Any speculation around Bash "Shell shock" impact on VMware products?

Similar Messages

• Shell shock - Bash still is not updated

  I purchased my Mac earlier this year (2014.7) and it was originally installed with OS X 10.9
  I have currently formatted my Mac 5 times since I have purchased it due to issues with Bash, Java, Safari, the App store.
  I believe I was victim to Shell shock as my Bash responds to the first vulnerability (First Update dated Sept 26, 2014, Bash version 3.2.53)
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  with a vulnerable output.
  this is a test
  I have downloaded the BashUpdateMavericks.pkg which NIST points to and it comes up with an error. I have tried installing the parch on both Mavericks and Yosemite and neither result in a successful instalment.
  Can anyone give any insight on what I should do to patch up bash?

  Apple's article about the BASH issue is here About OS X bash Update 1.0 - Apple Support
  While this vulnerability is generically described as the shellshock aka. BASH issue, there actually several permutations of it. Some fixes only addressed some of those variations. As you will see Apple's article says they address two listed vulnerabilities but actually (as I read it) includes three different fixes.
  The following article https://shellshocker.net seems to list six variations plus the original issue including the two Apple list.
  On that basis one could argue Apple's fix does not address all the possible variations. However based on Apple's fix the result "this is a test" indicates the patch is correctly installed. Based on the shellshocker test all seven out of seven variations are fixed by Apple if you have the Apple patch installed.
  This is the result I get on Mavericks 10.9.5 with Apple's patch applied.
  CVE-2014-6271 (original shellshock): not vulnerable
  CVE-2014-6277 (segfault): not vulnerable
  CVE-2014-6278 (Florian's patch): not vulnerable
  CVE-2014-7169 (taviso bug): not vulnerable
  CVE-2014-7186 (redir_stack bug): not vulnerable
  CVE-2014-7187 (nested loops off by one): not vulnerable
  CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
  With an unpatched copy of Mavericks I get the first four as vulnerable and the last three as not vulnerable suggesting Apple indeed only had to add three fixes. (The last six issues are variations of the first one.)
  CVE-2014-6271 (original shellshock): VULNERABLE
  bash: line 17: 54477 Segmentation fault: 11  shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
  CVE-2014-6277 (segfault): VULNERABLE
  CVE-2014-6278 (Florian's patch): VULNERABLE
  CVE-2014-7169 (taviso bug): VULNERABLE
  CVE-2014-7186 (redir_stack bug): not vulnerable
  CVE-2014-7187 (nested loops off by one): not vulnerable
  CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

• What do I need to manage shell shock or bash bug on my airport router

  What do I need to do to manage shell shock or bash bug on my airport router?

  I do have shell access to my apple router..
  When I run command to test for bash vulnerability.
  tcgen4# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  env: bash: No such file or directory
  If I just type bash.
  tcgen4# bash
  bash: not found
  So they have not complied bash into the airport routers.
  Apple routers are not running BASH.. you have nothing to worry about.
  (I have only tested  N wireless models)
  It is probably running the standard busybox shell. The env command shows the shell as SHELL=/bin/sh
  I do not have the latest version AC models.. but it is certainly not part of the earlier N wireless model airports. I would not think the change to the AC model will make any difference and it is still based on NetBSD.
  Thanks to John for sane comments.
  Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
  Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.
  My Mac is vulnerable.
  When I run the command..
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test
  The output shows that the Mac is allowing commands via bash.
  In order to access my computer from outside, a person would need passwords or something shared and open.. I have nothing.. and simply being behind a NAT router provides plenty of protection.. in due course when Apple releases the updates.. (I am fully up to date now).. I will apply it. Until then I suspect I will be more likely to die of heart attack than be hacked..

• Any tips on Controlling interactive bash shell on Cygwin via Java process?

  Ideally, I'd like to be able to control an interactive bash shell on Cygwin from a Java process. But for starters, I want to do 'ls > /cygdrive/c/fred.txt'. The little program to do this, below, doesn't work. It simply runs without error.
  Any ideas? And also, any tips on doing a fully interactive shell?
  --> Java program to test simple command:
  package com.treelogic_swe.real_estate_explorer.utils;
  import java.io.File;
  import java.io.InputStream;
  * Quick and dirty test of Java to Cygwin bash shell process control.
  * Thanks to [email protected]
  * re: http://groups.google.com/group/comp.lang.java.help/browse_thread/thread/914403fbdd1de127/40363d2e7cbae823?lnk=st&q=cygwin+shell+java+process+runtime&rnum=1&hl=en#40363d2e7cbae823
  public class RunSystemCommand {   
      public static void main(String args[]) throws Throwable {
       // System command to run
       String cmd = "ls > /cygdrive/c/fred.txt";
          String [] sysArgs = { };
       // Set the working directory for the OS command processor
       File workDir = new File( "c:/cygwin/bin" );
       Process bash = Runtime.getRuntime().exec( cmd, sysArgs, workDir );
       InputStream bashIn = bash.getInputStream();
       while( bashIn.read() != -1 ); // Added, as otherwise the ls hangs.
       bash.waitFor();
  }

