Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31131
HistoryOct 05, 2014 - 12:00 a.m.

NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities

2014-10-0500:00:00
vulners.com
194

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VMware Security Advisory

Advisory ID: VMSA-2014-0010
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-09-30 (Initial Advisory)
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187


  1. Summary

    VMware product updates address Bash security vulnerabilities.

  2. Relevant Releases (Affected products for which remediation is present)

    vCenter Log Insight 2.0

  3. Problem Description

    a. Bash update for multiple products.

    Bash libraries have been updated in multiple products to resolve
    multiple critical security issues, also referred to as Shellshock.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
    CVE-2014-7186, and CVE-2014-7187 to these issues.

    VMware products have been grouped into the following four
    product categories:

    I) ESXi and ESX Hypervisor
    ESXi is not affected because ESXi uses the Ash shell (through
    busybox), which is not affected by the vulnerability reported
    for the Bash shell.
    ESX has an affected version of the Bash shell. See table 1 for
    remediation for ESX.

    II) Windows-based products
    Windows-based products, including all versions of vCenter Server
    running on Windows, are not affected.

    III) VMware (virtual) appliances
    VMware (virtual) appliances ship with an affected version of Bash.
    See table 2 for remediation for appliances.

    IV) Products that run on Linux, Android, OSX or iOS (excluding
    virtual
    appliances)

    Products that run on Linux, Android, OSX or iOS (excluding
    virtual appliances) might use the Bash shell that is part of the
    operating system. If the operating system has a vulnerable
    version of Bash, the Bash security vulnerability might be
    exploited through the product. VMware recommends that customers
    contact their operating system vendor for a patch.

    MITIGATIONS

    VMware encourages restricting access to appliances through
    firewall rules and other network layer controls to only trusted IP
    addresses. This measure will greatly reduce any risk to these
    appliances.

    RECOMMENDATIONS

    VMware recommends customers evaluate and deploy patches for
    affected products in Table 1 and 2 below as these
    patches become available.

    Column 4 of the following tables lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    Table 1 - ESXi and ESX Hypervisor

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============== ======= ======= =============
    ESXi any ESXi Not affected

    ESX 4.1 ESX Patch pending *

    ESX 4.0 ESX Patch pending *

    • VMware will make VMware ESX 4.0 and 4.1 security patches available
      for the Bash shell vulnerability. This security patch release is an
      exception to the existing VMware lifecycle policy.

    Table 2 - Products that are shipped as a (virtual) appliance.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============== ======= ======= =============

    vCenter Server Appliance 5.x Linux Patch Pending
    Horizon DaaS Platform 6.x Linux Patch Pending
    Horizon Workspace 1.x, 2.x Linux Patch Pending
    IT Business Management Suite 1.x Linux Patch Pending
    NSX for Multi-Hypervisor 4.x Linux Patch Pending
    NSX for vSphere 6.x Linux Patch Pending
    NVP 3.x Linux Patch Pending
    vCenter Converter Standalone 5.x Linux Patch Pending
    vCenter Hyperic Server 5.x Linux Patch Pending
    vCenter Infrastructure Navigator 5.x Linux Patch Pending
    vCenter Log Insight 1.x, 2.x Linux 2.0 U1
    vCenter Operations Manager 5.x Linux Patch Pending
    vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending
    vCenter Site Recovery Manager 5.x Linux Patch Pending
    **
    vCenter Support Assistant 5.x Linux Patch Pending
    vCloud Automation Center 6.x Linux Patch Pending
    vCloud Automation Center
    Application Services 6.x Linux Patch Pending
    vCloud Director Appliance 5.x Linux Patch Pending
    vCloud Connector 2.x Linux Patch Pending
    vCloud Networking and Security 5.x Linux Patch Pending
    vCloud Usage Meter 3.x Linux Patch Pending
    vFabric Application Director 5.x, 6.x Linux Patch Pending
    vFabric Postgres 9.x Linux Patch Pending
    Viewplanner 3.x Linux Patch Pending
    VMware Application Dependency
    Planner x.x Linux Patch Pending
    VMware Data Recovery 2.x Linux Patch Pending
    VMware HealthAnalyzer 5.x Linux Patch Pending
    VMware Mirage Gateway 5.x Linux Patch Pending
    VMware Socialcast On Premise x.x Linux Patch Pending
    VMware Studio 2.x Linux Patch Pending
    VMware TAM Data Manager x.x Linux Patch Pending
    VMware Workbench 3.x Linux Patch Pending
    vSphere App HA 1.x Linux Patch Pending
    vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending
    vSphere Data Protection 5.x Linux Patch Pending
    vSphere Management Assistant 5.x Linux Patch Pending
    vSphere Replication 5.x Linux Patch Pending
    vSphere Storage Appliance 5.x Linux Patch Pending

    ** This product includes Virtual Appliances that will be updated, the
    product
    itself is not a Virtual Appliance.

    1. Solution

    vCenter Log Insight

    Downloads:
    https://www.vmware.com/go/download-vcenter-log-insight
    (click Go to Downloads)
    Documentation:
    http://kb.vmware.com/kb/2091065

  4. References

    VMware Knowledge Base Article 2090740
    http://kb.vmware.com/kb/2090740

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187


  1. Change Log

    2014-09-30 VMSA-2014-0010
    Initial security advisory in conjunction with the release of
    vCenter Log Insight 2.0 U1 on 2014-09-30.


  1. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

    E-mail: security at vmware.com
    PGP key at: http://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    VMware Security Response Policy
    https://www.vmware.com/support/policies/security_response.html

    VMware Lifecycle Policy
    https://www.vmware.com/support/policies/lifecycle.html

    Twitter
    https://twitter.com/VMwareSRC

    Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8

wj8DBQFUK2DqDEcm8Vbi9kMRAg4rAJ9wKbbbxeD3cagCry7GGfR4fVLpDwCeMqYm
SfX/140WMvqvcmkPX2chR9s=
=1KVR
-----END PGP SIGNATURE-----