VMware KB: External vRealize Orchestrator appliance becomes unavailable after upgrading to VMware vRealize Automation 6.2 in a distributed environment

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2057799

VMware KB: Installing vCenter Single Sign-On 5.5 on a Microsoft Windows platform

VMware KB: Identifying VMware vCenter Single Sign-On server deployment mode

Shell Shocker BASH vulnerability links

A flaw in Bash, the most common Linux command shell, that has existed for 22 years and was discovered and incompletely patched earlier this year is reported to pose a very severe threat to systems that include it. If you use a BASH shell on Linux or another derived operating system such as Android or Apple OS X (like me, and I am sure many of you!), you are probably vulnerable.

According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Am I vulnerable?
Edit for the time being: You are. No complete public fix has been posted yet for the new CVE (CVE-2014-7169). The instructions I give below are only sufficient to close off part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable called x to the value '() { :;}; echo vulnerable'. It then invokes bash, asking it to echo back the word hello. The value of x is a function definition that should do nothing. However, it is crafted so that bash tries to run 'echo vulnerable' while parsing the environment at start-up, which just prints vulnerable to standard out.

If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If you are vulnerable, then you will see:
vulnerable
hello
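As an added example (not part of the original post), the check above wrapped in a function that classifies the local bash by its output, plus a filter that flags web-server access-log lines whose request headers start with the same "() {" function-definition prefix (the mod_cgi vector named in the Mitre description). The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the check above in a
# function that classifies the local bash, and flags access-log lines that
# carry the same "() {" prefix in a request header (the mod_cgi vector).

shellshock_check() {
    # Prints "vulnerable", "patched" or "no-bash"; exit status 1 when vulnerable.
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    # Same probe as above: x holds a do-nothing function body followed by a
    # trailing command. A fixed bash ignores it; an unfixed one runs the trailer.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Constructed sample lines in Apache "combined" log format: one ordinary
# request and one whose User-Agent header starts with a function definition.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 14 "-" "() { :;}; echo vulnerable"'

flag_shellshock_probes() {
    # Reads log lines on stdin and prints only those containing "() {"
    # (optional whitespace), which is how an exported bash function begins.
    grep -E '\(\)[[:space:]]*\{'
}

count_shellshock_probes() {
    # Number of flagged lines in the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_probes | wc -l | tr -d ' '
}
```

To run the filter over a real log, pipe it in: `flag_shellshock_probes < /var/log/apache2/access.log`.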

Here is a link to more information from the Register: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
Here is an article from TrendMicro that also describes the vulnerability: http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/

Several of the vendors we have partnerships with are investigating their products to determine their vulnerability and response.

F5 has posted the security advisory: http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
VMware has posted in their security and compliance blog that they are investigating: http://blogs.vmware.com/security/2014/09/vmware-investigating-bash-command-injection-vulnerability-aka-shell-shock-cve-2014-6271-cve-2014-7169.html
Red Hat has posted a very good description on their security blog: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Another Red Hat post: https://access.redhat.com/articles/1200223

Here are links to the advisories and repositories from the US Government:

US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A
NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Since the patches for Bash started being released last week, three new Bash vulnerabilities have been identified. These are new since I sent out the email last week: if systems were patched on Friday, they are probably vulnerable now unless the new patches have been applied!

US Computer Emergency Readiness Team (US-CERT) Advisory: https://www.us-cert.gov/ncas/alerts/TA14-268A

Vulnerability Note VU#252743 GNU Bash shell executes commands in exported functions in environment variables: http://www.kb.cert.org/vuls/id/252743 – This is a very good article describing affected systems.

NIST-National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

Mitre Common Vulnerabilities and Exposures (CVE) entries: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Shellshocker.net https://shellshocker.net/ – Another terrific resource for understanding and testing for the 5 vulnerabilities identified so far and instructions on patching a number of operating systems.

Additional articles and advisories from vendors:

Novell/SUSE SLES 11 is affected: https://www.novell.com/support/kb/doc.php?id=7015705

Updated Knowledgebase article listing vulnerabilities in VMware products: KB 2090740 – This list is long, as VMware maintains dozens of Linux-based virtual appliances.

Palo Alto Networks Security Advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/24

vExpert 2014!

Earlier this month, I received notification from Corey Romero and the VMware Social Media Team that I have been selected as a vExpert for 2014. I am honored to be included among the 754 vExperts that were announced here.

Congratulations to everyone who was selected, particularly my fellow ENS, Inc. employee Jason Kaplan-Coleman!

I am looking forward to being engaged within the vExpert and wider VMware community and see this as further motivation to take my participation to a higher level.

vSphere 5.5 links added

This week I am attending an online train-the-trainer class for VMware vSphere: What’s New [V4.x to V5.5] and spent some time after class updating my vSphere links page to include links to KB articles, product documentation and technical papers for vSphere 5.5.

Working with Linux based virtual appliances

Recently I have been getting ready for upgrades and deployments of vSphere 5.1/vCloud Suite 5.1 in my lab and at client sites. I have used the ESX Deployment Appliance for several years and have had good luck with it. This time I ran into an issue that caused me to remove and reinstall the virtual NIC on the EDA appliance. I noticed that the ifconfig output looked odd and remembered that I should make sure that /etc/udev/rules.d/70-persistent-net.rules doesn’t have any entries with “old” MAC addresses, particularly for “eth0.”

As I was troubleshooting the “network is unreachable” error, I did a search and found a reference to documentation I used to regularly provide to customers that were deploying Linux VMs from templates…

Remove network configuration
The MAC address of the VM’s virtual NIC is written into the udev persistent rules and needs to be cleaned out, as the cloned VM will have a different MAC address.
/etc/udev/rules.d/70-persistent-net.rules
Remove entries containing “eth0”

It had been a while since I wrote that and I am glad I still had it.

As soon as I cleaned out the old entries and restarted the VM, the networking came to life and I am now back to work!
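As an added example (not from the original post or the EDA project), a script that does the cleanup described in the documentation above: it backs up the rules file, then drops every rule that assigns NAME="eth0" along with the device comment above it. The rules file content is a constructed sample, and the MAC address in it is made up.

```shell
#!/bin/sh
# Added example (not from the original post): removes stale eth0 entries from
# a udev persistent-net rules file, keeping a backup so the change can be undone.

# Constructed sample of /etc/udev/rules.d/70-persistent-net.rules as left in a
# template: header comments plus one rule pinning the template's MAC to eth0.
# The MAC address and the device comment are made up for the example.
SAMPLE_RULES='# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device (constructed sample entry)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:bb:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"'

clean_persistent_net_rules() {
    # $1: rules file. Writes $1.bak first, then drops every rule line that
    # assigns NAME="eth0" together with the device comment directly above it,
    # so the clone's new MAC is registered as eth0 on its next boot.
    rules="$1"
    cp "$rules" "$rules.bak" || return 1
    awk '
        /^#/          { if (held != "") print held; held = $0; next }
        /NAME="eth0"/ { held = ""; next }         # stale entry: drop it and its comment
        { if (held != "") print held; held = ""; print }
        END           { if (held != "") print held }
    ' "$rules.bak" > "$rules"
}

eth0_entries() {
    # Number of rule lines in $1 that still claim the eth0 name.
    grep -c 'NAME="eth0"' "$1" || true
}
```

Try it on a copy first (for example `cp /etc/udev/rules.d/70-persistent-net.rules /tmp/ && clean_persistent_net_rules /tmp/70-persistent-net.rules`) and diff the result against the .bak before touching the real file.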

Time to get this site back into gear!

I have had quite a number of adventures with IT in the last year. In that time, I have taught a number of vSphere 5 courses for VMware Education, designed a couple of View 4.x and 5 environments for public sector clients, and designed and am now in the process of implementing a vCloud Director/vSphere 5 based environment to allow for and support the consolidation of up to 28 separate public sector departments, boards and commissions into a shared, consolidated infrastructure.
I have also recently been promoted to Chief Technical Officer of the consulting firm where I have worked for the past 11 years.
I have quite a large amount of documentation that I have produced and hope to go through those documents and pick out items that I found to be challenging to implement or poorly documented.

vSphere Update 1 released

VMware ESX 4.0, Patch ESX400-Update01
From the release notes:

VMware View 4.0 support – This release adds support for VMware View 4.0, a solution built specifically for delivering desktops as a managed service from the protocol to the platform.

Windows 7 and Windows 2008 R2 support – This release adds support for 32-bit and 64-bit versions of Windows 7 as well as 64-bit Windows 2008 R2 as guest OS platforms. In addition, the vSphere Client is now supported and can be installed on a Windows 7 platform. For a complete list of supported guest operating systems with this release, see the VMware Compatibility Guide.

Enhanced Clustering Support for Microsoft Windows – Microsoft Cluster Server (MSCS) for Windows 2000 and 2003 and Windows Server 2008 Failover Clustering is now supported on a VMware High Availability (HA) and Dynamic Resource Scheduler (DRS) cluster in a limited configuration. HA and DRS functionality can be effectively disabled for individual MSCS virtual machines as opposed to disabling HA and DRS on the entire ESX/ESXi host.

Enhanced VMware Paravirtualized SCSI Support – Support for boot disk devices attached to a Paravirtualized SCSI (PVSCSI) adapter has been added for Windows 2003 and 2008 guest operating systems. Floppy disk images are also available containing the driver for use during the Windows installation by selecting F6 to install additional drivers during setup. Floppy images can be found in the /vmimages/floppies/ folder.

Improved vNetwork Distributed Switch Performance – Several performance and usability issues have been resolved resulting in the following:

Improved performance when making configuration changes to a vNetwork Distributed Switch (vDS) instance when the ESX/ESXi host is under a heavy load
Improved performance when adding or removing an ESX/ESXi host to or from a vDS instance

Increase in vCPU per Core Limit – The limit on vCPUs per core has been increased from 20 to 25. This change raises the supported limit only. It does not include any additional performance optimizations. Raising the limit allows users more flexibility to configure systems based on specific workloads and to get the most advantage from increasingly faster processors. The achievable number of vCPUs per core depends on the workload and specifics of the hardware.

Enablement of Intel Xeon Processor 3400 Series – Support for the Xeon processor 3400 series has been added.

ESX 4.0 Update 1 requires a host reboot and VM shutdown.

Note that several of the upgrade methods that were available with past ESX editions are not available. These include the GUI or text mode upgrade from CD, scripted upgrade from CD or PXE boot and upgrade with a tarball via the service console. Only the vSphere Host Update Utility and VMware Update Manager are supported for performing upgrades from ESX 3.x to ESX 4.0 Update 1.

Cisco Nexus 1000v
VEM-4.0.0-update01-v100

VMware vCenter 4.0 Update 1
From the release notes:

This update release of VMware vCenter Server 4.0 Update 1 offers the following improvements:

IBM DB2 Database Support for vCenter Server — This release adds support for IBM DB2 9.5 as the backend database platform for VMware vCenter Server 4.0. The following editions of IBM DB2 are supported:

  • IBM DB2 Enterprise 9.5
  • IBM DB2 Workgroup 9.5
  • IBM DB2 Express 9.5
  • IBM DB2 Express-C 9.5

VMware View 4.0 support — This release adds support for VMware View 4.0, a solution built specifically for delivering desktops as a managed service from the protocol to the platform.
Windows 7 and Windows 2008 R2 support — This release adds support for 32-bit and 64-bit versions of Windows 7 as well as 64-bit Windows 2008 R2 as guest operating system platforms. In addition, the vSphere Client is now supported and can be installed on a Windows 7 platform.
Pre-Upgrade Checker Tool — A standalone pre-upgrade checker tool is now available as part of the vCenter Server installation media that proactively checks ESX hosts for any potential issues that you might encounter while upgrading vCenter agents on these hosts as part of the vCenter Server upgrade process. You can run this tool independently prior to upgrading an existing vCenter Server instance. The tool can help identify any configuration, networking, disk space or other ESX host-related issues that could prevent ESX hosts from being managed by vCenter Server after a successful vCenter Server upgrade.
HA Cluster Configuration Maximum — HA clusters can now support 160 virtual machines per host in an HA cluster of 8 hosts or fewer. The maximum number of virtual machines per host in cluster sizes of 9 hosts and above is still 40, allowing a maximum of 1280 virtual machines per HA cluster.

vCenter Server 4.0 Update 1 includes updates to VMware Converter Enterprise, VMware Update Manager, VMware Guided Consolidation and VMware Orchestrator.

VMware Data Recovery 1.1

The following enhancements are included in Data Recovery 1.1:

File Level Restore Functionality is Officially Supported
File Level Restore (FLR) provides a way to access individual files within restore points for Windows virtual machines. In previous versions of Data Recovery, FLR was provided as an experimental feature. File Level Restore feature is now officially supported.

Integrity Check Stability and Performance Improved
The integrity check process is faster and more stable. Note that integrity checks are computationally intensive processes and can take significant periods of time. The exact amount of time integrity checks take varies based on of the size of the deduplication store. Even with these enhancements, integrity checks that take several hours are not unexpected.

Integrity Checks Provides Improved Progress Information
When an integrity check is running, a progress indicator is displayed. This progress indicator has been improved, although it does not provide the optimal level of detail.

Enhanced CIFS Shares Support

Patches are available on the downloads page.
One of the locations that VMware lists updates is on the VMware Knowledge Base Blog.