Friday, September 26, 2014

Security Alert: bash Code Injection Vulnerability

This morning my colleague Iwan brought this bash code breach to my attention.  I am no Linux or Unix guy, but when it comes to security this is not to be played with, especially in industries where security and compliance are highly evaluated.

A security vulnerability known as "Shell Shock" was detected in bash, a shell commonly found on Unix and Linux platforms.  You can refer to CVE-2014-6271 and CVE-2014-7169.

VMware was quick to publish on this discovery as well; you can read the post here and follow up with this KB on which products are impacted.  Check back on the KB to see which VMware products are impacted and how to mitigate.

Note that ESXi is not impacted by this "Shell Shock" vulnerability.

As for other platforms, you would have to check with your respective principal to find out whether it is affected and what the solution is.


Update 29th Sept 2014
As extracted from CSOOnline, CentOS versions 5-7, Ubuntu 10.04, 12.04, and 14.04 (all LTS versions), Debian, Mac OS X, and Red Hat Enterprise Linux 4-7, are all vulnerable.

Update 30th Sept 2014
The affected VMware products are listed in the KB mentioned above.  That VMware customer portals are NOT affected is documented in this KB.  Great news for those still running the out-of-support vSphere 4.x: VMware will also provide an update for ESX 4.x as an exception, even though it is outside VMware's lifecycle policies.

Companies that use Linux for the intelligence/function in their products have also published notes.  To list a few: Nutanix has published their support note with an advisory note, TrendMicro a tech note listing their vulnerabilities, Symantec here, Palo Alto Networks note, Cisco Systems Advisory, Oracle Security Alert, etc.

Update 1st Oct 2014
From the list of products in the VMware Security Advisory VMSA-2014-0010, VMware Log Insight is the first product to get patched.

Update 2nd Oct 2014
Shellshock Security Update:
  • vCenter Operations Manager 5.8.3
  • vCloud Automation Center 6.1
  • vCloud Automation Center 6.0.1.2
  • vCloud Automation Application Services Center 6.1
  • vCloud Application Director 6.0.1
  • vFabric Application Director 5.2
  • IT Business Management Standard 1.1.0 and 1.0.1
  • vCenter Support Assistant 5.5.1.1
  • vCenter Orchestrator 4.2.3
  • vCenter Orchestrator 5.1.2

Update 3rd Oct 2014
Shellshock Security Update:
  • vCenter Orchestrator 5.5.2.1
  • vFabric Hyperic 5.0.3
  • vFabric Hyperic 5.7.2
  • vCenter Hyperic 5.8.3
  • vCenter Infrastructure Navigator 2.0.1
  • vCenter Infrastructure Navigator 5.7.1
  • vCenter Infrastructure Navigator 5.8.3
  • vSphere App HA 1.1.1

Xen Project seems to have a larger vulnerability due to ShellShock.  Companies that use Xen as their hypervisor include Citrix, Oracle and Huawei, from what I remember.  Read up on it in this article.

Update 4th Oct 2014
Shellshock Security Update:

  • vCloud Networking and Security 5.1.4.3 & 5.5.3.1
  • NSX for vSphere 6.0.7 & 6.1.1
  • NSX for Multi-Hypervisor 4.1.4 & 4.2.1

Update 7th Oct 2014
Check back on VMSA-2014-0010 for all the products; as at the time of writing, almost all products have been patched.

Tuesday, September 16, 2014

VMware vForum 2014 Singapore Registration is now Live!

In Asia Pacific, this is what we have been waiting for: the biggest event of all time in Singapore, VMware vForum 2014!

Every year more than 3000 participants, from customers to partners within the Asia Pacific region, gather with our various sponsors at this major event, which brings the announcements from VMworld held in both San Francisco and Barcelona.

This year, without fail, VMware Singapore is hosting its biggest annual event in Singapore at its usual venue, Raffles City Convention Center.

If you are new to VMware, just getting started, or already at a mature level of building your cloud, this is an event not to be missed.  Not only will you get to meet all the professionals in the field and get to know all the solutions available to meet your needs, you will also get to understand what is on the market just for you, in one single day and place!

What's different this year from other years is that it is a 2-day event.  The first day has all the announcements and keynotes, with an overview of all the solutions from VMware and her partners.  The newly added second day caters to technical professionals with all the technical workshops.  On both days, there will also be Hands-on Labs going on!  Check out the agenda here.  Remember to look through the agendas for both days.  Yes, clicking on Day 1 and Day 2 does show the respective day's agenda, if you did not notice it!

If you can only attend one event a year, you must not miss this!  So what are you waiting for?  Register for your attendance here!


Update 17th Sept 2014
Look out for special privileges for VMUG members.  If you are not yet a VMUG member, sign up here now!
