VMware released Bash code injection Vulnerability Express Patches for vCenter Server Virtual Appliance

VMware has just released Express patches on Bash code injection Vulnerability aka “ShellShock” for most of the VMware products. However, this post is focused on express patches @vCenter Server Virtual Appliance.

Note:Please do read KBs referred below carefully  corresponding to each express patch release which addresses  bash vulnerability. Also note that Bash code injection vulnerability does NOT affect Windows based vCenter server.

Express patch is released on each release lines i.e. 5.0.x, 5.1.x, 5.5.x

If you are running vCenter Server Appliance 5.0.x, vCenter Server Appliance 5.0 U3b addresses Bash vulnerability:
KB:vCenter Server Appliance 5.0 U3b KB

Download from here:vCenter server appliance 5.0 U3b (Scroll down to 5.0 U3b)

If you are running vCenter Server Appliance 5.1.x, vCenter Server Appliance 5.1 U2b addresses Bash vulnerability:
KB:vCenter Server Appliance 5.1 U2b KB

Download from here:vCenter Server Appliance 5.1 u2b (Scroll down to 5.1 U2b)

If you are running vCenter Server Appliance 5.5.x, vCenter Server Appliance 5.5 U2b addresses Bash vulnerability:
KB: vCenter Server Appliance 5.5 U2a KB

Download from here:vCenter Server Appliance 5.5 U2a (Scroll down to 5.5 U2a)

VMware KB on Bash bug assessment :VMware KB on Bash Code Injection Assessment

VMware Security Advisory on Bash bug :VMware Security Advisory (Here you can also get patch details @ other VMware products)

How to quickly reproduce this bug (before applying the patch):

1. Login /SSH to the vCenter server virtual appliance  through Putty.

2. Run this bash script :”env x='() { :;}; echo vulnerable’ bash -c “echo this is test”. It should display output as follows :

Repro

You could see both “vulnerable & “this is test” are displayed as output.

How to quickly verify this bug (after applying the patch):

1.  Login /SSH to the vCenter server virtual appliance  through Putty.

2. Run same bash script :”env x='() { :;}; echo vulnerable’ bash -c “echo this is test”.It should display output as follows :Verification

You could see only “this is test” is displayed as output.  “vulnerable” should not be displayed with patch.

Learn more about Bash code injection:The Bash bug Explained