
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0114
              Oracle have released updates which correct bash
                   vulnerabilities in numerous products
                              3 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-7187 CVE-2014-7186 CVE-2014-7169
                      CVE-2014-6278 CVE-2014-6277 CVE-2014-6271
Member content until: Sunday, 2 November 2014
Reference:            ASB-2014.0111
                      ASB-2014.0110
                      ESB-2014.1764
                      ESB-2014.1760
                      ESB-2014.1755
                      ESB-2014.1749

OVERVIEW

        Oracle has released updates addressing GNU Bash vulnerabilities in 
        numerous products. [1]
        
        Product                                                          Patch
        =======                                                          =====

        Big Data Appliance [Product ID 9734]                             MOS note 1930758.1
        Oracle Audit Vault and Database Firewall [Product ID 9749]       MOS note 1931021.1
        Oracle Database Appliance 12.1.2, 2.X [Product ID 9435]          MOS note 8888888.1
        Oracle Database Firewall 5.1 [Product ID 8958]                   MOS note 1931004.1
        Oracle Exadata Storage Server Software [Product ID 2546]         MOS note 1405320.1
        Oracle Exalogic [Product ID 9415]                                MOS note 1929881.1
        Oracle Exalytics [Product ID 9736]                               MOS note 1930588.1
        Oracle Key Vault [Product ID 10221]                              MOS note 1931880.1
        Oracle Linux 4, 5, 6, 7 [Product ID 1309]                        MOS note 1930120.1
        Oracle Solaris Operating System 8, 9, 10, 11 [Product ID 10006]  MOS note 1930090.1
        Oracle SuperCluster [Product ID 10011]                           MOS note 1930608.1
        Oracle Virtual Compute Appliance Software [Product ID 10635]     MOS note 1930502.1
        Oracle VM 2.2, 3.0, 3.1, 3.2, 3.3 [Product ID 4455]              MOS note 1929782.1
        
        Oracle also states "Global Product Security has determined that the
        following 49 products are using Bash in at least one version of the
        product and thus are likely subject to CVE-2014-7169 and that do not
        have fixes available". [1]
        
        Brocade (McData) Fiber Channel Switches and Management Software [Product ID 9864]
        Cisco MDS Fiber Channel Switches and Management Software [Product ID 9865]
        Linear Tape File System Library Edition (LTFSLE) [Product ID 10259]
        Live Help on Demand [Product ID 9360]
        Oracle CloudNet Gateway [Product ID 11158]
        Oracle Communications Application Orchestrator - Server Perpetual (version 74M1) 
          [Product ID 11189]
        Oracle Communications Application Session Controller [Product ID 10769]
        Oracle Communications Diameter Intelligence Hub [Product ID 11126]
        Oracle Communications Diameter Signaling Router - Full Address Resolution 
          [Product ID 11127]
        Oracle Communications Diameter Signaling Router [Product ID 10899]
        Oracle Communications EAGLE Application Processor [Product ID 11122]
        Oracle Communications EAGLE Collector Application Processor [Product ID 11120]
        Oracle Communications EAGLE LNP Application Processor [Product ID 11118]
        Oracle Communications Enterprise Trunk Manager [Product ID 10760]
        Oracle Communications Interactive Session Recorder [Product ID 10765]
        Oracle Communications Local Service Management System [Product ID 11114]
        Oracle Communications Performance Intelligence center [Product ID 11044]
        Oracle Communications Policy Controller [Product ID 10595]
        Oracle Communications Policy Management [Product ID 10900]
        Oracle Communications Service Broker Engineered System Edition 6.0 
          [Product ID 9065]
        Oracle Communications Session Element Manager [Product ID 11052]
        Oracle Communications Session Monitor [Product ID 10761]
        Oracle Communications Session Report Manager [Product ID 10770]
        Oracle Communications Session Route Manager [Product ID 10771]
        Oracle Communications Subscriber Data Management [Product ID 10901]
        Oracle Communications User Data Repository [Product ID 11108]
        Oracle Communications WebRTC Session Controller [Product ID 10811]
        Oracle Fabric Interconnect [Product ID 10529]
        Oracle Fusion Applications Lifecycle Management Tools - Provisioning 
          [Product ID 5643]
        Oracle Integrated Lights Out Manager [Product ID 9849]
        Oracle StorageTek Linear Tape File System (LTFS) [Product ID 10564]
        Oracle Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886]
        Oracle Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885]
        Oracle Switch ES1-24 [Product ID 9889]
        PeopleSoft PeopleTools [Product ID 5085]
        Pillar Axiom 600 Storage System 4, 5 [Product ID 9504]
        Recommendations On-Demand [Product ID 9366]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC M10-1/M10-4/M10-4S 
          servers) [Product ID 10656]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC M3000/M4000/
          M5000/M8000/M9000 servers) [Product ID 9845]
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889]
        Sun Network 10GE Switch 72p [Product ID 9889]
        Sun ZFS Storage Appliance Kit (AK) [Product ID 10026]
        Tape General LTFS LE - Linear Tape File System Library Edition [Product ID 10084]
        Tape Virtual VLE - Virtual Library Extension [Product ID 10116]
        Tape Virtual VSM - Virtual Tape SubSystem [Product ID 10117]
        Tekelec HLR Router [Product ID 11047]
        Tekelec Platform Distribution [Product ID 11107]
        Tekelec Platform Management & Configuration [Product ID 11106]
        Tekelec Virtual Operating Environment [Product ID 11105]


IMPACT

        Limited impact details have been published by Oracle in their Oracle
        Sun Systems Products Suite and Oracle Linux Risk Matrices. [2]


MITIGATION

        Oracle states "Due to the severity, public disclosure, and reports 
        of active exploitation of CVE-2014-7169 and the related 
        vulnerabilities, Oracle strongly recommends that customers apply the
        fixes provided by this Security Alert as soon as they are released 
        by Oracle." [2]
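
        Added verification example (not part of the Oracle alert or of this
        bulletin): once the MOS patch for a product is applied, the bash
        binary on the host can be exercised with the public probe strings
        for the six CVEs listed above. The script below was written for this
        bulletin; it assumes a POSIX sh and mktemp, and the check_* and
        vulnerable_cves function names are its own. The two code-execution
        bugs (6271, 6278) are detected by the text the probe injects, the
        incomplete-fix bug (7169) by the stray file its probe creates inside
        a private temporary directory, and the three memory-safety bugs
        (7186, 7187, 6277) by an abnormal exit, since a fixed bash accepts
        those inputs and exits 0. It is meant for hosts where a shell is
        reachable; for a closed appliance the vendor MOS note is the only
        indicator.

```shell
#!/bin/sh
# Added example, not Oracle's or AusCERT's code: probe a bash binary with the
# public test strings for CVE-2014-6271, -7169, -7186, -7187, -6277, -6278.
# Every check_* function returns 0 when the binary IS vulnerable, 1 when not.
# Usage:  sh shellshock-check.sh [/path/to/bash]     (default: bash on PATH)

BASH_BIN="${BASH_BIN:-${1:-bash}}"

# CVE-2014-6271: commands after an imported function body run while bash
# parses its environment. A vulnerable binary prints VULN.
check_6271() {
    out6271=$(env x='() { :;}; echo VULN' "$BASH_BIN" -c : 2>/dev/null) || true
    [ "$out6271" = "VULN" ]
}

# CVE-2014-7169: the first fix left parser state behind, so this function
# body turns "echo date" into "date > echo" and creates a file named "echo".
# Run in a private temp dir and look for that file.
check_7169() {
    dir7169=$(mktemp -d) || return 1
    (cd "$dir7169" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$dir7169/echo" ]; then rc7169=0; else rc7169=1; fi
    rm -rf "$dir7169"
    return $rc7169
}

# CVE-2014-6278: a second code-execution path through the parser, found after
# the first two fixes. A vulnerable binary prints VULN.
check_6278() {
    out6278=$(env X='() { _; } >_[$($())] { echo VULN; }' "$BASH_BIN" -c : 2>/dev/null) || true
    [ "$out6278" = "VULN" ]
}

# Memory-safety probes: a fixed bash runs these inputs and exits 0; the
# affected builds fault in the parser, so a non-zero exit marks them.
bash_fails_on() {
    if "$BASH_BIN" -c "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# CVE-2014-7186: off-by-one in redir_stack, 14 here-documents on one line.
check_7186() {
    bash_fails_on 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
}

# CVE-2014-6277: uninitialised memory use in the parser.
check_6277() {
    bash_fails_on 'f() { x() { _;}; x() { _;}<<a; }'
}

# Emit $1 nested "for" loops with empty word lists, then $1 matching "done".
nested_for_loops() {
    n=0
    while [ "$n" -lt "$1" ]; do echo "for x$n in ; do :"; n=$((n + 1)); done
    n=0
    while [ "$n" -lt "$1" ]; do echo "done"; n=$((n + 1)); done
}

# CVE-2014-7187: off-by-one in word_lineno, 200 nested loops fed on stdin.
check_7187() {
    if nested_for_loops 200 | "$BASH_BIN" >/dev/null 2>&1; then return 1; fi
    return 0
}

# Print the ID of every CVE the binary is still exposed to, one per line.
# Empty output means all six probes were rejected. Returns 2 when there is
# no such binary, so a missing bash is not mistaken for six crashes.
vulnerable_cves() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    check_6271 && echo CVE-2014-6271
    check_7169 && echo CVE-2014-7169
    check_7186 && echo CVE-2014-7186
    check_7187 && echo CVE-2014-7187
    check_6277 && echo CVE-2014-6277
    check_6278 && echo CVE-2014-6278
    return 0
}

# Report for interactive use.
if vulns=$(vulnerable_cves); then
    if [ -n "$vulns" ]; then
        printf '%s is VULNERABLE to:\n%s\n' "$BASH_BIN" "$vulns"
    else
        echo "$BASH_BIN rejects all six probes"
    fi
else
    echo "no executable bash found at '$BASH_BIN'" >&2
fi
```

        A clean run shows only that the binary carries the fixes for these
        six CVEs. The environment-based probes are inert on a fixed bash by
        design: it imports functions solely from specially named variables,
        so the plain variables used here are never parsed as code.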


REFERENCES

        [1] Bash Vulnerabilities - CVE-2014-7169
            http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

        [2] Oracle Security Alert for CVE-2014-7169
            http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================