Company recommends using firewalls and other network controls to limit access to appliances to trusted sources

Oct 2, 2014 13:31 GMT

Updates from computer virtualization software provider VMware have started to be delivered for virtual appliances affected by the security flaw in the Bash command-line tool.

The company has already released out-of-band patches for some of its products, but for a number of solutions, fixes are still pending.

In an updated advisory initially published on Tuesday, 23 products were listed as still vulnerable to Shellshock and awaiting a patch. For other products, though, updates are already available, as is the case with ESX Hypervisor.

ESXi is not affected by the Shellshock flaws because it relies on a different shell tool, Ash, which is not affected by the bug.

VMware notifies its customers that Windows-based products and vCenter Server running on Windows are not impacted by this bug.

However, products running on systems with Bash (Linux, Android, OS X or iOS) could be exploited if the installed version of the shell is a vulnerable one.

Recommendations from the company for mitigating the risks include “restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses.” On the same note, users are advised to deploy any patches available for the affected products.