
VMware investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7169)

VMware security response is aware of the security vulnerability in bash known as “Shell Shock” disclosed today (CVE-2014-6271, CVE-2014-7169). We are currently investigating the issue.

9/25 Update
We’ve published VMware Knowledge Base article 2090740, which provides the current state of our investigation into the bash issue. The article will be updated when we know more.

9/26 Update
We’ve updated VMware Knowledge Base article 2090740 and added a list of Virtual Appliances that are going to be re-released with a fix for the bash issue.

9/27 Update
We’ve added ESX(i) 4.0 and ESX(i) 4.1 to VMware Knowledge Base article 2090740. In an exception to the existing VMware lifecycle policy, we will release patches for ESX 4.0 and ESX 4.1 which are out of support. ESXi 4.0 and ESXi 4.1 are not affected.

9/30 Update
VMware Knowledge Base article 2090740 now points to VMware Security Advisory VMSA-2014-0010 which lists VMware product updates and patches that address the bash issue.

22 thoughts on “VMware investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7169)”

  1. Pingback: Faille critique bash, mettez à jour vos serveurs !

  2. Pingback: Vulnerability: VMware investigating bash command | Anupam Pushkar

  3. Pingback: Shellshocked? Better Check! Bash Shell RCE Vulnerability Exposed | Virtualization Software

  4. Pingback: Shellshock bug - vulnerability on Bash shell - UnixArena

  5. Jody Leavell

    On my vCenter appliance I tested for the vulnerability and it tested positive. That was from within a normal shell as user root, so I don’t know if the vulnerability is as exposed when attacked from other vectors.

    1. Jesper Houken

      I too can confirm on VMware vCenter Server 5.1.0 1064983 appliance, I can as root user run a test script that displays Bash to be vulnerable.
      # bash --version outputs
      GNU bash, version 3.2.51(1)-release (x86_64-suse-linux-gnu)
      Copyright (C) 2007 Free Software Foundation, Inc.

  6. Pingback: » AD Security

  7. Pingback: » Is Your Heart and Data Bleeding From the Shell Shock? Long White Virtual Clouds

  8. Sean Qu

    How about vMA? Its shell also has this vulnerability; do we have any solution for that?

  9. Abdul Sajid

    We have ESX 3.5 and ESXi 4.1.0 in our environment. Are these versions of ESX vulnerable to Shell Shock? Please confirm. Thanks in advance.

  10. Anand Subramanian

    Are the ESX 3.5 and ESX 4.0 versions vulnerable to the Bash vulnerability?

    1. Kberger

      Anand Subramanian and Abdul Sajid,

      The answer would be yes. This vulnerability is reported to affect every version of Bash since its inception in 1989.

      Patching and upgrading systems should always be a regular and planned operation for reasons such as this.

      1. Huixia Shu

        Just to clarify. ESX 3.5 and ESX 4.x are affected. Is ESXi 4.x affected? If yes, any patch we can apply? Thank you! -Huixia

        1. Duncan

          Yes, Full Console installs of ESX (3.5, 4.0, etc.) are all at risk. ESXi versions are not at risk because they do not have the service console. You can review VMware's KB here http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740 . Personally, I think the best answer here is to upgrade to ESXi v4.x at the minimum.

  11. Ron

    I checked and confirmed vCOps (both VMs) are vulnerable… I forget if I checked Log Insight but I’m guessing it is since most of the boxes are openSUSE that VM puts out for appliances.

  12. James Gatwood

    I would be more interested in the remote aspects through CGI. Has anyone found any of those?

  13. Joe

    Patching won’t do anything if there is a fundamental flaw in the architecture of Bash (exported functions enabled).

    Try this for instance after applying the patch: env ls='() { echo vulnerable; }' bash -c ls

    1. Lazyvm

      > Try this for instance after applying the patch: env ls='() { echo vulnerable; }' bash -c ls

      Joe, I tried your suggestion with upgraded bash on OS X (10.6.8) after rebuilding bash upgraded to include up to patch 54. Here is the result:

      $ env ls='() {echo vulnerable; }' bash -c ls
      -bash: syntax error near unexpected token `('

      so it looks OK to me…

      1. Joe

        If it’s giving you a syntax error that means you are probably protected and likely have nothing to worry about. Apple’s products are rock solid.
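A local self-check for the two CVEs named in the post, added here as an example; it is not VMware's code and not a script posted by any commenter. It runs three probes against the bash binary on the host: the original CVE-2014-6271 trailing-command probe, the CVE-2014-7169 parser probe (which on an unfixed bash leaves a file named "echo" behind, so it runs in a throwaway directory), and a plain-named function import probe that exercises the same thing as the ls= test in the thread above. The BASH_BIN override is an assumption. Two caveats a practitioner will want: the probes must be typed with straight ASCII quotes, since with typographic quotes the calling shell reports a syntax error near `(` before bash ever parses the function definition; and a clean result only says the local bash is fixed, not whether anything on the appliance (a CGI handler, for instance) hands attacker-controlled environment variables to bash.

```shell
#!/bin/sh
# Added example, not VMware's code and not a commenter's script: a local
# self-check for CVE-2014-6271 and CVE-2014-7169 plus the plain-named
# function import behaviour. It only exercises the bash binary on this
# host; it says nothing about which services could expose it.
# BASH_BIN is an assumed override; default is whatever "bash" resolves to.

BASH_BIN="${BASH_BIN:-bash}"

have_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1
}

# CVE-2014-6271: commands placed after the function body in an exported
# variable must not run when the child bash parses its environment.
# Prints "vulnerable", "patched" or "no-bash".
check_cve_2014_6271() {
    have_bash || { echo "no-bash"; return 2; }
    out=$(env x='() { :; }; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left the parser in a state where a trailing
# redirection token leaked into the next command, so "echo marker" became
# ">echo marker" and created a file named "echo". Run it in a temp dir.
check_cve_2014_7169() {
    have_bash || { echo "no-bash"; return 2; }
    tmp=$(mktemp -d) || { echo "error"; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo marker' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo "vulnerable"; return 1
    fi
    rm -rf "$tmp"; echo "patched"; return 0
}

# Function import from an arbitrarily named variable (what the ls= probe in
# the thread exercises). Hardened builds only import functions from
# specially named BASH_FUNC_... variables, so "probe" is never defined and
# the call fails with "command not found" on stderr.
check_plain_function_import() {
    have_bash || { echo "no-bash"; return 2; }
    out=$(env probe='() { echo imported; }' "$BASH_BIN" -c 'probe' 2>/dev/null || true)
    case "$out" in
        *imported*) echo "imports-plain-functions"; return 1 ;;
        *)          echo "hardened";                return 0 ;;
    esac
}

# Usage: BASH_BIN=/bin/bash sh shellshock_check.sh
for c in check_cve_2014_6271 check_cve_2014_7169 check_plain_function_import; do
    printf '%-28s %s\n' "$c:" "$("$c" || true)"
done
```

Each check returns 0 when the behaviour is fixed and 1 when it is present, so the functions can be dropped into a fleet inventory script that records the three results per appliance alongside the bash version string; "imports-plain-functions" with the other two reporting "patched" is the state a host is in after only the first round of patches.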

  14. Abdul Sajid

    Please someone share the information on how to patch ESX 3.5. Thanks

    1. Markus

      ESX 3.5 is not going to be patched. Upgrade to ESXi 5 if you want support. They announced “KB 2090740” and that will patch ESX 4.x as well (even though it's not officially supported any more.)

  15. Sagayaraj

    I am a newbie here… I would appreciate your help.

    has the patch for ESX 4.0 and 4.1 been released?

    If yes, from where can I download it?
