Today VMware has released the following new security advisory:
This advisory lists the VMware product updates and patches that address the bash security issues CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, also known as Shellshock. It will be updated when new product updates and patches are released in the coming days.
Customers should review the security advisory and direct any questions to VMware Support.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Following the disclosure today of two more bash vulnerabilities (CVE-2014-6277 and CVE-2014-6278, both of which are remediated by our updated products), we wanted to explain VMware’s systemic approach to addressing the bash security vulnerabilities. VMware’s Security Engineers have been closely monitoring and evaluating the various fixes being proposed within the security community. As a result, VMware has adopted the more comprehensive solution suggested by Dr. Christos Zoulas of the NetBSD project last week. This broad fix removes access to the underlying function-importing behavior in bash that exposes the fragile parsing code to external exploitation. We expect this broader fix to be more durable than point fixes, as it will remove the risk from future parser bugs.
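One way to check how a given bash build treats function definitions arriving through the environment, as an added example (not VMware's or the bash project's code). The function name `import_probe_fn` is hypothetical, and the `BASH_FUNC_<name>%%` variable naming is upstream bash's later encoding, which this page does not mention.

```shell
#!/bin/sh
# Added example: report how a bash binary treats function definitions
# passed in through the environment. The probe body is a harmless echo.

PROBE=import_probe_fn   # hypothetical function name, used only by this check

# probe_encoding BASH_PATH ENV_VAR_NAME
# Prints "imported" if bash turns the variable into a callable function,
# "not-imported" otherwise (including when the binary cannot be run).
probe_encoding() {
    out=$(env "$2=() { echo imported; }" "$1" -c "$PROBE" 2>/dev/null) || true
    if [ "$out" = "imported" ]; then
        echo imported
    else
        echo not-imported
    fi
}

# check_bash [BASH_PATH]
# Prints one verdict word: import-any-variable, import-prefixed-only,
# import-disabled, or no-bash when the binary is not found.
check_bash() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # Original encoding: any variable whose value starts with "() {".
    legacy=$(probe_encoding "$bin" "$PROBE")
    # Upstream bash's later encoding (assumption: not mentioned on this page).
    suffixed=$(probe_encoding "$bin" "BASH_FUNC_${PROBE}%%")
    if [ "$legacy" = "imported" ]; then
        echo import-any-variable
    elif [ "$suffixed" = "imported" ]; then
        echo import-prefixed-only
    else
        echo import-disabled
    fi
}

check_bash "$@"
```

A build carrying the kind of fix described above, with function importing removed, is expected to report `import-disabled`; `import-any-variable` means the parser is still reachable from arbitrary environment variables.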