ID

VAR-201409-1155

CVE

CVE-2014-7169

TITLE

GNU Bash shell executes commands in exported functions in environment variables

DESCRIPTION

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. CVE-2014-6271 This vulnerability is due to an insufficient fix for .A third party may be able to have unspecified impact, such as writing to a file, via a crafted environment. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04467807 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04467807 Version: 2 HPSBGN03117 rev.2 - HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell, Remote Code Execution NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-09-30 Last Updated: 2014-11-11 Potential Security Impact: Remote code execution Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell. NOTE: The vCAS product is vulnerable only if DHCP is enabled. References: CVE-2014-6271 CVE-2014-7169 SSRT101724 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. All vCAS versions prior to 14.10-38402 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following updates available to resolve the vulnerability in HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell. Customers should upgrade their vCAS systems using the web UI or the "casupdate" command. There are also new VirtualBox and VMware ESX images available: - VMware ESX/ESXi image: https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402.ova - VirtualBox image: https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402-vbox.ova NOTE: - HP recommends to not power-down or disconnect the vCAS until the update is available. - The vCAS pulls down the latest updates from HP by using Ubuntus apt-get facility. - HP does not push updates out on to the vCAS so customers will have to be proactive and install the latest updates. Actions Required The DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS as detailed in MITIGATION INFORMATION below. Download updates by using a web browser: 1. Connect to the vCAS and login as hp-admin 2. Go to Tools -> Software Updates 3. Under "Manual Actions" select Check now and then upgrade now See HP Remote Device Access vCAS User Guide, Chapter 4, Software Updates for more details: http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/action.pro cess/public/psi/manualsDisplay/?sp4ts.oid=4256914&javax.portlet.action=true&s pf_p.tpst=psiContentDisplay&javax.portlet.begCacheTok=com.vignette.cachetoken &spf_p.prp_psiContentDisplay=wsrp-interactionState%3DdocId%253Demr_na-c033816 86%257CdocLocale%253Den_US&javax.portlet.endCacheTok=com.vignette.cachetoken MITIGATION INFORMATION A Shellshock attack requires the definition of an environment variable introduced into Bash. The vCAS has three attack vectors: SSH, the lighttpd web server, and the DHCP client. - The exploit does not elevate privileges. The DHCP client uses Bash scripts and is vulnerable to Shellshock. The DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS. Note: HP strongly discourages the use of DHCP on the vCAS. The web UI forces the vCAS user to assign a static IP address and change the hp-admin password. A vCAS user must manually configure DHCP for use on the vCAS. A vCAS user can verify that DHCP is disabled by inspecting the file "/etc/network/interfaces" and ensuring that the "iface" line for device "eth0" is set for a static IP. Example of a static IP configuration: # The primary network interface auto eth0 iface eth0 inet static address 172.27.1.68 netmask 255.255.255.0 gateway 172.27.1.1 HISTORY Version:1 (rev.1) - 30 September 2014 Initial release Version:2 (rev.2) - 11 November 2014 Software updates available Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Existing users may upgrade to HP OneView version 1.20 using the Update Appliance feature in HP OneView. Go to the HP Software Depot site at http://www.software.hp.com and search for HP OneView. -----BEGIN PGP SIGNED MESSAGE----- CA20141001-01: Security Notice for Bash Shellshock Vulnerability Issued: October 01, 2014 Updated: October 03, 2014 CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 have been assigned to these vulnerabilities. The CA Technologies Enterprise Information Security team has led a global effort to identify and remediate systems and products discovered with these vulnerabilities. We continue to patch our systems as fixes become available, and we are providing fixes for affected CA Technologies products. CA Technologies continues to aggressively scan our environments (including servers, networks, external facing applications, and SaaS environments) to proactively monitor, identify, and remediate any vulnerability when necessary. Risk Rating High Platform AIX Android (not vulnerable, unless rooted) Apple iOS (not vulnerable unless jailbroken) Linux Mac OS X Solaris Windows (not vulnerable unless Cygwin or similar ported Linux tools with Bash shell are installed) Other UNIX/BSD based systems if Bash is installed Any other OS or JeOS that utilizes Bash Affected Products The following products have been identified as potentially vulnerable, and we have made fixes available for all of these products. CA API Management (Linux appliance only) CA Application Performance Management (TIM is the only affected APM component) CA Application Performance Management Cloud Monitor CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM) CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management Portal) CA User Activity Reporting Module (Enterprise Log Manager) Note: This security notice will be updated if other CA Technologies products are determined to be vulnerable. In most cases, the Bash vulnerabilities will need to be patched by OS vendors. Exceptions may include CA Technologies appliances, and software products that include Linux, UNIX or Mac OS X based operating systems (that include Bash). Affected Components CentOS Cygwin GNU Bash Red Hat Enterprise Linux SUSE Linux