Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1691 IBM HTTP Server and IBM WebSphere Application Server (CVE-2014-6271, CVE-2014-7169) 29 September 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM HTTP Server IBM WebSphere Application Server Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-7169 CVE-2014-6271 Reference: ASB-2014.0110 ESB-2014.1682 ESB-2014.1680 ESB-2014.1679 ESB-2014.1673 ESB-2014.1672 ESB-2014.1671 ESB-2014.1669 Original Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21685433 - --------------------------BEGIN INCLUDED TEXT-------------------- IBM HTTP Server and IBM WebSphere Application Server (CVE-2014-6271, CVE-2014-7169) Document information More support for: IBM HTTP Server Software version: 6.0.2, 6.1, 7.0, 8.0, 8.5, 8.5.5 Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS Software edition: All Editions Reference #: 1685433 Modified date: 2014-09-26 Flash (Alert) Abstract IBM HTTP Server and WebSphere Application Server are not vulnerable to CVE-2014-6271 or CVE-2014-7169 Bash vulnerability as shipped out of the box, but action is required to ensure no vulnerable scripts have been added to IBM HTTP Server. Content CVE-2014-6271 and CVE-2014-7169 vulnerabilities (also called Shellshock) affects Bash that is delivered in Unix platforms. Fixes for Bash will come from Unix distribution. IBM HTTP Server (IHS) does not ship bash nor ship any CGI scripts. IHS does not provide any vulnerable bash-based usage that could be tainted with user supplied data, but several modules included with IHS could be vulnerable. If you have scripts that contain a bash dependency either directly or indirectly you may be vulnerable to a remote attack if they are configured to be invoked by the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, mod_include or mod_ext_filter. By default: mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which is shipped empty) and can be configured to execute scripts from other directories via ScriptAlias or "Options" directives including ExecCGI (including "Options All") mod_include is loaded but not configured to process any includes (Options +Includes, XbitHack ON) mod_ext_filter is not loaded or configured mod_fastcgi is not loaded or configured Use of these modules or directives may be via httpd.conf, an "Include"ed configuration file, or in an .htaccess file. You can confirm the list of loaded modules by running apachetcl -M (or httpd.exe -M) with any additional arguments (such as -f) that you normally use. Remediation: IBM highly recommends upgrading your bash from your operating system vendor. If you cannot apply the fixes for bash, unload the following IBM HTTP Server modules: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter until you can apply the bash fix or determine that the scripts these modules have been configured to execute do not use bash directly or indirectly. Change History: 25 September 2014: original document published 26 September 2014: added mod_include and mod_ext_filter, clarified some vulnerable instances - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVCj2qhLndAQH1ShLAQK8vxAAvTUWISyxJYHQAxWGjEPNNFcm39Ut7N7y 0ng7SJCbiICOpA2Eg8XuKy7U4wVPUWEs0bp3XjS51bQp85NfOUHrVSKZgAeTIVkB tRqvbFyudVcXZxO+iu5NyFCZqPonoHghAUQRVdqBk5MFHHOuqo/+Q7tXgCY5Owsp myorrezwNq+RUF4x/4Qm/tZeb8m0usQ91GE/S+2BsDvL1AKw6LaWXfw+JOLNz455 MxvnVgv2nzBbLiFdgRWOGslbao0oae3ahkIK6SOBXHUeCOF6Vtt4dQGbsUeDTR0R 9hVNaFXy9mIyhqjJWEWb8OORX4sq697DzMvTTxgOr8I4jh/wdDDV1boPIEY6LF5W qUOBCJ8rEbmUqgaQdsP3BmkvpLolTW3KmOyGu3j+r60bi79i/L3ANjehOPJ1Nx8N v/ytQ8zElMEzBHLwHWZ39BR3hpbMyMU+6CIMOkamtBFRyX0QJPbiiBtvt7fRR7cL vpleRS1rwdzA0TWaUqIZlT3s+9lm2jtrChoYy4gFKpfCd5UNvMXCY0t6Vke0vyI+ vLDdXrIhmpMee7lh+1s0YNDZQmGh6i6BAvsFtX4Q2Cn4z+33XEDVP7++l+mk8ypB U1lnwNyvoOCnQSY8dVIoB5FJuPwzC7ekhEgFKgCwUXotfHIpRTUCVkrvuSAeAi5a KhwEAgAslvQ= =ub5W -----END PGP SIGNATURE-----