Virtualization Technology News and Information
@VMware Quickly Patching Products Exposed to #ShellShock Bash Vulnerabilities
Remember Heartbleed?  It forced vendors to scramble and issue out-of-band patches earlier this year.  Fast forward, and now we're talking Shellshock, a Bash vulnerability that has forced vendors to scramble once again to issue out-of-band patches.

Shellshock is reportedly worse than Heartbleed.  According to FireEye, "it affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages."

FireEye continued, "This bug allows arbitrary remote code execution on a remote webserver, something that is extremely serious. Why? It allows the attacker to leverage the website in further strategic web compromises, such as watering hole attacks, against website visitors. This is precisely how many targeted attacks occur, with an exceptionally high degree of success."

VMware virtualization products are on the list of those affected by Shellshock, and the virtualization giant has been quickly patching the holes found in 38 virtual appliance products as well as in its ESX hypervisor.

According to a VMware security advisory, the company is still developing patches for these virtual appliance products, all of which run on Linux and ship with an affected version of Bash.  Affected appliances include vCenter Server Appliance, Horizon DaaS platform, Horizon Workspace, NSX for vSphere, vCenter Operations Manager, vCenter Site Recovery Manager, vCloud Automation Center and more.

VMware has also released patches for the two ESX hypervisor releases affected by the Bash vulnerability: ESX 4.0 and 4.1.  The company stated that its ESXi hypervisor is not vulnerable and needs no patch, because ESXi does not ship Bash at all; its shell is Ash (provided through BusyBox), which does not import function definitions from environment variables the way the affected Bash versions do.  The company's Windows-based products, including all versions of vCenter Server running on Windows, are also unaffected.

VMware issued the following warning:

"Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch."
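Before contacting the OS vendor, a practitioner usually wants to know whether the Bash on a given host actually has the bug. The check below is an added example written for this page; it is not VMware's code and does not come from the advisory or the article. It uses the widely published probe for the original Shellshock issue (CVE-2014-6271): an affected Bash imports any environment variable whose value begins with `() {` as a shell function and, because of the bug, also executes whatever follows the closing brace. A patched Bash imports nothing from such a variable. The function names (`shellshock_probe`, `classify_probe_output`, `shellshock_check`) and the `VULNERABLE` marker are my own choices, and the script assumes a POSIX sh to run and a `bash` binary to probe.

```shell
#!/bin/sh
# Added example (not VMware's code): local check for the original Shellshock
# pattern, CVE-2014-6271. A vulnerable bash executes the command that trails
# the function body in the imported environment variable; a patched one does not.

# Run the probe against a shell binary (default: bash) and print its stdout.
# "echo VULNERABLE" is the trailing command that only a vulnerable bash runs;
# "echo probe-done" confirms the binary itself ran at all.
shellshock_probe() {
    bin="${1:-bash}"
    env x='() { :;}; echo VULNERABLE' "$bin" -c 'echo probe-done' 2>/dev/null
}

# Classify the probe output. The marker appears only if the trailer executed.
classify_probe_output() {
    case "$1" in
        *VULNERABLE*) echo vulnerable ;;
        *probe-done*) echo patched ;;
        *)            echo unknown ;;   # binary missing or failed to start
    esac
}

# Combined check: prints vulnerable / patched / unknown for the given binary.
shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(shellshock_probe "$bin" || true)
    classify_probe_output "$out"
}

# Usage: fail loudly when the local bash is vulnerable, so this can gate a
# provisioning or deployment step until the bash package is updated.
if [ "$(shellshock_check bash)" = vulnerable ]; then
    echo "local bash is vulnerable to CVE-2014-6271; update the bash package" >&2
    exit 1
fi
echo "local bash: $(shellshock_check bash)"
```

The probe is deliberately harmless (the trailing command only echoes a marker), and a result of `unknown` means the binary could not be run rather than that it is safe. Note the caveat that this only covers the original CVE-2014-6271 trigger; the follow-up parser issue in the first fix (CVE-2014-7169) needs a different test string, so a `patched` result here means the original fix is present, not that every Shellshock-related CVE is closed.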

As a final note, VMware also encourages restricting access to the appliances through firewall rules and other network-layer controls so that only trusted IP addresses can reach them.  This measure, according to the company, greatly reduces the risk to these appliances while the patches are pending.

Published Thursday, October 02, 2014 6:51 AM by David Marshall