Bash Vulnerability does *not* affect eHealth current revisions

By natma01 posted Sep 30, 2014 03:17 PM

  
Re: Shellshock

 

Late last week, I posted a reply in the CA IM Community with regard to news of a bash vulnerability named "Shellshock." As initially suspected and noted in my post, this bash vulnerability is related to a system's OS platform and did not originate in any CA code. Since the vulnerability is bash related, it is not specific to any one CA product unless that product bundles bash.


While each CA product team will address this vulnerability for their product revisions and affected OSes, this bash vulnerability will primarily be addressed by OS vendors, and the affected OS platforms will need to be patched by the end user or server manager.


With specific regard to CA eHealth:

 

The eHealth development team has tested all current eHealth releases (6.2.x, 6.3.x), including those with the NutCracker kernel (pre-r6.3.0), and has found that CA eHealth is *not* vulnerable to the bash shell bug. Specifically,


  1. The bash vulnerability is not present in any of the current eHealth downloads for Solaris or Red Hat Linux (RHEL).
  2. CA eHealth r.6.2.2 for Windows is not vulnerable since it does not include the affected bash code.
  3. CA eHealth r6.3.2.xx for Windows is not vulnerable since it does not include the affected bash code.


CA eHealth customers running the affected bash shell should patch their servers following the guidance of their OS platform vendor or bash provider. As always, it is critical to remain up to date on all CA product revisions and patches in order to protect against potential security vulnerabilities.

 

###

 

For more info on Shellshock:
Bug 1141597 – CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

 

OS vendors' vulnerability sites:

Red Hat FAQs:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/


Oracle Solaris:

https://community.oracle.com/thread/3612825

 

As a final note, please open a ticket at support.ca.com with your regional product support team if the info above or at the OS vendor sites does not provide all the information you need.


-Margaret
