-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2014.0114
   Oracle have released updates which correct bash vulnerabilities in
                              numerous products
                               3 October 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-7187 CVE-2014-7186 CVE-2014-7169
                      CVE-2014-6278 CVE-2014-6277 CVE-2014-6271
Member content until: Sunday, November 2 2014
Reference:            ASB-2014.0111 ASB-2014.0110 ESB-2014.1764
                      ESB-2014.1760 ESB-2014.1755 ESB-2014.1749

OVERVIEW

        Oracle has released updates addressing GNU Bash vulnerabilities in
        numerous products. [1]

        Product                                                  Patch
        =======                                                  =====
        Big Data Appliance [Product ID 9734]                     MOS note 1930758.1
        Oracle Audit Vault and Database Firewall [Product ID 9749]
                                                                 MOS note 1931021.1
        Oracle Database Appliance 12.1.2, 2.X [Product ID 9435]  MOS note 8888888.1
        Oracle Database Firewall 5.1 [Product ID 8958]           MOS note 1931004.1
        Oracle Exadata Storage Server Software [Product ID 2546] MOS note 1405320.1
        Oracle Exalogic [Product ID 9415]                        MOS note 1929881.1
        Oracle Exalytics [Product ID 9736]                       MOS note 1930588.1
        Oracle Key Vault [Product ID 10221]                      MOS note 1931880.1
        Oracle Linux 4, 5, 6, 7 [Product ID 1309]                MOS note 1930120.1
        Oracle Solaris Operating System 8, 9, 10, 11 [Product ID 10006]
                                                                 MOS note 1930090.1
        Oracle SuperCluster [Product ID 10011]                   MOS note 1930608.1
        Oracle Virtual Compute Appliance Software [Product ID 10635]
                                                                 MOS note 1930502.1
        Oracle VM 2.2, 3.0, 3.1, 3.2, 3.3 [Product ID 4455]      MOS note 1929782.1

        Oracle also states "Global Product Security has determined that
        the following 49 products are using Bash in at least one version
        of the product and thus are likely subject to CVE-2014-7169 and
        that do not have fixes available". [1]

        Brocade (McData) Fiber Channel Switches and Management Software
            [Product ID 9864]
        Cisco MDS Fiber Channel Switches and Management Software
            [Product ID 9865]
        Linear Tape File System Library Edition (LTFSLE) [Product ID 10259]
        Live Help on Demand [Product ID 9360]
        Oracle CloudNet Gateway [Product ID 11158]
        Oracle Communications Application Orchestrator - Server Perpetual
            (version 74M1) [Product ID 11189]
        Oracle Communications Application Session Controller
            [Product ID 10769]
        Oracle Communications Diameter Intelligence Hub [Product ID 11126]
        Oracle Communications Diameter Signaling Router - Full Address
            Resolution [Product ID 11127]
        Oracle Communications Diameter Signaling Router [Product ID 10899]
        Oracle Communications EAGLE Application Processor [Product ID 11122]
        Oracle Communications EAGLE Collector Application Processor
            [Product ID 11120]
        Oracle Communications EAGLE LNP Application Processor
            [Product ID 11118]
        Oracle Communications Enterprise Trunk Manager [Product ID 10760]
        Oracle Communications Interactive Session Recorder [Product ID 10765]
        Oracle Communications Local Service Management System
            [Product ID 11114]
        Oracle Communications Performance Intelligence Center
            [Product ID 11044]
        Oracle Communications Policy Controller [Product ID 10595]
        Oracle Communications Policy Management [Product ID 10900]
        Oracle Communications Service Broker Engineered System Edition 6.0
            [Product ID 9065]
        Oracle Communications Session Element Manager [Product ID 11052]
        Oracle Communications Session Monitor [Product ID 10761]
        Oracle Communications Session Report Manager [Product ID 10770]
        Oracle Communications Session Route Manager [Product ID 10771]
        Oracle Communications Subscriber Data Management [Product ID 10901]
        Oracle Communications User Data Repository [Product ID 11108]
        Oracle Communications WebRTC Session Controller [Product ID 10811]
        Oracle Fabric Interconnect [Product ID 10529]
        Oracle Fusion Applications Lifecycle Management Tools - Provisioning
            [Product ID 5643]
        Oracle Integrated Lights Out Manager [Product ID 9849]
        Oracle StorageTek Linear Tape File System (LTFS) [Product ID 10564]
        Oracle Sun Data Center InfiniBand Switch 36 (NM2-36P)
            [Product ID 9886]
        Oracle Sun Network QDR InfiniBand Gateway Switch (NM2-GW)
            [Product ID 9885]
        Oracle Switch ES1-24 [Product ID 9889]
        PeopleSoft PeopleTools [Product ID 5085]
        Pillar Axiom 600 Storage System 4, 5 [Product ID 9504]
        Recommendations On-Demand [Product ID 9366]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC
            M10-1/M10-4/M10-4S servers) [Product ID 10656]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC
            M3000/M4000/M5000/M8000/M9000 servers) [Product ID 9845]
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889]
        Sun Network 10GE Switch 72p [Product ID 9889]
        Sun ZFS Storage Appliance Kit (AK) [Product ID 10026]
        Tape General LTFS LE - Linear Tape File System Library Edition
            [Product ID 10084]
        Tape Virtual VLE - Virtual Library Extension [Product ID 10116]
        Tape Virtual VSM - Virtual Tape SubSystem [Product ID 10117]
        Tekelec HLR Router [Product ID 11047]
        Tekelec Platform Distribution [Product ID 11107]
        Tekelec Platform Management & Configuration [Product ID 11106]
        Tekelec Virtual Operating Environment [Product ID 11105]

IMPACT

        Limited impact details have been published by Oracle in their
        Oracle Sun Systems Products Suite and Oracle Linux Risk Matrices. [2]

MITIGATION

        Oracle states "Due to the severity, public disclosure, and reports
        of active exploitation of CVE-2014-7169 and the related
        vulnerabilities, Oracle strongly recommends that customers apply
        the fixes provided by this Security Alert as soon as they are
        released by Oracle." [2]

REFERENCES

        [1] Bash Vulnerabilities - CVE-2014-7169
            http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

        [2] Oracle Security Alert for CVE-2014-7169
            http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================