Recently Hector Marco and Ismael Ripoll discovered a vulnerability in the common Linux bootloader GRUB.
It affects GRUB2 specifically and was introduced into that version in 2009.
However, it doesn’t affect the original GRUB.
I was concerned about the Virtual Appliances we were running in one of our environments.
- VCSA - vCenter Server Appliance 5.5 Update 2e | 16 APR 2015 | Build 2646489
- vRealize Log Insight 3.0 GA Build 3021606
- VROPS 6.1.0 Build 3038036
Each of these VApps runs on SLES 11 patch 3. Now, whilst the release notes do indicate that GRUB2 is a new package, they don’t specify that GRUB2 is now the default bootloader. VMware also refer to their Virtual Appliances as “Security Hardened”: https://blogs.vmware.com/vsphere/2013/09/virtual-appliances-getting-more-secure-with-vsphere-5-5-part-1.html So whether SUSE just didn’t make GRUB2 the default in 11.3 or VMware chose to revert to GRUB, a quick check on any of the appliances can show you the GRUB version.
This command will return the GRUB version, which (for all that I can tell) for current vSphere 5 or 6 Virtual Appliances is version 0.97, so GRUB, not GRUB2. Panic over. Normal service is resumed.
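One way to script such a check across several appliances, as an added example that is not the author's command: it asks whichever GRUB tool is installed for its version and classifies the result as legacy GRUB or GRUB2. The function names `classify_grub` and `check_local_grub` are hypothetical, and the sample version strings are constructed rather than captured from an appliance.

```shell
#!/bin/sh
# Added example: tell legacy GRUB (0.9x) apart from GRUB2 (1.9x / 2.x).

# classify_grub "<version output>" -> prints legacy | grub2 | unknown
classify_grub() {
    # Take the first dotted number in the string, e.g. 0.97 or 2.02
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n 1)
    case "$ver" in
        0.*)      echo legacy ;;   # original GRUB, not affected per the post
        1.9*|2.*) echo grub2 ;;    # GRUB2 was numbered 1.9x before 2.00
        *)        echo unknown ;;  # no recognisable version: check by hand
    esac
}

# check_local_grub: query every GRUB tool found in PATH on this host.
check_local_grub() {
    found=0
    for tool in grub grub-install grub2-install; do
        command -v "$tool" >/dev/null 2>&1 || continue
        out=$("$tool" --version 2>/dev/null </dev/null | head -n 1)
        printf '%s: %s -> %s\n' "$tool" "$out" "$(classify_grub "$out")"
        found=1
    done
    [ "$found" -eq 1 ] || echo "no GRUB tools found in PATH"
    return 0
}

# Constructed sample outputs, so the classifier can be seen working offline
for sample in 'grub (GNU GRUB 0.97)' 'grub2-install (GRUB) 2.02~beta2'; do
    printf '%s -> %s\n' "$sample" "$(classify_grub "$sample")"
done

check_local_grub
```

Run it as root on the appliance so that `/usr/sbin` is in `PATH`; an `unknown` result means the version string should be inspected manually.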