Much like Heartbleed triggered vendors to issue out of band patches to remedy vulnerabilities that popped up earlier this year, Shellshock, the Bash vulnerability, has forced vendors’ hands in a similar fashion.
Virtualization firm VMware issued a progress report on fixes for four different types of products as they relate to the bug on Monday.
For the most part the company still has its hands full.
According to yesterday’s security advisory, it’s currently in the middle of developing a patch for all but one of 38 different virtual appliance products, all of which run on Linux and are shipped with an affected version of Bash.
That leaves vCenter Log Insight 2.0, a cloud-based analytics platform, as the lone Bash-affected product the company has patched so far. The company posted a download link for the patch file, a .PAK called “Update 1,” yesterday.
VMware is also prepping a patch for ESX Hypervisor, one of the company’s many pieces of software that runs virtual machines that has an affected version of the Bash shell. Patches for both 4.0 and 4.1 are forthcoming. The company did not provide a timeframe for the fix but did claim the patch release would be an exception to its existing VMware lifecycle policy.
A variant of ESX, ESXi — which uses a different kind of shell, Ash, is not vulnerable and neither are any of the company’s Windows-based products.
The company issued a all-encompassing warning about Bash at the end of its advisory, stressing that any unnamed products that may use the Bash shell as part of its operating system could also be vulnerable.
To mitigate vulnerabilities its encouraging users to “restrict access to appliances through firewall rules and other network layer controls to only trusted IP addresses” and deploy patches as they become available.
Once pushed the patches should address the handful of attack vectors – CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 – that attackers have been using to exploit Shellshock.
Shellshock, a critical remote code execution vulnerability in Bash, first surfaced a week ago and over the last several days developers have come to grips with how pervasive it may or may not be throughout their systems.