-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VMware Security Advisory Advisory ID: VMSA-2014-0010 Synopsis: VMware product updates address critical Bash security vulnerabilities Issue date: 2014-09-30 Updated on: 2014-09-30 (Initial Advisory) CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 - ------------------------------------------------------------------------ 1. Summary VMware product updates address Bash security vulnerabilities. 2. Relevant Releases (Affected products for which remediation is present) vCenter Log Insight 2.0 3. Problem Description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 to these issues. VMware products have been grouped into the following four product categories: I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor ================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi any ESXi Not affected ESX 4.1 ESX Patch pending * ESX 4.0 ESX Patch pending * * VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. Table 2 - Products that are shipped as a (virtual) appliance. ============================================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server Appliance 5.x Linux Patch Pending Horizon DaaS Platform 6.x Linux Patch Pending Horizon Workspace 1.x, 2.x Linux Patch Pending IT Business Management Suite 1.x Linux Patch Pending NSX for Multi-Hypervisor 4.x Linux Patch Pending NSX for vSphere 6.x Linux Patch Pending NVP 3.x Linux Patch Pending vCenter Converter Standalone 5.x Linux Patch Pending vCenter Hyperic Server 5.x Linux Patch Pending vCenter Infrastructure Navigator 5.x Linux Patch Pending vCenter Log Insight 1.x, 2.x Linux 2.0 U1 vCenter Operations Manager 5.x Linux Patch Pending vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending vCenter Site Recovery Manager 5.x Linux Patch Pending ** vCenter Support Assistant 5.x Linux Patch Pending vCloud Automation Center 6.x Linux Patch Pending vCloud Automation Center Application Services 6.x Linux Patch Pending vCloud Director Appliance 5.x Linux Patch Pending vCloud Connector 2.x Linux Patch Pending vCloud Networking and Security 5.x Linux Patch Pending vCloud Usage Meter 3.x Linux Patch Pending vFabric Application Director 5.x, 6.x Linux Patch Pending vFabric Postgres 9.x Linux Patch Pending Viewplanner 3.x Linux Patch Pending VMware Application Dependency Planner x.x Linux Patch Pending VMware Data Recovery 2.x Linux Patch Pending VMware HealthAnalyzer 5.x Linux Patch Pending VMware Mirage Gateway 5.x Linux Patch Pending VMware Socialcast On Premise x.x Linux Patch Pending VMware Studio 2.x Linux Patch Pending VMware TAM Data Manager x.x Linux Patch Pending VMware Workbench 3.x Linux Patch Pending vSphere App HA 1.x Linux Patch Pending vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending vSphere Data Protection 5.x Linux Patch Pending vSphere Management Assistant 5.x Linux Patch Pending vSphere Replication 5.x Linux Patch Pending vSphere Storage Appliance 5.x Linux Patch Pending ** This product includes Virtual Appliances that will be updated, the product itself is not a Virtual Appliance. 4. Solution vCenter Log Insight ---------------------------- Downloads: https://www.vmware.com/go/download-vcenter-log-insight (click Go to Downloads) Documentation: http://kb.vmware.com/kb/2091065 5. References VMware Knowledge Base Article 2090740 http://kb.vmware.com/kb/2090740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 , http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 - ------------------------------------------------------------------------ 6. Change Log 2014-09-30 VMSA-2014-0010 Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Policy https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFUK2DqDEcm8Vbi9kMRAg4rAJ9wKbbbxeD3cagCry7GGfR4fVLpDwCeMqYm SfX/140WMvqvcmkPX2chR9s= =1KVR -----END PGP SIGNATURE-----