Is this product have shell shock (CVE-2014-6271) vulnerability

There is world wide shell shock (CVE-2014-6271) vulnerability. Is there any impact on Firefox versions ?If yes, what are the versions effected this ? And what are the plans to deliver fixes for this vulnerabilities from Firefox ?

Correct, in response to the escalation tag, I confirmed with the security team that this has nothing to do with Firefox.
It was warned that the bash shellshock was more of a worry. However there [cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568] and [https://www.mozilla.org/security/announce/2014/mfsa2014-73.html]

Similar Messages

  • Bash CVE-2014-6271 Vulnerability

    Excuse me if this was already posted. I searched title's only for bash and 6271 and didn't see any results.
    Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
    This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
    Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
    I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
    To test if your version of Bash is vulnerable run the following command:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If that command returns the following:
    vulnerable this is a test
    …then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    Arch Linux CVE-2014-6271 patch:
    pacman -Syu
    Last edited by hydn (2014-09-28 20:57:41)

    On a related note.  I post this here as it might be of interest to some members....
    I just checked my DD-WRT based router for this vulnerability.   It comes stock with Busybox and does not seem to be vulnerable, but...   I keep bash on a separate partition which gets mounted on /opt.  That bash is vulnerable.  Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
    Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.   
    I did kill the ssh service on the Windows Box that let me into bash via Cygwin.  Cygwin Bash is vulnerable as of when I began this post.
    Last edited by ewaller (2014-09-25 18:26:18)

  • Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

    Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

    The official communication is now posted to
        https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169

  • [CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?

    http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
    Discussion?

    Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Please refer to the expanded "Affected Products".
    The following Cisco products are currently under investigation:
    Cable Modems
    Cisco CWMS
    Network Application, Service, and Acceleration
    Cisco ACE GSS 4400 Series Global Site Selector
    Cisco ASA
    Cisco GSS 4492R Global Site Selector
    Network and Content Security Devices
    Cisco IronPort Encryption Appliance
    Cisco Ironport WSA
    Routing and Switching - Enterprise and Service Provider
    Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
    Cisco ISM
    Cisco NCS6000
    Voice and Unified Communications Devices
    Cisco Finesse
    Cisco MediaSense
    Cisco SocialMiner
    Cisco Unified Contact Center Express (UCCX)
    Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.

  • Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8

    Greetings, all...
    I see that Novell has a handy security note out regarding CVE-2014-6271:
    http://support.novell.com/security/c...2014-6271.html
    as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
    http://support.novell.com/security/c...2014-7169.html
    Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
    surprised, though remain unconvinced that the older bash port is entirely
    free of vulnerability, here.
    Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
    I don't believe that anyone is using mod_cgi or mod_cgid.
    (BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
    32 and 64-bit binary rpms on my FTP server:
    ftp.2rosenthals.com/pub/CentOS/4.8 .)
    Just curious as to what the consensus is regarding NetWare with this thing.
    TIA
    Lewis
    Lewis G Rosenthal, CNA, CLP, CLE, CWTS
    Rosenthal & Rosenthal, LLC www.2rosenthals.com
    Need a managed Wi-Fi hotspot? www.hautspot.com
    visit my IT blog www.2rosenthals.net/wordpress

    The concern with the bash shell is that services MAY be setup to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi ,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169 , I am referring below link to check for NX OS  - n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list.Need help to know if 5.1 is affected with BASH Vulnerability .
    Thanks for help in advance .

    The concern with the bash shell is that services MAY be setup to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • CVE-2014-6271 bash vulnerability

    more info on this here:
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
    http://www.reddit.com/r/sysadmin/comments/2hc5rk/cve20146271_remote_code_executi on_through_bash/
    I'm assuming Apple will release a security update for this on supported versions of the Mac OS but in the meantime, is there a fix that we can apply?   What is an easy way to patch this on older OS versions that Apple is no longer supporting?    (perhaps something short of recompiling bash)

