Shell shocked by binary explanations

On September 24, 2014 a set of new vulnerabilities that allow unauthorized access to Unix-based systems running the bash shell was revealed. Known collectively as Shellshock, they have caused tremendous consternation and activity in the IT industry.

What has proven interesting is the way each major vendor has chosen to respond to this issue. An enormous number of products, whether software, hardware or appliance, are affected. You could almost safely assume that if a product can be accessed with a Unix-like shell, then it is quite likely going to need patching once the relevant vendor has released a fix.

But how can you know?

The best way is clearly if the vendor in question has released a statement, and this is where things get interesting. Some vendors have taken the attitude that only when they have a fix will they admit they have the vulnerability.

Ideally each vendor should post a list of:

  • Products that are not vulnerable
  • Products that are vulnerable but a fix is available
  • Products that are vulnerable and no fix is available (yet)
  • Products that may be vulnerable but testing is still in progress

This IBM website here happily lists unaffected products, but gives no guidance as to affected products. You can see a screen capture below of the start of the unaffected product list.

[Screen capture: start of IBM's unaffected product list]

The DS8000 has a page here detailing available fixes, but its stable mates the Storwize V7000 (and V3700 and V5000 and the SVC) are also almost certainly affected, yet there is not a peep on the internet from IBM about them. I presume this is because a fix is being written but is not yet available.

Oracle have a great page here which has four sections with titles like:

  • 1.0 Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes currently available
  • 2.0 Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are yet available
  • 3.0 Products That Do Not Include Bash
  • 4.0 Products under investigation for use of Bash

Cisco have a great page here with a very similar set of information with sections like:

  • Affected Products
  • Vulnerable Products
  • Products Confirmed Not Vulnerable

EMC have a page here, but as usual EMC make it hard for us common people by putting it behind an authentication wall.

About Anthony Vandewerdt

I am an IT Professional who lives and works in Melbourne Australia. This blog is totally my own work. It does not represent the views of any corporation. Constructive and useful comments are very very welcome.
This entry was posted in advice, Uncategorized. Bookmark the permalink.

One Response to Shell shocked by binary explanations

  1. Pingback: Shellshock and IBM SVC and Storwize products | Aussie Storage Blog
