Recently Hector Marco and Ismael Ripoll discovered a vulnerability in the common Linux bootloader GRUB.

It affects GRUB2 specifically; the flaw was introduced into that version in 2009.

However, it doesn't affect the original GRUB.

I was concerned about the Virtual Appliances we were running in one of our environments.

  • VCSA - vCenter Server Appliance 5.5 Update 2e | 16 APR 2015| Build 2646489
  • vRealize Log Insight 3.0 GA Build 3021606
  • VROPS 6.1.0 Build 3038036

Each of these VApps runs on SLES 11 patch 3. Now, whilst the release notes do indicate that GRUB2 is a new package, they don't specify that GRUB2 is now the default bootloader. VMware also refer to their Virtual Appliances as "Security Hardened". So, whether SUSE just didn't make GRUB2 the default in 11.3 or VMware chose to revert back to GRUB, a quick check on any of the appliances will show you the GRUB version:

grub-install.unsupported -v

This command will return the GRUB version, which for (as far as I can tell) all current vSphere 5 or 6 Virtual Appliances is version 0.97, so GRUB, not GRUB2. Panic over. Normal service is resumed.
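As an added example that is not part of the original post, here is a small POSIX shell helper that parses the output of the version check above and classifies the bootloader as legacy GRUB (0.9x) or GRUB2, so the same check can be scripted and compared across several appliances. The sample version strings are constructed, and the `grub-install -v` output format is assumed to look like them.

```shell
#!/bin/sh
# Added example (not from the original post): classify a bootloader version
# string as legacy GRUB (0.9x) or GRUB2 (1.9x/2.x). Sample inputs below are
# constructed; on an appliance the real string comes from
# `grub-install.unsupported -v`.

# Extract the first dotted version number from a line such as
# "grub-install (GNU GRUB 0.97)" or "grub-install (GRUB) 2.02".
grub_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p'
}

# Print "legacy" for GRUB 0.9x, "grub2" for anything 1.x or later
# (GRUB2 shipped as 1.9x before 2.00), "unknown" if no version is found.
grub_flavour() {
    v=$(grub_version "$1")
    [ -n "$v" ] || { echo unknown; return 1; }
    case "$v" in
        0.*) echo legacy ;;
        *)   echo grub2 ;;
    esac
}

# Run the check on the current host: try the SLES legacy wrapper name first,
# then the plain and GRUB2 names, and classify whichever one exists.
check_host_grub() {
    for cmd in grub-install.unsupported grub-install grub2-install; do
        if command -v "$cmd" >/dev/null 2>&1; then
            grub_flavour "$("$cmd" -v 2>&1 | head -n 1)"
            return
        fi
    done
    echo unknown
    return 1
}

# Usage: sh grub-check.sh --check
case "${1:-}" in --check) check_host_grub ;; esac
```

Run it on each appliance and record the result; a "grub2" answer on a box you believed was running 0.97 is the one worth following up.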