  Ideally, I'd like to be able to control an
  interactive bash shell on Cygwin
  What do you mean by this? Do you just want to start a bash shell, and have it's input and output come from and go to your Java program?
  Please be specific about what you want, as there are a couple of interpretations for what you said. You need to understand the differences and relationships among terminals, shells, shell builtins, and executables.
  You'll want to read this:
  http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html
  from a Java
  process. But for starters, I want to do 'ls >
  /cygdrive/c/fred.txt'. The little program to do
  this, below, doesn't work. It simply runs without
  error.
  , <, |, and others are specific to the shell. When you're in a terminal, and you type ls > /tmp/zzz, it's the bash shell that interprets the >. Cygwin doesn't know anything about it. ls doesn't know anything about it.So if you want to to that, the command you'd execute from Java is not ls, but bash (or some other shell). You'd then tell bash to execute the rest. I'm not sure what the command line arg is for bash to tell it the rest of the command line args are a command that bash should interpret and execute. I think it might be -c like it is for zsh. So you'd need to do something like Runtie.getRuntime().exec("bash -c 'ls > /tmp/zzz'");

• Is this product have shell shock (CVE-2014-6271) vulnerability

  There is world wide shell shock (CVE-2014-6271) vulnerability. Is there any impact on Firefox versions ?If yes, what are the versions effected this ? And what are the plans to deliver fixes for this vulnerabilities from Firefox ?

  Correct, in response to the escalation tag, I confirmed with the security team that this has nothing to do with Firefox.
  It was warned that the bash shellshock was more of a worry. However there [cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568] and [https://www.mozilla.org/security/announce/2014/mfsa2014-73.html]

• Shell shock patch

  Hi there when will the shell shock patch be available please? Also what are the precoutions I can take right now to guarantee nothing will happen to my computer please? I have mavericks

  If you are running a web server or are one of what Apple calls its "advanced UNIX users" apply the recent patch by downloading it from the GNU project archive.
  If you don't know what that is, how to obtain it, or how to apply it to your server, then you are not affected and there is nothing you need to do.
  Apple announced they are "working to quickly provide a software update for our advanced UNIX users."
  There are plenty of bad things that could happen to a system due to existing vulnerabilities, known or unknown. There is no reason for any more concern today than there has ever been. Bash has been included with OS X for years, perhaps since its inception, and the particular flaw that was just discovered may have existed for years prior to that.
  Similar vulnerabilities may also be discovered and exploited, now or in the future. The resulting effects, if there are any, cannot be accurately predicted.
  Until then:
  Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
  Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.

• Shell Shock Vulnerability

  sh and bash are vulnerable in Solaris 8 & 9
  Are there patches available??

  sh on any Solaris version is NOT bash. So sh is not vulnerable.
  bash might be vulnerable but normally Solaris would execute /bin/sh when performing system(),exec*(),popen() etc.
  So IMHO chance of exploiting shell shock on a normal Solaris system is slim unless the admin has installed software that explicitely calls bash.
  Paul
  PS I am not saying it cannot be vulnerable just that chance are much lower than on most linux distros.

• IO Analyzer and Shell Shock

  Do you have any assessment of, or remediation for, the vulnerability of this appliance to the various Shell Shock CVEs?

  Since I/O Analyzer doesn't rely on CGI and our scripts never use environment variables to invoke a script running with a higher privilege, ShellShock has only minimal impact to I/O Analyzer. Having said that, we will patch our base OS and release a patched version by end of this month for best security practice.
  Thanks,
  Chien-Chia