Non-Affected Products IMPORTANT NOTE: This listing includes only a small subset of the unaffected CA Technologies products. We're including unaffected products that customers have already inquired about. While the following CA Technologies products are not directly affected by the Bash vulnerabilities, the underlying operating systems that CA Technologies software is installed on may be vulnerable. We strongly encourage our customers to follow the recommendations provided by their vendors for all operating systems they utilize. All CA SaaS / On Demand products were either not vulnerable or have already been patched. CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does not execute CGI scripts, or spawn or execute shell commands from within the app. AHS infrastructure already patched. CA Asset Portfolio Management CA AuthMinder (Arcot WebFort) CA AuthMinder for Business Users CA AuthMinder for Consumers CA AutoSys products - We use the bash shell that comes with the operating system and the customer is responsible for patching their OS. Additionally, the agents themselves do not distribute any scripts that use bash. CA Clarity On Demand CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or use it, but because we are deployed on RHEL, customers may be indirectly affected. Customers using RHEL should apply patches provided by Red Hat. CA Console Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA ControlMinder CA DataMinder (formerly DLP) products – Software and appliance confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH or Web apps are used in these agents. Customers should patch bash shell on any Linux server with DataMinder agents. DataMinder agents should continue to function normally. CA Digital Payments SaaS (previously patched) CA Directory CA eCommerce SaaS / On Demand (previously patched) CA Endevor Software Change Manager CA Federation (formerly SiteMinder Federation) CA GovernanceMinder CA IdentityMinder CA Infrastructure Management CA JCLCheck CA Job Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA NetQoS GigaStor Observer Expert CA Network Flow Analysis CA Performance Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA RiskMinder CA Service Desk Manager CA Service Operations Insight (SOI) CA SiteMinder CA SOLVE:Access CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes from your underlying operating system vendor. CA Strong Authentication CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Top Secret CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Virtual Assurance for Infrastructure Managers (VAIM) Solution CA Technologies has issued the following fixes to address the vulnerabilities. CA API Management: Patches for Linux appliance are available through CA Support to customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0, 7.1, 8.0, 8.1, 8.1.1, 8.1.02). CA Application Performance Management: KB article for APM TIM has been published. APM TIM is the only part of APM that was affected. Refer to TEC618037. CA Application Performance Management Cloud Monitor: New images are available for subscribers. Download the latest OPMS version 8.2.1.5. For assistance, contact CA Support. CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM): Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do not use Bash at all for the CEM operating system that we have shipped in the past. This means that customers who patch the OS will not impact the ability of the CEM TIMsoft from operating. However prior to version 9.6, the TIM installation script does use the bash shell. See new KB article TEC618037 for additional information. CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal): Fixes for all Bash vulnerabilities and a security bulletin are available on the Layer 7 Support website. CA User Activity Reporting Module (Enterprise Log Manager): All 12.5 and 12.6 GA versions are potentially affected. Patches provided on 2014-09-30. To get the patch, use the OS update functionality to get the latest R12.6 SP1 subscription update. Note that you can update R12.5 SPx with the R12.6 SP1 OS update. For assistance, contact CA Support. Workaround None To help mitigate the risk, we do strongly encourage all customers to follow patch management best practices, and in particular for operating systems affected by the Bash Shellshock vulnerabilities. References CVE-2014-6271 - Bash environment variable command injection CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271 CVE-2014-7186 - Bash parser redir_stack memory corruption CVE-2014-7187 - Bash nested flow control constructs off-by-one CVE-2014-6277 - Bash untrusted pointer use uninitialized memory CVE-2014-6278 - Bash environment variable command injection CA20141001-01: Security Notice for Bash Shellshock Vulnerability https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Change History v1.0: 2014-10-01, Initial Release v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM, Clarity OD, All SaaS/OD products to list of Non-Affected Products. v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated UARM solution info. If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com. PGP key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/ EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5 Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ== =B62b -----END PGP SIGNATURE----- . This bulletin will be revised when the updates are available. MITIGATION INFORMATION HP recommends the following steps to reduce the risk of this vulnerability: - The "ssh" or "telnet" features may be disabled by the admin user. All MDS and Nexus 5K switches can function in this configuration. Access is available through the console port. HP StoreEver ESL E-series Tape Library - Disable DHCP and only use static IP addressing. HP Virtual Library System (VLS) - Disable DHCP and only use static IP addressing. