DX NetOps

Expand all | Collapse all

Shellshock Vulnerability – CA Spectrum

  • 1.  Shellshock Vulnerability – CA Spectrum

    Posted 10-08-2014 03:40 PM

    Shellshock vulnerability is a widely known vulnerability within the bash shell for Unix, Linux and Cygwin Windows environments.

    Related NVD - CVE-2014-6271.

     

    Later CVEs also included are:

    CVE-2014-7169

    CVE-2014-7186

    CVE-2014-7187

    CVE-2014-6277

    CVE-2014-6278

     

    Use the following command to test for the vulnerability CVE-2014-6271:

    x='() { :;}; echo vulnerable' bash -c "echo done running"

    If you see "Vulnerable" and "Done running" your bash shell is vulnerable to CVE-2014-6271.

     

    If you only see "Done running" then your bash is not vulnerable.

     

    There is further testing for the other CVEs, please see your system admin for assistance with those tests.

    Solution:

     

    Each operating system has a different solution to update the bash shell.

     

    For Solaris:

    Please see the following Document ID from Oracle:  1930090.1

     

    Oracle Support Account required to obtain these patches from Oracle.

     

    Link:  https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=282078587706337&id=1930090.1&_afrWindowMode=0&_adf.ctrl-state=l3k69dgjq_4

     

    For Linux:

    See article from Redhat here for further details on the fixes and testing for all vulnerabilities.

     

    https://access.redhat.com/articles/1200223

    This will require a Redhat subscription.

     

    At the command prompt as a sudo user type:  sudo yum update bash

    Or as root type: yum update bash

     

     

    For Windows:

    This will require a patch from CA to fix the Cygwin Bash shell that is shipped with all releases of Spectrum including 9.2.x, 9.3.x, and 9.4.x.

     

    The respective patch numbers to obtain are:

    09.02.00.PTF_9.2.030

    09.03.00.PTF_9.3.007

    09.04.00.PTF_9.4.006

     

    The patches can be obtained here:

    http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-spectrum-infrastructure-manager-solutions-patches-index.aspx

     

    Click on your respective product version and you will see the above patches listed.

    This patch will be available for 9.2, 9.3, and 9.4.  9.1 customers should upgrade to a supported release.

     

    There is no minimum hotfix level required.  This patch will install on any version for that major release.

    If there are any concerns or questions, please contact CA Support.



  • 2.  Re: Shellshock Vulnerability – CA Spectrum

    Posted 10-08-2014 04:12 PM

    Hi Matt,

     

    that link brings me to an "Page Not found" and a general overview of CA's products. I tried to find the fix in the "publishes solutions", but there were none listed. Could you post a revised link?

     

    Thanks,

      Hilmar



  • 3.  Re: Shellshock Vulnerability – CA Spectrum

    Broadcom Employee
    Posted 10-08-2014 04:21 PM

    We have someone looking into why the link is not working.  For now, you can log into support.ca.com and navigate to the CA Spectrum product page.  From there under Popular Links is the Spectrum Solutions & Patches Index.  Can you try that?



  • 4.  Re: Shellshock Vulnerability – CA Spectrum

    Posted 10-08-2014 04:34 PM

    No sorry. Just brings me to that very general page too.



  • 5.  Re: Shellshock Vulnerability – CA Spectrum

    Broadcom Employee
    Posted 10-08-2014 04:42 PM

    Ok, we'll continue to look into why the link isn't working.

     

    You can still get to the patches directly by logging into ftp.ca.com as anonymous (your email is your password), then navigate to /pub/CA-SPECTRUM/Updates/GA/Shellshock_Cgywin_patch here you will see a folder for each of the Spectrum releases, in the folders is the executable and Release Note.



  • 6.  Re: Shellshock Vulnerability – CA Spectrum

    Posted 10-08-2014 04:48 PM

    That worked. Many thanks!

     

    Hilmar



  • 7.  Re: Shellshock Vulnerability – CA Spectrum

    Broadcom Employee
    Posted 10-08-2014 06:19 PM

    Wonderful.  The original link has been restored and is now working.