- vSphere ESXi/ESX Hypervisor
ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.
ESX 4.0 and 4.1 have a vulnerable version of the Bash shell.
Note: After careful consideration, VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months. We encourage you to upgrade to our most current releases. The VMware Global Services teams are available to assist you in any way.
- Products that run on Windows
Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
- Products that are shipped as a virtual appliance or as an appliance
The (virtual) appliances listed below ship with an affected version of Bash. While VMware has not demonstrated that the Bash vulnerability can be leveraged on these appliances, VMware will take the cautionary measure of re-releasing them.
VMware (Virtual) Appliances
- EVO:RAIL 1.x
- Horizon DaaS Platform 6.x
- Horizon Workspace 1.x, 2.x
- IT Business Management Suite 1.x
- NSX for Multi-Hypervisor 4.x
- NSX for vSphere 6.x
- NVP 3.x
- vCenter Hyperic Server 5.x
- vCenter Infrastructure Navigator 5.x
- vCenter Log Insight 1.0, 2.0
- vCenter Operations Manager 5.x
- vCenter Orchestrator Appliance 4.x, 5.x
- vCenter Server Appliance 5.x
- vCenter Support Assistant 5.x
- vCloud Automation Center 6.x (Note: vCloud Automation Center 5.x is not a virtual appliance)
- vCloud Automation Center Application Services 6.x
- vCloud Director 5.x Appliance
- vCloud Connector 2.x
- vCloud Networking and Security 5.x (aka VMware Shield 5.x)
- vCloud Usage Meter 3.x
- vFabric Application Director 5.x, 6.x
- vFabric Postgres 9.x
- Viewplanner 3.x
- VMware Application Dependency Planner
- VMware Data Recovery 2.x
- VMware HealthAnalyzer 5.x
- VMware Socialcast On Premise
- VMware Studio 2.x
- VMware TAM Data Manager
- VMware Workbench 3.x
- vSphere App HA 1.x
- vSphere Big Data Extensions 1.x, 2.x
- vSphere Data Protection 5.x
- vSphere Management Assistant 5.x
- vSphere Replication 5.x
- vSphere Storage Appliance 5.x
Important: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances.
- Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances)
Products that run on Linux, Android, Mac OS or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. In case the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
Examples of products in this category include VMware Workstation, VMware Fusion, and AirWatch MDM software.
- AirWatch MDM Cloud Services – All vulnerable systems have been identified and critical systems are remediated as patches become available
- Horizon DaaS – Not affected
- IT Business Management – Bash patches applied Sept 26, 2014
- Socialcast – Bash patches applied Sept 26, 2014
- vCloud Air – All vulnerable systems have been identified and critical systems are remediated as patches become available