New VCP5-DCV Delta Exam

Yesterday, I got a message from VMware Education that they are offering an online VCP5-DCV recertification exam for a limited time. For any of you who have a VCP5 that is set to expire in the spring (that is most of you!), this is a terrific way to get recertified!

Here is the information from the VMware education site:

VCP5-DCV-Delta Exam

Download the exam blueprint here. After a quick review of the exam blueprint, it appears that the objectives are approximately the same; however, the VCP550D exam has 65 questions with 75 minutes to complete, while the VCP550 exam has 135 questions and a time limit of 120 minutes.

Here is a link to the Pearson Vue VCP550D exam page:


VMware Education’s Recertification Policy has other avenues for recertification for those of you who are interested in advancing to the Advanced Professional level (VCAP) or may be interested in broadening your certification with additional Professional level (VCP) certifications in Cloud, End User Computing or Network Virtualization.

Note that the offer is only good through November 30, 2014.

Shell Shocker BASH vulnerability links

A 22-year-old flaw in Bash, the most common Linux command shell, that was discovered and incompletely patched earlier this year is reported to pose a very severe threat to systems that include it. If you use a Bash shell in Linux or another derived operating system like Android or Apple OS X (like me and I am sure many of you!), you are probably vulnerable.

According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Am I vulnerable?
Edit for the time being: You are. No complete public fix has been posted yet for the new CVE (CVE-2014-7169). The instructions I give below are only sufficient to close off part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable called x to the value '() { :;}; echo vulnerable'. It then invokes bash, asking it to echo back the word hello. The value of x is a function definition that should do nothing. However, it is crafted so that bash tries to run 'echo vulnerable' when it parses the environment at start-up, which just prints vulnerable to standard out.

If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

If you are vulnerable, then you will see:
vulnerable
hello
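
The check above, wrapped as an added shell example (not from the original post or any vendor) so the same test string can be run against each bash binary on a host and the result classified. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: wraps the page's CVE-2014-6271 check. Names are hypothetical.

# Classify captured output of the check command:
#   vulnerable   - the injected "echo vulnerable" ran during environment import
#   patched      - only the requested "echo hello" ran
#   inconclusive - the requested command never ran (shell failed to start)
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'hello'; then
        echo patched
    else
        echo inconclusive
    fi
}

# Run the page's check against one bash binary ($1) and classify the result.
check_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    # stderr is merged so the "ignoring function definition" warnings are kept
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>&1) || true
    classify_output "$out"
}

# Check every distinct bash found on PATH or listed in /etc/shells.
scan_host() {
    {
        command -v bash
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells; fi
    } 2>/dev/null | sort -u | while read -r shell_path; do
        printf '%s: %s\n' "$shell_path" "$(check_bash "$shell_path")"
    done
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VULNERABLE='vulnerable
hello'
SAMPLE_PATCHED="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
hello"

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

A "patched" result covers only this one test string; as the post notes, CVE-2014-7169 and the later CVEs need the vendors' follow-up patches.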

Here is a link to more information from the Register:
Here is an article from TrendMicro that also describes the vulnerability:

Several of the vendors we have partnerships with are investigating their products to determine their vulnerability and response.

F5 has posted the security advisory:
VMware has posted in their security and compliance blog that they are investigating:
Red Hat has posted a very good description on their security blog:
Another Red Hat post:

Here are links to the advisories and repositories from the US Government:

US Computer Emergency Readiness Team (US-CERT) Advisory:
NIST-National Vulnerability Database:
Mitre Common Vulnerabilities and Exposures (CVE) entries:

Since the patches for Bash started being released last week, three new Bash vulnerabilities have been identified. These are new since I sent out the email last week. If systems were patched on Friday, they are probably vulnerable now unless the new patches have been applied!

US Computer Emergency Readiness Team (US-CERT) Advisory:

Vulnerability Note VU#252743, "GNU Bash shell executes commands in exported functions in environment variables". This is a very good article describing affected systems.

NIST-National Vulnerability Database:

Mitre Common Vulnerabilities and Exposures (CVE) entries: – Another terrific resource for understanding and testing for the 5 vulnerabilities identified so far and instructions on patching a number of operating systems.

Additional articles and advisories from vendors:

Novell/SUSE SLES 11 is affected:

Updated Knowledgebase article listing vulnerabilities in VMware products: KB 2090740 – This list is long, as VMware maintains dozens of Linux-based virtual appliances.

Palo Alto Networks Security Advisory: