Shellshock / BASH VMware Patches

I’m sure everyone is aware of yet another vulnerability that was discovered just the other week; this time it is in the BASH shell that ships on almost every Unix system. As this pertains to our VMware environments, there is the good, the bad and the ugly.

The Good:

Ever since VMware went to ESXi for the vSphere platform, they have removed the underlying dependency on a full-blown Unix environment; vSphere hosts now run the Ash shell (BusyBox) for commands, so there is no BASH to patch. This encompasses all versions of ESXi (vSphere). Another good part is that many of these patches are very easy to apply and don’t take a lot of work. I patched a number of test virtual appliances within 20-30 minutes.

Since this issue is Unix-based, VMware products that run on Windows systems are not affected.

The Bad:

Older ESX (non-integrated) environments are susceptible to this vulnerability and need to be patched; VMware has released an update to fix both ESX 4.0 and 4.1 systems. Two KB articles have been released to address these releases: 2090853 for ESX 4.0 and 2090859 for ESX 4.1. Both contain a zip file for download that is roughly 2 MB in size, and both require a reboot to implement. The patch is applied through the ‘esxupdate’ command, pointing it at the downloaded zip bundle, with the following syntax:

  # esxupdate --bundle=<patch-bundle>.zip update

Alternatively, you can use VUM (VMware Update Manager) to deliver the patch to the host if it is managed by vCenter. This is done in the traditional manner.

*I would seriously consider upgrading to ESXi if your hardware supports it to eliminate these types of issues in the future. I love vSphere 4.x as much as the next person, but there are so many advancements in 5.x that are worth the upgrade – especially if you’re paying for SnS on those systems! Check the VMware support matrix for compatibility.

The Ugly:

Nearly all virtual appliances are affected. The VMware Security Advisories page released VMSA-2014-0010.5 to address all known products and patches. Many of the patches are delivered through a .pak format and can be easily uploaded and applied to those VA’s through the web management console.

Virtual appliances like vCloud Automation Center need to be patched in a more traditional manner. I’m picking on this one since it requires a lengthier process due to the nature of how the appliance runs. The process for these types of VA’s is:

  1. Take a snapshot of all VMs associated with the virtual appliance (whether or not they are delivered as a vApp)
  2. Using your favorite SCP program, upload the Zip file to the VA.
  3. Extract the contents to a temp folder on the appliance.
  4. Install the patch through the RPM installer: rpm -Uvh <patch>.rpm
  5. Restart the appliance
  6. Verify that the patch has been installed and that the appliance is functioning correctly.
  7. Remove the snapshot!
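As an added example (not part of the original post or of any VMware tooling), here is a small POSIX shell script that wraps steps 3, 4 and 6 of the procedure above once the zip has been uploaded to the appliance. It assumes an RPM-based appliance with `unzip` and `rpm` on the PATH; the bundle path, the temp directory prefix and the function names are my own. The "verify" part uses the standard Shellshock function-import probe from the public advisories: it sets an environment variable shaped like a BASH function definition with a harmless trailing `echo` and checks whether BASH executes it, which only an unpatched build does.

```shell
#!/bin/sh
# Added example: helper for the appliance patch procedure (steps 3, 4, 6).
# Assumptions: RPM-based VA, unzip and rpm installed, zip already uploaded via SCP.
set -u

# Step 6 helper: Shellshock function-import probe.
# Prints "patched", "vulnerable", or "no-bash" (e.g. BusyBox-only hosts like ESXi).
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # A vulnerable bash runs the trailing "echo vulnerable" while importing the
    # environment; a patched bash just sees an ordinary variable named x.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Steps 3 and 4: extract the uploaded zip to a temp folder and install its RPMs.
# Returns non-zero (and cleans up) if the bundle is missing or any step fails.
install_patch() {
    zip=$1
    [ -f "$zip" ] || { echo "patch bundle not found: $zip" >&2; return 1; }
    tmp=$(mktemp -d /tmp/shellshock-patch.XXXXXX) || return 1
    unzip -q "$zip" -d "$tmp" || { rm -rf "$tmp"; return 1; }
    # Refuse to run rpm against an empty glob.
    set -- "$tmp"/*.rpm
    [ -f "$1" ] || { echo "no .rpm files in $zip" >&2; rm -rf "$tmp"; return 1; }
    rpm -Uvh "$@" || { rm -rf "$tmp"; return 1; }   # the command the post names
    rm -rf "$tmp"
    rpm -q bash   # show which bash build is now installed
}

# Usage on the appliance: sh patch-va.sh /tmp/<bundle>.zip
# (take the snapshot first, restart the appliance afterwards, then remove the snapshot)
if [ $# -ge 1 ]; then
    echo "before: $(shellshock_check)"
    install_patch "$1" && echo "after: $(shellshock_check)"
fi
```

Run the probe once before and once after the `rpm -Uvh` so you have evidence that the patch actually changed the shell's behaviour, not just that an RPM was installed; on a host that reports `no-bash` there is nothing to patch for this issue.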

Some VA’s are really easy: the patch can be applied simply by logging into the Web UI, navigating to the update tab, clicking the “check updates” radio button and then selecting “install”. That was easy!