-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1674
    IBM Security QRadar Products: Installing the fix for CVE-2014-6271
                             26 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6271  

Reference:         ASB-2014.0110
                   ESB-2014.1673
                   ESB-2014.1672
                   ESB-2014.1671
                   ESB-2014.1670
                   ESB-2014.1669
                   ESB-2014.1668
                   ESB-2014.1660
                   ESB-2014.1659
                   ESB-2014.1657

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21685439

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security QRadar Products: Installing the fix for CVE-2014-6271

Flash (Alert)

Document information

More support for:    IBM Security QRadar SIEM, Installation
Software version:    7.0, 7.1, 7.2
Operating system(s): Linux
Reference #:         1685439
Modified date:       2014-09-25

Abstract

A vulnerability exists in Bash as outlined in CVE-2014-6271 for QRadar systems
that could result in remote code execution. These instructions define how to 
install the fix for CVE-2014-6271 in QRadar.

Content

An update has been released for QRadar to resolve CVE-2014-6271. This flash 
notice includes information about the vulnerability and how to install the fix
on your QRadar system.

VULNERABILITY DETAILS:

CVE ID:

CVE-2014-6271

DESCRIPTION: CVE-2014-6271 bash: specially-crafted environment variables can 
be used to inject shell commands.

A flaw in GNU Bash 4.3 on Red Hat Enterprise Linux systems impacts IBM QRadar 
Security Information and Event Management (SIEM) systems. This vulnerability 
in GNU Bash could allow remote commands to be run on the Console or managed 
hosts in the QRadar deployment. The attack does not require local network 
access or authentication. An exploit can compromise the confidentiality of 
information, the integrity of data and the availability of the system.

CVSS:

CVSS Base Score: 10.0

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96153 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS:

IBM QRadar Security Appliances at 7.0.x, 7.1.x, and 7.2.x (all versions).

REMEDIATION:

The vulnerability can be fixed by installing the relevant Fix or FixPack 
released by QRadar development. The script released to remediate this issue 
must be copied to and installed on every QRadar appliance in your deployment.
This includes QRadar Consoles, managed hosts, and HA primary and HA secondary
systems.

FILE DOWNLOAD:

The vulnerability has been fixed in the following script. The 
CVE-2014-6271.sh.gz script includes the necessary files required to update 
QRadar products to resolve CVE-2014-6271.

Link to IBM Fix Central - https://ibm.biz/BdF9Ad (IBM shortened URL)

WORKAROUNDS:

None

MITIGATION:

None

INSTALLATION PROCEDURE FOR STANDARD (NON-HA) APPLIANCES:

Administrators should start by patching the Console appliance, then apply the
patch to managed hosts in their networks. Any systems that are installed as HA
pairs should see the HA instructions provided below. This update requires a 
system reboot.

Procedure

    Download the CVE-2014-6271.sh.gz script from IBM Fix Central. This single
    file contains all of the software required to patch any version of QRadar
    SIEM (7.0.x, 7.1.x, or 7.2.x).

    Using SCP or WinSCP (for Windows systems), copy the script to your QRadar
    appliance.

    To extract the file, type the following command: gunzip 
    CVE-2014-6271.sh.gz

    To set the correct permission on this file, type the following command: 
    chmod +x CVE-2014-6271.sh

    To run the script, type the following command: ./CVE-2014-6271.sh

    The script updates the bash version to address CVE-2014-6271. After the 
    rpm is installed you will be required to reboot your system.

    When the script has completed the update, the following message is 
    displayed: COMPLETE.

    Type reboot and press Enter.

    Repeat this procedure for every QRadar appliance in your network.

INSTALLATION PROCEDURE FOR HIGH-AVAILABILITY (HA) APPLIANCES:

This installation procedure requires the administrator to first patch the 
secondary HA appliance. The secondary appliance must be patched and rebooted 
before the administrator can patch the primary system. The administrator 
must force the primary to fail over to the already patched secondary appliance
to make the HA secondary active. The primary HA appliance can then be patched,
rebooted, and set online.

Procedure

    Download the CVE-2014-6271.sh.gz script from IBM Fix Central. This single
    file contains all of the software required to patch any version of QRadar 
    SIEM (7.0.x, 7.1.x, or 7.2.x).

    Using SCP or WinSCP (for Windows systems), copy the script to the primary
    and secondary HA appliance.

    To extract the file, type the following command: gunzip 
    CVE-2014-6271.sh.gz

    To set the correct permission on this file, type the following command: 
    chmod +x CVE-2014-6271.sh

    On your HA secondary system, type the following command to install the 
    fix: ./CVE-2014-6271.sh
 
    The script updates bash to version bash-4.1.2-15.el6_5.1.x86_64 to address
    CVE-2014-6271. After the rpm is installed you will be required to reboot 
    your system.

    When the script has completed the update, the following message is 
    displayed: COMPLETE.

    Type reboot and press Enter to reboot the secondary HA appliance.

    IMPORTANT: You must wait for the HA secondary to reboot before you set the
    primary system offline.

    Log in to the QRadar Console.

    Click the Admin tab and select System and License Management icon.

    Select the HA primary system.

    From the toolbar, select High Availability > Set System Offline.

    This fails over the primary system, and the secondary will enter the 
    active state.

    From the command-line interface of the HA primary system, type the 
    following command to install the fix: ./CVE-2014-6271.sh.

    The script updates the bash version to address CVE-2014-6271. After the 
    rpm is installed you will be required to reboot your system.

    When the script has completed the update, the following message is 
    displayed: COMPLETE.

    Type reboot and press Enter to reboot the primary HA appliance.

    IMPORTANT: You must wait for the HA primary to reboot before you can set 
    the primary system online.

    Click the Admin tab and select System and License Management icon.

    Select the HA primary system.

    From the toolbar, select High Availability > Set System Online.

    This sets the primary system active and the secondary will enter the 
    standby state.
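As an added example for this bulletin (not IBM's CVE-2014-6271.sh and not part of the original document), the following check can be run on each appliance after either the standard or the HA procedure above to confirm that the installed bash package has reached the level the fix script installs. It assumes a RHEL 6 based appliance with rpm available; the script file name and the --check flag are assumptions.

```shell
#!/bin/sh
# Added example for this bulletin, not part of IBM's CVE-2014-6271.sh: a
# post-patch check that the installed bash package on an appliance is at or
# above the level the fix script installs. Assumes a RHEL 6 based QRadar
# appliance where `rpm -q bash` prints name-version-release.arch, for example
# bash-4.1.2-15.el6_5.1.x86_64 (the fixed package named in the bulletin).

# Version-release of the fixed package (from the bulletin, x86_64).
FIXED_VR="4.1.2-15.el6_5.1"

# Reduce an rpm NVRA string to version-release:
#   bash-4.1.2-14.el6.x86_64 -> 4.1.2-14.el6
bash_vr() {
    vr="${1#bash-}"
    for arch in x86_64 i686 noarch; do
        vr="${vr%.$arch}"
    done
    printf '%s\n' "$vr"
}

# Return 0 if the package string is at or above FIXED_VR, 1 if older.
# Ordering uses GNU sort -V, which is sufficient for RHEL 6 bash releases.
bash_is_fixed() {
    vr=$(bash_vr "$1")
    [ "$vr" = "$FIXED_VR" ] && return 0
    # The lower of the two sorts first; if FIXED_VR is first the installed
    # package is newer than the fix.
    lowest=$(printf '%s\n%s\n' "$vr" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# Query the local appliance and print a verdict; a non-zero exit means the
# appliance still needs ./CVE-2014-6271.sh (and the reboot) applied.
check_local_bash() {
    installed=$(rpm -q bash 2>/dev/null) || { echo "rpm query failed"; return 2; }
    if bash_is_fixed "$installed"; then
        echo "OK: $installed is at or above bash-$FIXED_VR"
    else
        echo "NOT FIXED: $installed is older than bash-$FIXED_VR"
        return 1
    fi
}

# Run the local check only when invoked as: ./check_bash_fix.sh --check
case "${1:-}" in
    --check) check_local_bash ;;
esac
```

Run it on the Console, each managed host, and both HA appliances after their reboot; any "NOT FIXED" result means that appliance was missed or the script did not complete.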

ADDITIONAL INFORMATION:

Administrators who want to examine the script before they run the file on 
their system are free to review this update. However, any examination should 
take place from the Console or a Linux system to prevent file conversion 
issues between Windows systems and Linux that might prevent the script from 
launching as expected.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----