• How to invoke BASH shell and execute a command in that shell in Windows 98

  Hello, I have a problem and if somebody will help me, I will be very glad. Thank you.
  I am using BASH shell on Windows 98 OS by means of CYGWIN. And I want to invoke this BASH shell and execute a preprogrammed command in the shell (./scan fileName.txt) from a JAVA program. But so far, I am not sucessful. I can not read or write anything from / to BASH shell. It either blocks and freezes (When I use waitFor( ) ) or appears and disappears without executing scan command (When I do not use waitFor( ) ). My code is like this:
  // This method is used for compiling a file.
  // It invokes BASH shell and executes "./scan fileName.txt" command
  public void compileFileMethod () {
  try {
  Process proc = ( Runtime.getRuntime() ).exec ("C:\\MyDocuments\\CYGWIN.BAT); //I also tried to add -c ./scan fileName.txt after .BAT );
  // I also tried to write "C:\\MyDocuments\\BASH.EXE" but it did not help
  OutputStream ostr = proc.getOutputStream();
  BufferedWriter bw = new BufferedWriter ( new OutputStreamWriter (ostr) );
  InputStream istr = proc.getInputStream();
  BufferedReader br = new BufferedReader ( new InputStreamReader (istr) );
  InputStream errorStr = proc.getErrorStream();
  BufferedReader errorBr = new BufferedReader ( new InputStreamReader (errorStr) );
  bw.write("scan case40.10.txt"); /* I am trying to input the scan command to the shell,but it is not working*/
  bw.flush();
  Vector list = new Vector (1) ;
  String str;
  while ( (str = br.readLine() ) != null) {
  list.addElement(str);
  } // End of while
  Enumeration enumForList = list.elements();
  while ( enumForList.hasMoreElements() ) {
  String tempString;
  tempString = ( String ) enumForList.nextElement();
  System.out.println(tempString); // I am trying to read the outputs of the scan command but it is not reading (I can not see any output)
  I tried with and without waitFor( ), it did not work
  // wait for command to terminate
  proc.waitFor();
  // close streams
  br.close();
  bw.close();
  errorBr.close();
  } // End of try
  catch ( IOException ioe ) {
  JOptionPane.showMessageDialog (null, "Input / output error occured while compiling file ", "Error", JOptionPane.ERROR_MESSAGE);
  } // End of catch
  catch ( SecurityException se ) {
  JOptionPane.showMessageDialog (null, "Security error occured while compiling file ", "Error", JOptionPane.ERROR_MESSAGE);
  catch ( InterruptedException ie ) {
  JOptionPane.showMessageDialog (null, "Interruption error occured while compiling file ", "Error", JOptionPane.ERROR_MESSAGE);
  } // End of method compileFileMethod
  // Thank you for your helps and time.

  You cannot invoke BAT files directly, you have to invoke the program that run those files which is your Windows 98 shell. For example (under windows 2000), i would invoke "cmd.exe sricpt.bat some args", rather than "script.bar some args".
  Hope this will help you out.

• Bash shell for  sid adm and ora sid user

  I'm planning to make bash shell as the the default shell for my <sid>adm and ora<sid> user. Will there any issues? It seems harmless.
  My current setups are ECC6 on top of  AIX 5.3 and Oracle 10g
  regards,
  Marjan

  The only problem is permission of user access to that bash shell. as well as what u u want to run i mean to say if it is any haevy erport or update insert or refresh functionality then do not run at the time of haevy load.
  Thanks

• Problems customizing bash shell

  I am trying to add some customizing environment and aliases to my bash shell but cannot seem to get the .bash_profile file to be recognized when I open a xterm. I can source the file and get it loaded but would rather it be automatic. Any suggestions?
  G4, G5   Mac OS X (10.3.9)  

  I found a post in another area explaining that X11 is invoked as a non-shell start and therefore reads .bashrc and not .bash_profile. Moved my commands to that file and everything works.

• Bash shell does not recognise 'java', 'javac' commands (Linux command line)

  i' ve used javac and java compile & execute commands to build the same application on the DOS command line with Windows - no problem.
  But when I try to compile the same file on the command line under Linux Redhat (7.1) using Bash shell i get <bash: javac: command not found> and <bash: java: command not found>.
  In both cases I'm using j2sdk1.4.2 downloaded from java.sun.com for Windows & Linux respectively.
  I make sure I have both the javac and the file I want to compile in the same directory ../j2sdk1.4.2/bin for both the Windows and the Linux applications.
  Is there something I need to do to get bash to recognise javac, java etc? Is there a different setup procedure?
  Any angles on this are much appreciated ..

  Have you tried these correctly..
  Set the CLASSPATH environment variable to include whichever directories you like, eg (on bash) type:
  export CLASSPATH=$CLASSPATH:.:<your java dirs>
  To make java easier to run, put the directory in which it is installed into your path:
  export JAVA_HOME=<where you installed java>
  Then do
  export PATH=$PATH:$JAVA_HOME/bin
  verify it has worked by simply typing
  java
  You can put all of these commands into the .*rc file for your shell, so that they are executed every time you open the shell. So if you are using bash you can put them into ~/.bashrc
  Read up setting the PATH and CLASSPATH for more info.
  This shall resolve the issue .

