ShellShock Vulnerable products

Hello
We have Cisco UCS blade servers B420 M3 serial : FCH1710J7JP
and the Fabric Interconnect : UCS-FI-6248UP
I need to know if those products are vulnerable to ShellShock.
If they are vulnerable, which patch do I need to install?

Just an FYI a fix has been released (2.2(3b))......
Fixes will be available in the following upcoming releases:
3.0(1d) ==> ETA week of 10/13
2.2(3b) ==> released 10/9
2.2(2e) ==> ETA week of 10/13
2.2(1f) ==> ETA week of 10/13
2.1(3f) ==> ETA will be announced shortly
2.0(5g) ==> ETA will be announced shortly
All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6278, and CVE-2014-6277, have been fixed.
The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
https://tools.cisco.com/bugsearch/bug/CSCur01379

Similar Messages

  • Shellshock Vulnerability

    Are any of the Adobe Creative Cloud services vulnerable to the Bash / Shellshock bug?

    The Cisco PSIRT is investigating the impact of this vulnerability on Cisco products and will disclose any vulnerabilities according to our security policy, which is available at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html .
    An INTERIM Cisco Security Advisory was published on September 25th, 2014 and is available at the following URL:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    The Cisco PSIRT will update this Cisco Security Advisory as more information becomes available.

  • CSCur00511 Shellshock Vulnerable ACS Versions

    What is the status of the 4.x ACS versions?  Only a few 5.x versions were listed as vulnerable in the bug report.  But the bash vulnerability seems to have been with us for a very long time.  If 4.x isn't vulnerable, was this because ACS didn't use a version of unix with bash back then?  Or is 4.x just unevaluated because it's beyond end of support?
     

    Hello,
    I have tested the vulnerability and confirmed that it affects ACS 5.2.
    ACS 5.3 probably runs the same BASH version, so it is most likely vulnerable.
    At this point, I would recommend to upgrade to any of the following versions:
    ACS 5.4 patch 7
    ACS 5.5 patch 6
    ACS 5.6 patch 1
    HTH.

  • Community Discussion on CSCuq98748- Bash Vulnerability

    Hi, are the Nexus 7K and 5K vulnerable to Shellshock?
    Can you please confirm?

    Yes, they are vulnerable if you are using a certain version of code. The 5Ks have 3 different versions that are vulnerable, and the 7Ks have one version, 6.2.6, which is vulnerable.
    5K info
    Last Modified: Sep 29, 2014
    Status: Open
    Severity: 2 Severe
    Product: Cisco Nexus 5000 Series Switches
    Support Cases: 0
    Known Affected Releases (3): 5.2(1)N1(8a), 6.0(2)N2(5), 7.0(3)N1(0.125)
    Known Fixed Releases: (0)

  • Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

    Dear All,
    We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.
    According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265. 
    Do I need to take any action for my CSM ?
    Thanks & Regards
    Ahmed...

    I'm not sure if that's true. The release notes don't state anything about fixing that bug, and also, looking at the open source licenses PDF for 4.6.0, it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0, and all versions 1a through 1f are vulnerable).
    I would find it very odd they didn't fix it considering it was released just yesterday.

  • SNMP Vulnerability

    Reference Oracle Security Alert #30 Dated: 5 March , 2002. The security alert states that "Oracle has fixed the potential vulnerability identified above in patch/bug fix number 2224724. Patches will be available only for supported releases of EM and Oracle Database on all platforms that require a patch."
    Oracle 8.1x is identified as a vulnerable product. Is there a patch available for Oracle 8.16 running under Windows NT Server?

    Anyone know why I'd be getting this message when I try
    to install patch 106787-17 (snmp vulnerability)?
    Checking installed patches...
    One or more patch packages included in
    106787-17 are not installed on this system.
    I did a pkginfo -il on all the packages in the
    directory and they are (4 of them) installed.

    I had the same problems when I tried to install the patch on our E250's running 2.6 and 2.7,
    Solaris 8 was no problem. I checked (like you did) that I had indeed all the packages installed.
    I was however in the lucky situation that I could just disable SNMP as it was not doing anything useful...
    I think if you look in the patch that you could perhaps just replace the files manually and then restart the service. (I guess it's a good idea to try on only one host first;)
    Good luck,
    Thomas

  • Shellshock bug

    Is no one curious about whether Apple is working on this?

    If the issue concerns an older vintage obsolete Mac OS X and a former security
    issue, bypassed through upgrade and updates over many years, I'd guess No.
    However there is a new issue that re-uses an old name bug... of different nature.
    I see this page, but wonder about its validity: (consumes resources to view)
    http://www.imore.com/about-bash-shellshock-vulnerability-and-what-it-means-os-x
    A new installation on a wiped hard drive would be a way to remove it from Mac.
    Please define the system and hardware this issue is confined to; if you have it.
    •What does the Shellshock bug affect?
    http://www.thesafemac.com/?s=shellshock&submit=Search
    http://www.thesafemac.com/what-does-the-shellshock-bug-affect/#more-1688
    While I have Leopard on a few machines, I try to not install software from odd
    places that are suspect. See if TheSafeMac has anything about it; email the
    author of the site and ask him. http://www.thesafemac.com/tech-guides/
    Good luck & happy computing!

  • Shell shock - Bash still is not updated

    I purchased my Mac earlier this year (2014.7) and it was originally installed with OS X 10.9
    I have currently formatted my Mac 5 times since I have purchased it due to issues with Bash, Java, Safari, the App store.
    I believe I was victim to Shell shock as my Bash responds to the first vulnerability (First Update dated Sept 26, 2014, Bash version 3.2.53)
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    with a vulnerable output.
    this is a test
    I have downloaded the BashUpdateMavericks.pkg which NIST points to and it comes up with an error. I have tried installing the patch on both Mavericks and Yosemite and neither results in a successful installation.
    Can anyone give any insight on what I should do to patch up bash?

    Apple's article about the BASH issue is here: About OS X bash Update 1.0 - Apple Support
    While this vulnerability is generically described as the shellshock aka. BASH issue, there are actually several permutations of it. Some fixes only addressed some of those variations. As you will see, Apple's article says they address two listed vulnerabilities but actually (as I read it) includes three different fixes.
    The following article https://shellshocker.net seems to list six variations plus the original issue including the two Apple list.
    On that basis one could argue Apple's fix does not address all the possible variations. However based on Apple's fix the result "this is a test" indicates the patch is correctly installed. Based on the shellshocker test all seven out of seven variations are fixed by Apple if you have the Apple patch installed.
    This is the result I get on Mavericks 10.9.5 with Apple's patch applied.
    CVE-2014-6271 (original shellshock): not vulnerable
    CVE-2014-6277 (segfault): not vulnerable
    CVE-2014-6278 (Florian's patch): not vulnerable
    CVE-2014-7169 (taviso bug): not vulnerable
    CVE-2014-7186 (redir_stack bug): not vulnerable
    CVE-2014-7187 (nested loops off by one): not vulnerable
    CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
    With an unpatched copy of Mavericks I get the first four as vulnerable and the last three as not vulnerable suggesting Apple indeed only had to add three fixes. (The last six issues are variations of the first one.)
    CVE-2014-6271 (original shellshock): VULNERABLE
    bash: line 17: 54477 Segmentation fault: 11  shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
    CVE-2014-6277 (segfault): VULNERABLE
    CVE-2014-6278 (Florian's patch): VULNERABLE
    CVE-2014-7169 (taviso bug): VULNERABLE
    CVE-2014-7186 (redir_stack bug): not vulnerable
    CVE-2014-7187 (nested loops off by one): not vulnerable
    CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
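
A wrapper around the two Shellshocker.net probes quoted in these threads, as an added example that is not part of any poster's message: it runs the CVE-2014-7169 probe in an empty scratch directory, because that probe's evidence is a file named `echo` in the current directory and a copy left over from an earlier run would make a patched Bash look vulnerable when `cat echo` is repeated. The function names and the `BASH_BIN` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. BASH_BIN and all function names are
# hypothetical; the two probe strings are the ones quoted on this page.
BASH_BIN="${BASH_BIN:-bash}"

# Interpret captured stdout of the CVE-2014-6271 probe.
# A line that is exactly "vulnerable" means the trailing command in the
# imported function definition was executed.
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "VULNERABLE"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"
    else
        echo "inconclusive"   # bash missing or unexpected output
    fi
}

probe_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null) || true
    classify_6271 "$out"
}

# CVE-2014-7169 probe. An affected Bash writes the output of `date` to a
# file called "echo" in the current directory, so test for that file in an
# empty scratch directory instead of running `cat echo` wherever you are.
probe_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "inconclusive"; return 0; }
    dir=$(mktemp -d) || { echo "inconclusive"; return 0; }
    (
        cd "$dir" || exit 0
        env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 || true
        if [ -e echo ]; then echo "VULNERABLE"; else echo "not vulnerable"; fi
    )
    rm -rf "$dir"
}

printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$(probe_6271)" "$(probe_7169)"
```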

  • Is Cisco 2901 router suffering from the heartbleed problem?

    I am not quite familiar with networking products. So maybe this is a stupid question.
    We have recently bought a Cisco 2901 router.
    http://www.cisco.com/c/en/us/products/routers/2901-integrated-services-router-isr/index.html
    We checked the cisco heartbleed info page.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    But Cisco 2901 is listed neither in "Vulnerable products" nor in "Products Confirmed Not Vulnerable".
    So, is Cisco 2901 vulnerable or not?
    Or does it depend on the firmware version? How to check?

    Just to add to the above. It actually says that IOS is NOT affected.
    The following Cisco products have been analyzed and are not affected by this vulnerability:
    Cisco 1000 Series Connected Grid Routers
    Cisco 200 Series Smart Switches
    Cisco 300 Series Managed Switches
    Cisco 500 Series Stackable Managed Switches
    <<<<<<<<SNIPPED>>>>>>>>>
    Cisco Identity Service Engine (ISE)
    Cisco Insight Reporter
    Cisco Integrated Management Controller (IMC)
    Cisco Intelligent Automation for Cloud
    Cisco IOS XR
    Cisco IOS
    Cisco IP Communicator
    Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

  • Apple:  Please fix the "Other" problem with memory space

    It took me 5 tries last night to get TomTom Installed cleanly on the iPhone. Each of the 4 times I tried - I kept getting gigabytes of memory in the "Other" category. The only way to get rid of the "other" memory is to restore the iphone - a 20 minute process in itself.
    While syncing mostly anything to an iphone or ipod - if you make a change in the middle of a longer sync (for a large file) and push the sync button again - the sync starts over and the large file that it was working on becomes orphaned and part of the "Other" memory. Cancelling Syncs also results in this large portion of "Other" memory being taken up by whatever the sync was working on at the time of the cancellation.

    Ted C wrote:
    It took me 5 tries last night to get TomTom Installed cleanly on the iPhone. Each of the 4 times I tried - I kept getting gigabytes of memory in the "Other" category.
    After it happened the first and second time, with the same results, you really did the same thing two more times? Yikes.
    Ever hear of the term "Idiot proof?"
    Leaving aside obvious directions that could be taken...it may be that 'idiot proof' is not the goal here. Say you have a problem like this, and don't know the solution. Maybe you come here, so some devious helper like me can pad his post counts by answering your question (regardless of the fact that the number of posts means absolutely nothing, and I volunteer my time here in any case). But, maybe you go to the Genius Bar for some 'free' help. See that shiny new iPhone 3GS? That slick looking new MacBook Pro? Maybe you suddenly remember you were thinking of a new car charging cable or BT headset for your phone. Bam. A sale is made. All because the valued customer needed help with an idiot-vulnerable product. Just food for thought. <sarcasm>And one more post to add to my post count. Whoopee. I'm going to go celebrate now.</sarcasm>
    Seriously, though, Apple generally does a good job of making user-friendly products. The iPod will be discussed in marketing classes for the next several decades as the poster child for that approach to product development.

  • IMac is vulnerable to Shellshock

    Hi,
    My iMac is vulnerable to Shellshock.  See test and results below.  Please advise.
    Test:
    Is my machine vulnerable?
    Shellshocker.net provides two tests, one for each vulnerability, (CVE-2014-6271) and (CVE-2014-7169). On a Mac, open the Terminal program and type:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:
    env X='() { (a)=>\' bash -c "echo date"; cat echo
    If you see today's date (alongside any errors), your version of Bash is vulnerable.
    Results:
    Last login: Sun Sep 28 11:30:39 on console
    Daryls-iMac-2:~ darylkennedy$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    Daryls-iMac-2:~ darylkennedy$
    Daryls-iMac-2:~ darylkennedy$ env X='() { (a)=>\' bash -c "echo date"; cat echo
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Sun Sep 28 11:36:27 EDT 2014
    Daryls-iMac-2:~ darylkennedy$

    d-nc wrote:
    Hi,
    My iMac is vulnerable to Shellshock.  See test and results below.  Please advise.
    Don't run a web server and don't allow remote access. But, I imagine that is true already.
    Unless you are using an Airport Extreme, your router is likely the biggest vulnerability. The others are generally configured through a web server.
    See the other posts Esquared linked.

  • Is ESX v3.0 / 3.5 vulnerable to Shellshock?

    Greetings,
    Is ESX v3.0 / 3.5 vulnerable to Shellshock? - I have searched all over and cannot find this answer. I tried finding out the linux shell version as well, but did not locate that. I thought Google would answer this in 2 minutes
    Any help is appreciated.
    Thanks,
    Rick

    It should be, as ESX 4 is vulnerable as well, with the difference being there is a patch available for ESX 4. I think the recommendation would be to upgrade to at least ver 4 and apply the patch.
    Security advisory located at
    VMSA-2014-0010.4 | United States
    Regards
    Girish

  • Cisco Security Advisory: OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

    Hello Experts,
    I need to rule out that we have affected openSSL version 1.0.1 running on our devices. I need to know what is the version of openSSL that is current on the following platforms:
    Cisco PIX
    Cisco FWSM
    Cisco ISR
    Cisco VPN Concentrator
    I know ASA runs 0.9.8f and I know that PIX and Concentrator are very old, and they might run an older version, however for a security assessment I need to rule those out too.
    Does anyone know what is the version for these platforms?
    Thanks in advance.

    The definitive source is and will continue to be the Cisco Security Advisory. It has already been updated several times today. Please keep checking back to it at the following URL:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    That said, the Pix and VPN Concentrator development and code release ended prior to the release of openssl with the vulnerability so I would hazard an educated guess that you won't have any problems with respect to this particular vulnerability. THAT said, if you're concerned about security vulnerabilities why are you running products with associated code that has not had other documented bugs and vulnerabilities patched for at least several years?
    The ISR G2 will almost certainly depend on the IOS level and whether you are using any of the ssl-related features.

  • Are BlackBerry products affected by Samba vulnerability, CVE-2015-0240?

    Samba versions 3.5.0 to 4.2.0rc4 are now known to have a remote code execution vulnerability, CVE-2015-0240. [1] Are BlackBerry products affected?
    [1] https://www.samba.org/samba/security/CVE-2015-0240

    We have updated the release notes to indicate following-
    All versions prior to the following releases are shipping with the vulnerable code. This also includes any train which has already reached end of software maintenance (eg- 3.8.x) 
    15.5(1)S/XE3.14.1S
    15.4(3)S2/XE3.13.3S
    15.4(2)S1/XE3.12.3S
    15.4(1)S3/XE3.11.4S
    15.3(3)S4/XE3.10.6S
    15.2(4)S6/XE3.7.7S
    15.1(3)S7/XE3.4.7S
    Regards,
    Vishnu Asok

  • The GHOST Vulnerability VMware Products

    Good morning,
    I have been asked to verify if the recently released Ghost Vulnerability affects any of the VMware products that we have in house. Here are the products that we have:
    ESXi 5.0 - 5.5
    vCenter Operations Manager 5.8 (SUSE Linux Enterprise 11)
    vCenter Log Insight (SUSE Linux Enterprise 11)
    vCloud Automation Center
    VMware Postgres Database Appliance (SUSE Linux Enterprise 11)
    vCenter Orchestrator Appliance (SUSE Linux Enterprise 11)
    vSphere Management Assistant (vMA) (SUSE Linux Enterprise 11)
    Does anyone know if these products are affected? If they are, does VMware have a patch in place to remediate the vulnerability?
    Thanks for your help.
    Tim

    Keep watch on: VMware Security Advisories (VMSAs) | United States
    Good read on the same: Not So Spooky: Linux "Ghost" Vulnerability
    oss-security - Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow
