Operating System:

[WIN][LINUX][HP-UX][Solaris][AIX]

Published:

29 September 2014

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2014.1691 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1691
           IBM HTTP Server and IBM WebSphere Application Server
                      (CVE-2014-6271, CVE-2014-7169)
                             29 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM HTTP Server
                   IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7169 CVE-2014-6271 

Reference:         ASB-2014.0110
                   ESB-2014.1682
                   ESB-2014.1680
                   ESB-2014.1679
                   ESB-2014.1673
                   ESB-2014.1672
                   ESB-2014.1671
                   ESB-2014.1669

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21685433

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM HTTP Server and IBM WebSphere Application Server (CVE-2014-6271, 
CVE-2014-7169)

Document information

More support for:
IBM HTTP Server

Software version:
6.0.2, 6.1, 7.0, 8.0, 8.5, 8.5.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition:
All Editions

Reference #:
1685433

Modified date:
2014-09-26

Flash (Alert)

Abstract

IBM HTTP Server and WebSphere Application Server are not vulnerable to 
CVE-2014-6271 or CVE-2014-7169 Bash vulnerability as shipped out of the box, 
but action is required to ensure no vulnerable scripts have been added to IBM
HTTP Server.

Content

CVE-2014-6271 and CVE-2014-7169 vulnerabilities (also called Shellshock) 
affects Bash that is delivered in Unix platforms. Fixes for Bash will come 
from Unix distribution. IBM HTTP Server (IHS) does not ship bash nor ship any
CGI scripts. IHS does not provide any vulnerable bash-based usage that could 
be tainted with user supplied data, but several modules included with IHS 
could be vulnerable.

If you have scripts that contain a bash dependency either directly or 
indirectly you may be vulnerable to a remote attack if they are configured to
be invoked by the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, 
mod_include or mod_ext_filter.

By default:

mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which is
shipped empty) and can be configured to execute scripts from other directories
via ScriptAlias or "Options" directives including ExecCGI (including "Options
All")

mod_include is loaded but not configured to process any includes (Options 
+Includes, XbitHack ON)

mod_ext_filter is not loaded or configured

mod_fastcgi is not loaded or configured

Use of these modules or directives may be via httpd.conf, an "Include"ed 
configuration file, or in an .htaccess file. You can confirm the list of 
loaded modules by running apachetcl -M (or httpd.exe -M) with any additional 
arguments (such as -f) that you normally use.

Remediation:

IBM highly recommends upgrading your bash from your operating system vendor. 
If you cannot apply the fixes for bash, unload the following IBM HTTP Server 
modules: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter until
you can apply the bash fix or determine that the scripts these modules have 
been configured to execute do not use bash directly or indirectly.

Change History:

25 September 2014: original document published

26 September 2014: added mod_include and mod_ext_filter, clarified some 
vulnerable instances

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVCj2qhLndAQH1ShLAQK8vxAAvTUWISyxJYHQAxWGjEPNNFcm39Ut7N7y
0ng7SJCbiICOpA2Eg8XuKy7U4wVPUWEs0bp3XjS51bQp85NfOUHrVSKZgAeTIVkB
tRqvbFyudVcXZxO+iu5NyFCZqPonoHghAUQRVdqBk5MFHHOuqo/+Q7tXgCY5Owsp
myorrezwNq+RUF4x/4Qm/tZeb8m0usQ91GE/S+2BsDvL1AKw6LaWXfw+JOLNz455
MxvnVgv2nzBbLiFdgRWOGslbao0oae3ahkIK6SOBXHUeCOF6Vtt4dQGbsUeDTR0R
9hVNaFXy9mIyhqjJWEWb8OORX4sq697DzMvTTxgOr8I4jh/wdDDV1boPIEY6LF5W
qUOBCJ8rEbmUqgaQdsP3BmkvpLolTW3KmOyGu3j+r60bi79i/L3ANjehOPJ1Nx8N
v/ytQ8zElMEzBHLwHWZ39BR3hpbMyMU+6CIMOkamtBFRyX0QJPbiiBtvt7fRR7cL
vpleRS1rwdzA0TWaUqIZlT3s+9lm2jtrChoYy4gFKpfCd5UNvMXCY0t6Vke0vyI+
vLDdXrIhmpMee7lh+1s0YNDZQmGh6i6BAvsFtX4Q2Cn4z+33XEDVP7++l+mk8ypB
U1lnwNyvoOCnQSY8dVIoB5FJuPwzC7ekhEgFKgCwUXotfHIpRTUCVkrvuSAeAi5a
KhwEAgAslvQ=
=ub5W
-----END PGP SIGNATURE-----