This is released with the approval of Product Management
CUSTOMER EXPERIENCE MANAGER: 9.0, 9.1, 9.5, 9.6
Title: Bash Code Injection aka "Shellshock" and CEM TIM and TIMSoft
Standalone CEM TIM (9.6 and higher) and TIMSoft (Other 9.x versions)
The CEM Transaction Impact Monitor (TIM) is a passive network probe that collects business transaction information on HTTP/HTTPS traffic through a network span or tap. The CEM TIM is a C++ based application that runs on specific versions of the Linux operating system and does not use the Bash shell for any of its operational functions; however, prior to version 9.6, the TIM installation script does use the Bash shell.
Industry experts have recently disclosed that most versions of Unix, Linux, OSX and other variants are susceptible to a security issue that allows Bash code injection. This is being referred to in the media as "Shellshock".
CA takes these issues seriously and will be adding this patch to the latest 9.5.x TIMSoft software updates in the future as part of our regular release schedule.
Customers on the "software only" distribution (9.6+) of the TIM should investigate updating their operating systems with the latest security patches from RedHat/CentOS.
For customers on the TIMSoft, a RedHat software appliance, who cannot wait for the update of the distribution, we recommend that you investigate RedHat issue CVE-2014-6271. It contains information on where to obtain the patch and how to install it.
Note: Since at this time we have not certified that the patch does not affect the TIM installer pre 9.6, you should not patch the OS until the TIM software is installed on the TIMSoft image.
Each TIMSoft image may have a different RedHat OS level depending on the exact revision of TIM software versions 9.1 or 9.5. If you need to determine the OS version specifics to download the patch from RedHat, you may use the following command in an SSH or console session:
~# lsb_release -a
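The following script is an added example, not part of the original advisory or of the CEM product. It collects the OS release, the installed bash package and whether that bash still shows the CVE-2014-6271 behaviour, so the right RedHat patch can be chosen. It only reads state and installs nothing; the function names and the marker string are constructed for this example, and the probe is the widely published environment-variable check with a harmless echo.

```shell
#!/bin/sh
# Added example: read-only inventory of a TIM / TIMSoft host before patching.

MARKER="CEM_TIM_6271_CHECK"   # constructed marker string, has no other meaning

# OS release string: lsb_release as in the advisory, else the release files.
os_release() {
    out=$(lsb_release -ds 2>/dev/null) || out=""
    if [ -z "$out" ] && [ -r /etc/redhat-release ]; then
        out=$(cat /etc/redhat-release)
    fi
    if [ -z "$out" ] && [ -r /etc/os-release ]; then
        out=$(. /etc/os-release; echo "$PRETTY_NAME")
    fi
    echo "${out:-unknown}"
}

# Installed bash package (RPM name-version-release), else the binary's banner.
bash_package() {
    pkg=$(rpm -q bash 2>/dev/null) && { echo "$pkg"; return 0; }
    bash --version 2>/dev/null | head -n 1
}

# Map the probe's captured output to a status word.
classify_probe() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Start the given bash (default: first on PATH) with a function-style variable
# whose trailing command only echoes the marker. A fixed bash ignores that tail.
bash_status() {
    bin=${1:-$(command -v bash || true)}
    [ -x "$bin" ] || { echo "not-installed"; return 0; }
    classify_probe "$(env "x=() { :;}; echo $MARKER" "$bin" -c : 2>/dev/null)"
}

echo "OS release    : $(os_release)"
echo "bash package  : $(bash_package)"
echo "CVE-2014-6271 : $(bash_status)"
```

On a TIMSoft image with a pre-9.6 TIM, run it before and after the TIM software is installed and the OS patch applied, in line with the note above.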
An advisory with more information will be released by Product Management.