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. Open the PXE Configuration Utility on the HP Insight Control server deployment window Select Linux Managed from the Boot Menu options Click the Edit button. Clicking the Edit button displays the Edit Shared Menu Option window Uncheck the x86 option in Operating System and Processor Options and click OK. vulnerability. HP GNV Website: http://h71000.www7.hp.com/opensource/gnv.html Sourceforge: IA64: https://sourceforge.net/projects/gnv/files/GNV%20-%20I64/V3.0-1/ Alpha: https://sourceforge.net/projects/gnv/files/GNV%20-%20Alpha/V3.0-1/ HP Bash Version for OpenVMS Platform Patch Kit Name v1.14-8 Alpha OpenVMS V8.3, V8.4 HP-AXPVMS-GNV-BASH-V0114-08.ZIP v1.14-8 ITANIUM OpenVMS V8.3, V8.3-1H1, V8.4 HP-AXPVMS-GNV-BASH-V0114-08.ZIP HISTORY Version:1 (rev.1) - 12 January 2015 Initial release Support: For further information, contact normal HP Services support channel. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2015 Hewlett-Packard Development Company, L.P. Relevant Releases (Affected products for which remediation is present) vCenter Log Insight 2.0 3. Problem Description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. VMware products have been grouped into the following four product categories: I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor ================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi any ESXi Not affected ESX 4.1 ESX Patch pending * ESX 4.0 ESX Patch pending * * VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. Table 2 - Products that are shipped as a (virtual) appliance. ============================================================= VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server Appliance 5.x Linux Patch Pending Horizon DaaS Platform 6.x Linux Patch Pending Horizon Workspace 1.x, 2.x Linux Patch Pending IT Business Management Suite 1.x Linux Patch Pending NSX for Multi-Hypervisor 4.x Linux Patch Pending NSX for vSphere 6.x Linux Patch Pending NVP 3.x Linux Patch Pending vCenter Converter Standalone 5.x Linux Patch Pending vCenter Hyperic Server 5.x Linux Patch Pending vCenter Infrastructure Navigator 5.x Linux Patch Pending vCenter Log Insight 1.x, 2.x Linux 2.0 U1 vCenter Operations Manager 5.x Linux Patch Pending vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending vCenter Site Recovery Manager 5.x Linux Patch Pending ** vCenter Support Assistant 5.x Linux Patch Pending vCloud Automation Center 6.x Linux Patch Pending vCloud Automation Center Application Services 6.x Linux Patch Pending vCloud Director Appliance 5.x Linux Patch Pending vCloud Connector 2.x Linux Patch Pending vCloud Networking and Security 5.x Linux Patch Pending vCloud Usage Meter 3.x Linux Patch Pending vFabric Application Director 5.x, 6.x Linux Patch Pending vFabric Postgres 9.x Linux Patch Pending Viewplanner 3.x Linux Patch Pending VMware Application Dependency Planner x.x Linux Patch Pending VMware Data Recovery 2.x Linux Patch Pending VMware HealthAnalyzer 5.x Linux Patch Pending VMware Mirage Gateway 5.x Linux Patch Pending VMware Socialcast On Premise x.x Linux Patch Pending VMware Studio 2.x Linux Patch Pending VMware TAM Data Manager x.x Linux Patch Pending VMware Workbench 3.x Linux Patch Pending vSphere App HA 1.x Linux Patch Pending vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending vSphere Data Protection 5.x Linux Patch Pending vSphere Management Assistant 5.x Linux Patch Pending vSphere Replication 5.x Linux Patch Pending vSphere Storage Appliance 5.x Linux Patch Pending ** This product includes Virtual Appliances that will be updated, the product itself is not a Virtual Appliance. Solution vCenter Log Insight ---------------------------- Downloads: https://www.vmware.com/go/download-vcenter-log-insight (click Go to Downloads) Documentation: http://kb.vmware.com/kb/2091065 5. References VMware Knowledge Base Article 2090740 http://kb.vmware.com/kb/2090740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 , http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 - ------------------------------------------------------------------------ 6. Change Log 2014-09-30 VMSA-2014-0010 Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Policy https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. ============================================================================ Ubuntu Security Notice USN-2363-1 September 25, 2014 bash vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Bash allowed bypassing environment restrictions in certain environments. (CVE-2014-7169) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.2 Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.3 Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.2 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: rhev-hypervisor6 security update Advisory ID: RHSA-2014:1354-01 Product: Red Hat Enterprise Virtualization Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html Issue date: 2014-10-02 CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 ===================================================================== 1. Summary: An updated rhev-hypervisor6 package that fixes several security issues is now available. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Relevant releases/architectures: RHEV-M 3.4 - noarch 3. Description: The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. (CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package. Package List: RHEV-M 3.4: Source: rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm noarch: rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-1568.html https://www.redhat.com/security/data/cve/CVE-2014-6271.html https://www.redhat.com/security/data/cve/CVE-2014-7169.html https://www.redhat.com/security/data/cve/CVE-2014-7186.html https://www.redhat.com/security/data/cve/CVE-2014-7187.html https://access.redhat.com/security/updates/classification/#critical 8

AFFECTED PRODUCTS