On September 24, 2014 some new exploits to gain unauthorized access to Unix-based systems that have a bash shell were revealed. Known collectively as Shellshock, they have caused tremendous consternation and activity in the IT industry.
What has proven interesting is the way each major vendor has chosen to respond to this issue. An enormous number of products, whether software, hardware or appliance, are affected. You could almost safely assume that if a product can be accessed with a Unix-like shell, then it is quite likely going to need patching, once the relevant vendor has released a fix.
But how can you know?
The best way to know is clearly for the vendor in question to have released a statement, and this is where things get interesting. Some vendors have taken the attitude that only once they have a fix will they admit they have the vulnerability.
Ideally each vendor should post a list of:
- Products that are not vulnerable
- Products that are vulnerable but a fix is available
- Products that are vulnerable and no fix is available (yet)
- Products that may be vulnerable but testing is still in progress
This IBM website here happily lists unaffected products, but gives no guidance as to affected products. You can see a screen capture below of the start of the unaffected product list.
The DS8000 has a page here detailing available fixes, but its stablemates the Storwize V7000 (and V3700 and V5000 and the SVC) are also almost certainly affected, and yet there is not a peep on the internet from IBM about them. I presume this is because a fix is being written but is not yet available.
Oracle have a great page here which has four sections with titles like:
- 1.0 Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes currently available
- 2.0 Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are yet available
- 3.0 Products That Do Not Include Bash
- 4.0 Products under investigation for use of Bash
Cisco have a great page here with a very similar set of information with sections like:
- Affected Products
- Vulnerable Products
- Products Confirmed Not Vulnerable
EMC have a page here but, as usual, EMC make it hard for us common people by putting it behind an authentication wall.