This is by now a very well-known issue, and a bug that predates Linux and any type of version control. As far as I am aware, this bug has been present at least since 1992, when version control on the code started; I was 10 years old. But what does this mean for my virtual infrastructure?
VMware has released KB 2090740.
Basically, everything that isn't installed on Windows and isn't ESXi is potentially vulnerable.
ESXi uses BusyBox with the ash shell and is not affected… YAY. It's still a common misconception that ESXi is based on Red Hat; this is not true. ESXi is a proprietary OS, and its interface is based on BusyBox.
For those running ESX, the service console is based on Red Hat and IS affected.
VMware will be releasing fixes for all applications including ESX.
I personally think most of these big bugs that come out get executives and IT security people into a frenzy, and they generally overreact by wanting us to patch prod with zero testing right this very second, even though none of our stuff is internet facing… 🙂
If none of your environment is internet facing, this reduces the risk to almost nothing and really isn't an issue. While it is recommended to patch, there is no need to run out today and start patching.