
Monthly Archives: September 2014

New VMware Security Advisory VMSA-2014-0010 (shellshock)

Today VMware has released the following new security advisory:

VMSA-2014-0010

This advisory lists the VMware product updates and patches that address the bash security issues CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, aka shellshock. It will be updated as new product updates and patches are released in the coming days.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

10/1 Update
Following the disclosure today of two more bash vulnerabilities (CVE-2014-6277 and CVE-2014-6278, both of which are remediated by our updated products), we wanted to explain VMware’s systemic approach to addressing the bash security vulnerabilities. VMware’s Security Engineers have been closely monitoring and evaluating the various fixes being proposed within the security community. As such, VMware has adopted the more comprehensive solution suggested by Dr. Christos Zoulas of the NetBSD project last week. This broad fix removes access to the underlying function importing behavior in bash that exposes the fragile parsing code to external exploitation. We expect this broader fix to be more durable than point fixes as it will remove the risk due to future parser bugs.
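The fix described above removes bash's habit of turning ordinary environment variables into shell functions. The following POSIX sh script is an added example, not VMware code, that probes a bash binary for exactly that behaviour without running any payload: it exports a constructed variable whose value merely looks like a function body and asks the child bash whether a function by that name now exists. It assumes `env` and the bash under test are on PATH.

```shell
#!/bin/sh
# Added example: does this bash import functions from plain environment variables?
# Assumes 'env' and the bash under test are on PATH; no VMware code is involved.

# check_bash_function_import [BASH_PATH]
#   returns 0 if the bash did NOT define a function from a plain env var (fixed),
#           1 if it did (function-import surface still exposed),
#           2 if no usable bash binary was found.
check_bash_function_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Constructed probe: a variable whose value looks like a function body.
    # Nothing follows the closing brace, so nothing executes; we only ask
    # the child bash whether a function named 'probe_fn' was defined.
    if env 'probe_fn=() { :; }' "$bash_bin" -c 'type probe_fn' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report [BASH_PATH]: human-readable summary of the check result
report() {
    rc=0
    check_bash_function_import "$1" || rc=$?
    case $rc in
        0) echo "$1: does not import functions from plain environment variables" ;;
        1) echo "$1: imports functions from plain environment variables (pre-fix behaviour)" ;;
        2) echo "$1: bash binary not found" ;;
    esac
    return 0
}

report "${1:-bash}"
```

Run it as `sh probe.sh /path/to/bash` against each bash binary shipped in an appliance; a return of 1 from check_bash_function_import means the import surface the advisory's fix removes is still present.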

VMware investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7169)

VMware security response is aware of the security vulnerability in bash known as “Shell Shock” disclosed today (CVE-2014-6271, CVE-2014-7169). We are currently investigating the issue.

9/25 Update
We’ve published VMware Knowledge Base article 2090740, which provides the current state of our investigation into the bash issue. The article will be updated when we know more.

9/26 Update
We’ve updated VMware Knowledge Base article 2090740 and added a list of Virtual Appliances that are going to be re-released with a fix for the bash issue.

9/27 Update
We’ve added ESX(i) 4.0 and ESX(i) 4.1 to VMware Knowledge Base article 2090740. In an exception to the existing VMware lifecycle policy, we will release patches for ESX 4.0 and ESX 4.1 which are out of support. ESXi 4.0 and ESXi 4.1 are not affected.

9/30 Update
VMware Knowledge Base article 2090740 now points to VMware Security Advisory VMSA-2014-0010 which lists VMware product updates and patches that address the bash issue.

New VMware Security Advisory VMSA-2014-0009

Today VMware has released the following new security advisory:

VMSA-2014-0009

The advisory documents a critical information disclosure vulnerability, CVE-2014-3796, which has been addressed in VMware NSX 6.x Edge and vCNS 5.x Edge releases this week.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2014-0008 and updated advisories

Today VMware has released the following new and updated security advisories:

New:
  VMSA-2014-0008

Updated:
  VMSA-2014-0007.2
  VMSA-2014-0006.10

The new advisory details updates to third-party libraries that are present in vSphere 5.5 Update 2, which was released today.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.