Update to Shellshock Vulnerability within VMware

New update to the VMware Security Advisory:

There are now patches available for the affected ESX hypervisors (note that ESXi is not affected).

There are also remediation options for a lot of the vApps……

Please ensure you update your environment as soon as you can.

Shellshock Vulnerability

So last week it was reported that a serious vulnerability had been discovered in Bash (Bourne-Again SHell), which is pretty much core to a lot of Linux/Unix OSes – including Apple’s MacOS. The bug, dubbed Shellshock, is supposed to be more serious than the OpenSSL Heartbleed vulnerability that was discovered earlier this year. It allows hackers to remotely take control of any system running Bash!

VMware have now released a KB that explains which hypervisors are affected by Shellshock.


Thankfully only the really old versions of vSphere ESX are affected…..

vSphere ESXi/ESX Hypervisor

  • ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.
  • ESX 4.0 and 4.1 have a vulnerable version of the Bash shell.

Given how serious this vulnerability is, VMware are actually going to roll out a security patch for ESX 4.0 and 4.1 even though they are out of general support.

It is also worth noting that all VMware products currently shipped as a virtual appliance (usually a SLES VM) have the affected version of Bash installed. These virtual appliances will be updated in the near future.

I would recommend that all VMware customers keep an eye out for updates that will address the Shellshock vulnerability!