    I had foolishly imagined that the update to "Command Line Tools (OS X 10.9)" released (I thought?) today would fix this. It does not. The referenced fixes do, although, as sjabour said, don't just run those blindly: understand what they do.
    As an aside, after patching other Unix systems I care for, I also changed all users' (and, on Linux, root's) shells to something else (I like Zsh, although that may not be right for root in all cases). On Darwin, root's shell is "/bin/sh", but, as with most Linux distributions, that's actually just bash. You absolutely can execute Zsh as sh, and have it behave as an sh-alike, so if you aren't comfortable with patching and rebuilding, but are comfortable with basic SA practice (or you just don't have XCode for whatever reason), you could replace the bash /bin/sh with a hard link to /bin/zsh instead, like this:
    % cd /bin
    % sudo ln sh sh-real
    % sudo ln -f zsh sh
    % ls -li sh* zsh
      334241 -rwxr-xr-x  2 root  wheel   530320 Oct 31  2013 sh
       11118 -r-xr-xr-x  1 root  wheel   942308 Sep 24 23:53 sh-real
    18050387 ----------  1 root  wheel  1228304 Sep 24 23:51 sh.CVE-2014-6271
      334241 -rwxr-xr-x  2 root  wheel   530320 Oct 31  2013 zsh
    % sudo su -
    # echo $SHELL
    /bin/sh
    # /bin/sh --version
    zsh 5.0.2 (x86_64-apple-darwin13.0)

  • Bash vulnerability bash CVE-2014-6271 on Cisco devices

    Hi, all,
    Anybody know whether any Cisco devices are vulnerable to  recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
    Thanks,

    Have a look here: 
    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
    and here:
    http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Under affected products. 

  • Bash bug  CVE-2014-6271 patch availability?

    Hi everyone, does anyone know if Oracle has released a patch for the bash bug?  CVE-2014-6271 link below.
    NVD - Detail
    I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
    thanks!

    Check the following:
    [root@vm110 ~]# yum -y install yum-security
    [root@vm110 ~]# yum list-security | grep bash
    This system is not registered with ULN.
    You can use up2date --register to register.
    ULN support will be disabled.
    ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
    [root@vm110 ~]# yum info-security ELSA-2014-1293
    Loaded plugins: rhnplugin, security
    This system is not registered with ULN.
    You can use up2date --register to register.
    ULN support will be disabled.
    ===============================================================================
       bash security update
    ===============================================================================
      Update ID : ELSA-2014-1293
        Release : Oracle Linux 5
           Type : security
         Status : final
         Issued : 2014-09-24
           CVEs : CVE-2014-6271
    Description : [4.1.2-15.1]
                : - Check for fishy environment
                :   Resolves: #1141645
       Solution : This update is available via the Unbreakable Linux Network (ULN)
                : and the Oracle Public Yum Server. Details on how
                : to use ULN or http://public-yum.oracle.com to
                : apply this update are available at
                : http://linux.oracle.com/applying_updates.html.
         Rights : Copyright 2014 Oracle, Inc.
       Severity : Critical
    info-security done
    [root@vm110 ~]# yum -y install bash-3.2-33.el5.1
    If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
    See Oracle Public Yum Server for details.
    To install:
    [root@vm110 ~]# yum -y install bash-3.2-33.el5.1

  • CVE-2014-6271 on Exadata

    Has anyone applied this linux update to engineered systems?  I was looking to download this update from metalink but I could not find it.  Any ideas?

    If you have many clusters / racks, here's the command block using dcli:
    For Compute Nodes
    OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa| grep exadata-sun-computenode-exact"
    dcli -g /home/oracle/dbs_group -l root "rpm -e exadata-sun-computenode-exact"
    OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa| grep bash"
    dcli -g /home/oracle/dbs_group -l root "rpm -Uvh /where/you/downloaded/CVE-2014-6271/bash-3.2-33.el5_11.4.x86_64.rpm"
    OPTIONAL: dcli -g /home/oracle/dbs_group -l root "rpm -qa | grep bash”
    For Cell Nodes:
    dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root -f /where/you/downloaded/CVE-2014-6271/bash-3.2-33.el5_11.4.x86_64.rpm -d /tmp/
    OPTIONAL: dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l "rpm -qa | grep bash”
    dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rpm -Uvh --nodeps /tmp/bash-3.2-33.el5_11.4.x86_64.rpm"
    dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "rm /tmp/bash-3.2-33.el5_11.4.x86_64.rpm"
    OPTIONAL: dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l "rpm -qa | grep bash”
    +++++++++++++++++++++++
    Above takes care of compute and cell nodes.
    Now, the IB switches also have bash and Oracle very likely is working for a fix there.

  • CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

    Hi ,
    patches required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm "
    from where i can get this patch, its not availible on support.oracle/patches !!
    Thanks,
    Thamer

    Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
    You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).

  • Bash bug  CVE-2014-6271 patch availability for OL4?

    Hi,
    Kindly advise how to download the CVE-2014-7169  CVE-2014-6271 security patches for Oracle Linux 4?
    Rgds;
    Shirley

    Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.

  • Is there a patch out for the bash bug (CVE 2014-6271)?

    Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.

    Hi,
    another approach could be to just build a custom bash package yourself using
    the available changes published here:
    https://java.net/projects/solaris-userland/sources/gate/show/components/bash
    That's the build infrastructure and source we use to build the official Solaris 11
    IPS packages.
    Regards,
    Ronald

  • Windows Server 2008 CVE-2014-8730 vulnerability

    We've received our monthly vulnerability scan results on our production servers running Windows Server 2008 R2.
    They are showing vulnerability to TSL POODLE, which is the subject of CVE-2014-8730.
    In this article on Qualys, there is mention that Windows Server 2008 is vulnerable but Microsoft have not taken any action yet:
    https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
    Microsoft - We've seen reports that some older platforms (e.g., Windows 2008) appear vulnerable, but no apparent patterns or reliable information so far.
    Is there any update on this issue as it's an exploitable vulnerability we would like to remediate.
    Thanks,
    Lyndon.

    Hi Vivian,
    The article cited is about a different issue.
    In October 2014 there was an SSL v3 POODLE vulnerability, we have resolved this issue by disabling SSL v3 (as recommended).
    The article your posted specifically references that issue (the article was published in October 2014).
    In December 2014 there was another POODLE vulnerability announced that affected the TLS protocol.
    A lot of major vendors have published patches for this issue, but Microsoft are yet do do so (as far as I know).
    Hence by original question that has not been answered yet.
    Regards,
    Lyndon.

  • Shellshock (CVE-2014-6271) bug in bash

    The bash version on OSX 10.9.x is
    bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
    Copyright (C) 2007 Free Software Foundation, Inc.
    Based on the following alert Bash v1.14 through 4.3 is vulnerable https://www.us-cert.gov/ncas/alerts/TA14-268A and the ArsTechnica articles
    http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-h ole-on-anything-with-nix-in-it/
    http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as -exploit-reported-in-the-wild/
    paint a very gloomy picture. Apple Software Updates have been very buggy in the recent memory, expecting a patch very soon.

    Here are a couple of posts by those much more knowledgeable than I about such things:
    John Galt
    Sep 25, 2014 2:01 PM
    Re: shellshock virus in response to johnchar
    It's not a virus. It's just the latest scare tactic promulgated by popular media outlets to ensure the uninformed among us remain uninformed. The fact you characterize it as a "virus" is proof of that, on its face.
    If you are running a web server download and install the recent patch from the GNU project archive. If and when Apple will release an update to the Bash version included with OS X is up to them.
    There are plenty of bad things that could happen to a system due to existing vulnerabilities, known or unknown. There is no reason for any more concern today than there has ever been. Bash has been included with OS X for years, perhaps since its inception.
    Similar vulnerabilities may also be discovered and exploited, now or in the future. The resulting effects, if there are any, cannot be accurately predicted.
    Until then:
    Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them.
    Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.
    Kurt Lang
    Sep 25, 2014 2:02 PM
    Re: shellshock virus in response to johnchar
    Detailed info from user fmiranda, who lists him/herself as a Red Hat Solution Architect. In short, someone who likely knows a ton about Unix/Linux.
    The truth is: yes you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.
    So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.

Maybe you are looking for