Shellshock is a widely known vulnerability in the bash shell, affecting Unix, Linux and Cygwin (Windows) environments.
Related NVD entry: CVE-2014-6271.
Later related CVEs are:
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-6277
CVE-2014-6278
Use the following command to test for the vulnerability CVE-2014-6271:
x='() { :;}; echo vulnerable' bash -c "echo done running"
If you see "vulnerable" and "done running", your bash shell is vulnerable to CVE-2014-6271.
If you only see "done running", then your bash is not vulnerable.
Further tests exist for the other CVEs; please see your system administrator for assistance with those tests.
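The test above can be scripted so that each bash binary on a host (for example the system bash and a bundled Cygwin bash) is checked by its path. The following shell script is an added example, not part of the original article or CA's tooling; the function names, return codes and the paths passed on the command line are assumptions, and it covers CVE-2014-6271 only.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, return
# codes and the idea of passing several bash paths are assumptions.

# classify_output TEXT
# Interprets the output of the article's CVE-2014-6271 test command.
# Prints the verdict; returns 1 (vulnerable), 0 (not vulnerable), 2 (unclear).
classify_output() {
    case $1 in
        *vulnerable*"done running"*) echo "vulnerable"; return 1 ;;
        "done running")              echo "not vulnerable"; return 0 ;;
        *)                           echo "error"; return 2 ;;
    esac
}

# check_shellshock BASH_PATH
# Runs the article's test against one specific bash binary.
check_shellshock() {
    if [ ! -x "$1" ] || [ -d "$1" ]; then
        echo "error"
        return 2
    fi
    # env -i starts from an empty environment so that only the test
    # variable x reaches the bash under test.
    out=$(env -i x='() { :;}; echo vulnerable' "$1" -c "echo done running" 2>/dev/null) || true
    classify_output "$out"
}

# Report on every path given on the command line, for example the system
# bash and a bundled Cygwin bash (the paths are supplied by the caller).
for bash_bin in "$@"; do
    verdict=$(check_shellshock "$bash_bin") || true
    printf '%s: %s (CVE-2014-6271 only)\n' "$bash_bin" "$verdict"
done
```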
Solution:
Each operating system has a different solution to update the bash shell.
For Solaris:
Please see the following Document ID from Oracle: 1930090.1
An Oracle Support account is required to obtain these patches from Oracle.
Link: https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=282078587706337&id=1930090.1&_afrWindowMode=0&_adf.ctrl-state=l3k69dgjq_4
For Linux:
See the following Red Hat article for further details on the fixes and testing for all vulnerabilities:
https://access.redhat.com/articles/1200223
This will require a Red Hat subscription.
At the command prompt as a sudo user type: sudo yum update bash
Or as root type: yum update bash
For Windows:
This will require a patch from CA to fix the Cygwin Bash shell that is shipped with all releases of Spectrum including 9.2.x, 9.3.x, and 9.4.x.
The respective patch numbers to obtain are:
09.02.00.PTF_9.2.030
09.03.00.PTF_9.3.007
09.04.00.PTF_9.4.006
The patches can be obtained here:
http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-spectrum-infrastructure-manager-solutions-patches-index.aspx
Click on your respective product version and you will see the above patches listed.
This patch will be available for 9.2, 9.3, and 9.4. Customers on 9.1 should upgrade to a supported release.
There is no minimum hotfix level required. This patch will install on any version for that major release.
If there are any concerns or questions, please contact CA Support.