• HT201667 I rented a movie through itunes on my ipad and wanted to watch it with friends on a digital projector, but it wouldn't allow me to do it.  Is there any way around this?

  I  rented a movie through itunes on my ipad and wanted to watch it with friends on a digital projector, but it wouldn't allow me to do it.  Is there any way around this?

  The issue was that a dialogue box came up which said that I couldn't play this movie on another device.  I tried playing the same movie on an Tv with an HDMI connection attached to an adapter to the IPad and that worked.  I wonder if the problem is that the digital projector has a VGA connection.

• PC died and in turn my main iTunes library. iPhone was synced to it. Now when I try to connect to another library it tells me the phone must be wiped clean before I can manage music with new library. Any way around that? Don't want to lose music.

  My PC died and in turn so did my main iTunes library.  My iPhone was synced to the library that is gone.  Now when I try to connect to another library, it tells me the phone must be wiped clean before I can manage music with new library.  Any way around that?  I don't want to lose the music that is on my phone.  I am looking for a way to tell the phone to "forget" the old library and let me start working with a new library. 

  It has always been very basic to always maintain a backup copy of your computer for just such an occasion.
  Use your backup copy of your computer to put everything on the new one.
  It sounds like you have failed to do this, which is not good at all.
  You will have to transfer your itunes purchases from your iphone.  Authorize your computer for your itunes account 
  About iTunes Store authorization and deauthorization
  Open itunes, plug in iphone, do NOT sync, click File>Transfer Purchases
  When you do sync you will lose your pics ( photo library - synced from your old computer), your itunes content ( music, apps, videos,etc) , your contacts and your calendars.  So do NOT sync yet.  This is why a backup copy is so important.
  Enter one unique contact and calendar entry on your computer.
  When you first sync, you should get the option to merger the data.  Choose it.
  If you want your pics, then you will need to e-mail them to yourself before you sync.  They will not be of the original quality as they are reduced when synced to iphone.
  When all is as goos as it can be, then backup your computer, and always maintain the backup.

• I am having a problem with pop pups and small windows with ads constantly opening up on my safari?? Thought that macs didn't get virus? this looks like one- any experts around? please help me fix it with your instructions? really don't know what to do...

  Hi everyone,
  I am having a problem with my Mac OS X 10.7.5 mac book air , there are constant pop pups and small windows with ads blinking constantly opening up on my safari in front of everything?? it is constantly interupting me and makes me mistakingly click on it then another new windows open behind the one im using..
  I am not too sure if thats a virus or trojan.. I always thought that macs didn't get virus? this looks like one to me… any experts around? please help me fix it with your instructions? really don't know what to do... thanks

  Those are not viruses. You have probably installed some malware:
  The Safe Mac » Adware Removal Guide
  Helpful Links Regarding Malware Protection
  An excellent link to read is Tom Reed's Mac Malware Guide.
  Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
  See these Apple articles:
            Mac OS X Snow Leopard and malware detection
            OS X Lion- Protect your Mac from malware
            OS X Mountain Lion- Protect your Mac from malware
            About file quarantine in OS X
  If you require anti-virus protection Thomas Reed recommends using Dr.Web Light from the App Store. It's free, and since it's from the App Store, it won't destabilize the system. If you prefer one of the better known commercial products, then Thomas recommends using Sophos.(Thank you to Thomas Reed for these recommendations.) If you already use Sophos, then be aware of this if you are using Mavericks: OS X Mavericks- Sophos Anti-Virus on-access scanner versions 8.0 - 9.1 may cause unexpected restarts
  From user Joe Bailey comes this equally useful advice:
  The facts are:
  1. There is no anti-malware software that can detect 100% of the malware out there.
  2. There is no anti-malware that can detect anything targeting the Mac because there
       is no Mac malware in the wild, and therefore, no "signatures" to detect.
  3. The very best way to prevent the most attacks is for you as the user to be aware that
       the most successful malware attacks rely on very sophisticated social engineering
       techniques preying on human avarice, ****, and fear.
  4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on
      your computer is intended to entice you to install their malware thinking it is a
      protection against malware.
  5. Some of the anti-malware products on the market are worse than the malware
      from which they purport to protect you.
  6. Be cautious where you go on the internet.
  7. Only download anything from sites you know are safe.
  8. Avoid links you receive in email, always be suspicious even if you get something
      you think is from a friend, but you were not expecting.
  9. If there is any question in your mind, then assume it is malware.