1.1 VMware Application Dependency Planner x.x Linux Patch Pending VMware Data Recovery 2.x Linux 2.0.4 VMware HealthAnalyzer 5.x Linux Patch Pending VMware Mirage Gateway 5.x Linux 5.1.1 VMware Socialcast On Premise 2.x Linux Patch Pending VMware Studio 2.x Linux Patch Pending VMware Workbench 3.x Linux Patch Pending vSphere App HA 1.x Linux 1.1.1 vSphere Big Data Extensions 2.x Linux See Section 4 vSphere Data Protection 5.x Linux See Section 4 vSphere Management Assistant 5.x Linux 5.5 EP1, 5.0 EP1 vSphere Replication 5.x Linux 5.8.0.1, 5.6.0.2, 5.5.1.3, 5.1.2.2 vSphere Storage Appliance 5.x Linux 5.5.2, 5.1.3 See Section 4 ** This product includes Virtual Appliances that will be updated, the product itself is not a Virtual Appliance. 4. Solution ESX --- Downloads: https://www.vmware.com/patchmgr/findPatch.portal Documentation: http://kb.vmware.com/kb/2090859 http://kb.vmware.com/kb/2090853 vCenter Server Appliance ------------------------ Downloads: https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U2 (scroll down to 5.5 Update 2a Appliance) https://my.vmware.com/web/vmware/details?productId=285&downloadGroup=VCL-VS P510-VC-51U2A (scroll down to 5.1 Update 2b Appliance) https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VC50U3 A (scroll down to 5.0 Update 3b Appliance) Documentation: http://kb.vmware.com/kb/2091085 http://kb.vmware.com/kb/2091018 http://kb.vmware.com/kb/2091017 Horizon DaaS Platform --------------------- Downloads: https://my.vmware.com/web/vmware/details?productId=405&rPId=6527&downloadGr oup=HORIZON-DAAS-610-BIN https://my.vmware.com/web/vmware/details?productId=405&downloadGroup=HORIZO N-DAAS-602 https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM- 540&productId=398 Documentation: http://kb.vmware.com/kb/2091183 Horizon Workspace ----------------- Downloads: (Scroll down to the relevant download) Workspace Portal 2.1.0 -> https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr oup=HZNP210 Workspace Portal 2.0.0 -> https://my.vmware.com/web/vmware/details?productId=419&rPId=6533&downloadGr oup=HZNWS200 Horizon Workspace 1.8.2 -> https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr oup=HZNWS182 Horizon Workspace 1.8.1 -> https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr oup=HZNWS181 Horizon Workspace 1.8.0 -> https://my.vmware.com/web/vmware/details?productId=399&rPId=6083&downloadGr oup=HZNWS180 Horizon Workspace 1.5.2 -> https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr oup=HZNWS152 Horizon Workspace 1.5.1 -> https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr oup=HZNWS151 Horizon Workspace 1.5.0 -> https://my.vmware.com/web/vmware/details?productId=350&rPId=4768&downloadGr oup=HZNWS150 Documentation: http://kb.vmware.com/kb/2091067 IT Business Management Suite ---------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product Id=384&rPId=6384 https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-101&product Id=385&rPId=6333 Documentation: http://kb.vmware.com/kb/2091014 http://kb.vmware.com/kb/2091013 NSX for Multi-Hypervisor ------------------------ Downloads: https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-421 https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-MH-414 Note: For 4.0.5 refer to http://www.vmware.com/products/nsx Documentation: http://kb.vmware.com/kb/2091179 http://kb.vmware.com/kb/2091205 NSX for vSphere --------------- Downloads: https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-611 https://my.vmware.com/group/vmware/get-download?downloadGroup=NSX-V-607 Documentation: http://kb.vmware.com/kb/2091213 http://kb.vmware.com/kb/2091216 NVP --- Downloads and Documentation: http://www.vmware.com/products/nsx vCenter Hyperic Server ---------------------- Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_AGENT https://my.vmware.com/web/vmware/get-download?downloadGroup=VCHQ_583_SERVER https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572_AGENT https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_572 https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_AGENT https://my.vmware.com/web/vmware/get-download?downloadGroup=VFHQ_503_SERVER