In September 2014, a vulnerability was discovered in the Bash shell, which is used in many Unix-based systems. The vulnerability allows remote code execution through specially crafted environment variables.
If your environment is already running ESXi, you can breathe a little easier as ESXi uses a different shell and is not affected.
However, there are a number of VMware products that are affected:
- Full ESX hypervisor (4.0 or 4.1)
- VMware virtual appliances (such as vSphere Replication, the VMware management assistant or VMA, and many others)
For the full list, check out the VMware Knowledge Base.
The security advisory page for VMSA-2014-0010.13 has the details on the patches. Please note: if you are still running ESX 4.0/4.1, VMware has made a patch available through an exception to the VMware lifecycle policy.
For more information, feel free to reach out to me at firstname.lastname@example.org.
Affiliated, IT Infrastructure Services & Support, Ohio