While blogging last week about how various vendors have responded to the Shellshock vulnerability, I noted that several vendors, notably Oracle and Cisco, were open about products for which they did not yet have a fix. IBM, meanwhile, appears to announce a vulnerability only after it has the fix. In other words, vulnerable customers are left without formal notification that they are exposed, and without any workarounds, until a fix is actually available. I am left slightly annoyed by this policy.
The formal notification for the Storwize family and the IBM SVC family came out here on October 11, 2014. At the time of writing, these are the fix levels:
IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:
More importantly, it contains this critical piece of information:
The following vulnerabilities are only exploitable by users who already have authenticated access to the system.
In other words, until you can upgrade, the best way to manage exposure is to limit the number of users who have CLI access and to use network restrictions (such as ACLs and firewalls) to limit which hosts can reach your devices at all.
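For readers who want to see what "exploitable by authenticated users" means in practice: Shellshock is triggered when an attacker can get a crafted environment variable into a bash process, and on these appliances the only path to such a process is an authenticated CLI session. The widely published detection test for the first Shellshock bug, CVE-2014-6271, is shown below as an added example. It is not part of the original post or of IBM's advisory, it checks whatever bash is on the PATH of the host you run it on (not the Storwize or SVC appliance itself), and it does not cover the follow-up bash CVEs that were disclosed in the days after the first one.

```bash
#!/bin/sh
# Added example, not from the original post or IBM's advisory.
# Classifies the local bash as "vulnerable" or "patched" for CVE-2014-6271,
# or "no-bash" if no bash binary is on PATH.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # The environment variable x holds a bash function definition followed by
    # a trailing command. A vulnerable bash imports the function on startup
    # and keeps parsing, so it executes "echo vulnerable" before it ever runs
    # the -c command. A patched bash ignores the trailer (and prints a warning
    # on stderr, which is discarded here) and only runs "echo test".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

shellshock_status
```

The test is deliberately benign: the injected command only echoes a marker. Run it on a management host or jump box that administrators use to reach the storage CLI; a vulnerable bash there is a separate exposure from the appliance firmware, but one that the same "limit who can authenticate and from where" advice applies to.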
So kudos to IBM for creating fixed versions; I just wish that the acknowledgement and remediation advice could have been published earlier.