Documentation: http://kb.vmware.com/kb/2091109 http://kb.vmware.com/kb/2091206 http://kb.vmware.com/kb/2091207 vCenter Infrastructure Navigator -------------------------------- Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_583 https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_571 https://my.vmware.com/web/vmware/get-download?downloadGroup=VIN_201 Documentation: http://kb.vmware.com/kb/2091095 http://kb.vmware.com/kb/2091093 http://kb.vmware.com/kb/2091108 vCenter Log Insight ------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=STRATA20&productId=4 12&rPId=5804 Documentation: http://kb.vmware.com/kb/2091065 vCenter Operations Manager -------------------------- Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-583-STD https://my.vmware.com/web/vmware/get-download?downloadGroup=VCOPS-573-STD Documentation: http://kb.vmware.com/kb/2091083 http://kb.vmware.com/kb/2091002 vCenter Orchestrator Appliance ------------------------------ Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VCL_VCOVA_5521&produ ctId=353&rPId=6655 Documentation: http://kb.vmware.com/kb/2091036 vCenter Site Recovery Manager ----------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=SRM5513&productId=35 7&rPId=6636 https://my.vmware.com/web/vmware/details?downloadGroup=SRM5122&productId=29 1&rPId=6631 Documentation: http://kb.vmware.com/kb/2091038 http://kb.vmware.com/kb/2091039 http://kb.vmware.com/kb/2091037 (5.0.x) vCenter Support Assistant ------------------------- Downloads and Documentation: http://kb.vmware.com/kb/2091112 vCloud Application Director --------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=APPDIR_601_GA&produc tId=383&rPId=6216 https://my.vmware.com/web/vmware/details?downloadGroup=VFAPPDIR_520_GA&prod uctId=345&rPId=3789 Documentation: http://kb.vmware.com/kb/2091129 vCloud Automation Center ------------------------ Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-610&productId=4 47&rPId=6501 https://my.vmware.com/web/vmware/details?downloadGroup=VCAC-6012&productId= 383&rPId=6216 Documentation: http://kb.vmware.com/kb/2091012 vCloud Automation Center Application Services --------------------------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=APPSER_610&productId =447&rPId=6501 Documentation: http://kb.vmware.com/kb/2091129 vCloud Director Appliance ------------------------- Downloads: www.vmware.com/go/try-vcloud-director Documentation: http://kb.vmware.com/kb/2091071 vCloud Connector ---------------- Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=VCC261-GA Documentation: http://kb.vmware.com/kb/2091045 vCloud Networking and Security ------------------------------ Downloads: https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5531 https://my.vmware.com/group/vmware/get-download?downloadGroup=VCNS5143 Documentation: http://kb.vmware.com/kb/2091218 http://kb.vmware.com/kb/2091217 vCloud Usage Meter ------------------ Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=UMSV332 Documentation: http://kb.vmware.com/kb/2091184 vFabric Postgres ---------------- Downloads: https://my.vmware.com/web/vmware/info/slug/application_platform/vmware_vfab ric_postgres/9_3 https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab ric_postgres/9_2 https://my.vmware.com/web/vmware/info?slug=application_platform/vmware_vfab ric_postgres/9_1 Documentation: http://kb.vmware.com/kb/2091055 View Planner ------------ View Planner Benchmark Mode Downloads: https://my.vmware.com/web/vmware/details?productId=320&downloadGroup=VIEW-P LAN-300 Documentation: http://kb.vmware.com/kb/2091281 View Planner Flexible Mode Downloads: Pending Documentation: Pending VMware Data Recovery -------------------- Downloads: https://my.vmware.com/web/vmware/details?productId=229&downloadGroup=VDR204 Documentation: http://kb.vmware.com/kb/2091015 VMware Mirage Gateway --------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=MIRAGE-510&productId =407&rPId=6565 (See VMware Mirage Gateway Software) Documentation: http://kb.vmware.com/kb/2091090 vSphere App HA -------------- Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=APPHA-111 Documentation: http://kb.vmware.com/kb/2091087 vSphere Big Data Extensions --------------------------- Downloads: https://my.vmware.com/group/vmware/details?downloadGroup=BDE_200_GA&product Id=353&rPId=6657 Documentation and Release Notes: http://kb.vmware.com/kb/2091050 https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten sions-20-release-notes.html#resolvedissues https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten sions-11-release-notes.html#resolvedissues https://www.vmware.com/support/bigdataextensions/doc/vsphere-big-data-exten sions-10-release-notes.html#resolvedissues vSphere Data Protection ----------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VDP58_0&productId=35 3&rPId=6654 https://my.vmware.com/web/vmware/details?productId=353&rPId=6654&downloadGr oup=VDP55_6 Documentation: http://kb.vmware.com/kb/2091341 vSphere Management Assistant ---------------------------- Downloads: Download available via online vMA update mechanism Documentation: http://kb.vmware.com/kb/2079150 http://kb.vmware.com/kb/2079151 vSphere Replication ------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VR5801&productId=353 &rPId=6654 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5602 https://my.vmware.com/web/vmware/details?productId=353&rPId=5721&downloadGr oup=VR5513 https://my.vmware.com/web/vmware/details?downloadGroup=VR5122&productId=285 &rPId=6779 Documentation: http://kb.vmware.com/kb/2091019 http://kb.vmware.com/kb/2091031 http://kb.vmware.com/kb/2091033 http://kb.vmware.com/kb/2091035 vSphere Storage Appliance ------------------------- Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VSP55-VSA-552&produc tId=354&rPId=6585 https://my.vmware.com/web/vmware/details?downloadGroup=VSP51-VSA-513&produc tId=297&rPId=3752 Documentation: http://kb.vmware.com/kb/2091000 http://kb.vmware.com/kb/2091086 5. References VMware Knowledge Base Article 2090740 http://kb.vmware.com/kb/2090740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 , http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 - ------------------------------------------------------------------------ 6. Change Log 2014-09-30 VMSA-2014-0010 Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30. 2014-10-01 VMSA-2014-0010.1 Updated advisory in conjunction with the release of ESX 4.x patches, vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway 5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be mitigated. 2014-10-01 VMSA-2014-0010.2 Updated advisory in conjunction with the release of Horizon Workspace patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and 5.1.2.2, vCloud Application Director patches, vCloud Automation Center patches, vCloud Automation Center Application Services patches, vCloud Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and 9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on 2014-10-01. 2014-10-02 VMSA-2014-0010.3 Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3, 5.7.1, and 2.0.1 vCenter Orchestrator Appliance patches, vCenter Support Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant 5.5 EP1 and 5.0 EP1 and vSphere Storage Appliance patches on 2014-10-02. 2014-10-02 VMSA-2014-0010.4 Updated advisory in conjunction with the release of Horizon DaaS Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance 5.5.2.1, vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere Replication 5.6.0.2 on 2014-10-02. 2014-10-03 VMSA-2014-0010.5 Updated advisory in conjunction with the release of vCloud Networking and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03. 2014-10-04 VMSA-2014-0010.6 Updated advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and 6.0.7, NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04. 2014-10-05 VMSA-2014-0010.7 Updated advisory in conjunction with the release of View Planner 3.0.1.1 and vSphere Data Protection 5.x patch on 2014-10-05. ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Policy https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFUMZMpDEcm8Vbi9kMRAs1lAJ9dcgqzDcNVJF68OvDFO2q7+ROmswCfRcvz W7UlWVQXtvPflP6LZFtUz3w= =0jre -----END PGP SIGNATURE-----