Twenty Year Anniversary

CA Technologies GNU Bash Shellshock

CA Technologies GNU Bash Shellshock
Posted Oct 6, 2014
Authored by Ken Williams | Site www3.ca.com

CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 have been assigned to these vulnerabilities. These vulnerabilities could allow a local or remote attacker to utilize specially crafted input to execute arbitrary commands or code.

tags | advisory, remote, arbitrary, local, vulnerability, bash
advisories | CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
MD5 | 4023510a267f233dc5466a8b9b0dc489

CA Technologies GNU Bash Shellshock

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----

CA20141001-01: Security Notice for Bash Shellshock Vulnerability


Issued: October 01, 2014
Updated: October 03, 2014


CA Technologies is investigating multiple GNU Bash vulnerabilities,
referred to as the "Shellshock" vulnerabilities, which were publicly
disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278 have been assigned to these vulnerabilities. These
vulnerabilities could allow a local or remote attacker to utilize
specially crafted input to execute arbitrary commands or code.

The CA Technologies Enterprise Information Security team has led a
global effort to identify and remediate systems and products discovered
with these vulnerabilities. We continue to patch our systems as fixes
become available, and we are providing fixes for affected CA
Technologies products.

CA Technologies continues to aggressively scan our environments
(including servers, networks, external facing applications, and SaaS
environments) to proactively monitor, identify, and remediate any
vulnerability when necessary.


Risk Rating

High


Platform

AIX
Android (not vulnerable, unless rooted)
Apple iOS (not vulnerable unless jailbroken)
Linux
Mac OS X
Solaris
Windows (not vulnerable unless Cygwin or similar ported Linux tools
with Bash shell are installed)
Other UNIX/BSD based systems if Bash is installed
Any other OS or JeOS that utilizes Bash


Affected Products

The following products have been identified as potentially vulnerable,
and we have made fixes available for all of these products.

CA API Management (Linux appliance only)

CA Application Performance Management (TIM is the only affected APM
component)

CA Application Performance Management Cloud Monitor

CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)

CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management
Portal)

CA User Activity Reporting Module (Enterprise Log Manager)

Note: This security notice will be updated if other CA Technologies
products are determined to be vulnerable.

In most cases, the Bash vulnerabilities will need to be patched by OS
vendors. Exceptions may include CA Technologies appliances, and
software products that include Linux, UNIX or Mac OS X based operating
systems (that include Bash).


Affected Components

CentOS
Cygwin
GNU Bash
Red Hat Enterprise Linux
SUSE Linux


Non-Affected Products

IMPORTANT NOTE: This listing includes only a small subset of the
unaffected CA Technologies products. We're including unaffected
products that customers have already inquired about. While the
following CA Technologies products are not directly affected by the
Bash vulnerabilities, the underlying operating systems that CA
Technologies software is installed on may be vulnerable. We strongly
encourage our customers to follow the recommendations provided by their
vendors for all operating systems they utilize.

All CA SaaS / On Demand products were either not vulnerable or have
already been patched.

CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does
not execute CGI scripts, or spawn or execute shell commands from within
the app. AHS infrastructure already patched.

CA Asset Portfolio Management

CA AuthMinder (Arcot WebFort)

CA AuthMinder for Business Users

CA AuthMinder for Consumers

CA AutoSys products - We use the bash shell that comes with the
operating system and the customer is responsible for patching their OS.
Additionally, the agents themselves do not distribute any scripts that
use bash.

CA Clarity On Demand

CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or
use it, but because we are deployed on RHEL, customers may be
indirectly affected. Customers using RHEL should apply patches provided
by Red Hat.

CA Console Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.

CA ControlMinder

CA DataMinder (formerly DLP) products – Software and appliance
confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH
or Web apps are used in these agents. Customers should patch bash shell
on any Linux server with DataMinder agents. DataMinder agents should
continue to function normally.

CA Digital Payments SaaS (previously patched)

CA Directory

CA eCommerce SaaS / On Demand (previously patched)

CA Endevor Software Change Manager

CA Federation (formerly SiteMinder Federation)

CA GovernanceMinder

CA IdentityMinder

CA Infrastructure Management

CA JCLCheck

CA Job Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.

CA NetQoS GigaStor Observer Expert

CA Network Flow Analysis

CA Performance Management for OpenVMS - Our OpenVMS products do not
bundle bash, and they do not supply bash scripts; we use nothing but
the native DCL CLI.

CA RiskMinder

CA Service Desk Manager

CA Service Operations Insight (SOI)

CA SiteMinder

CA SOLVE:Access

CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes
from your underlying operating system vendor.

CA Strong Authentication

CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.

CA Top Secret

CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do
not bundle bash, and they do not supply bash scripts; we use nothing
but the native DCL CLI.

CA Virtual Assurance for Infrastructure Managers (VAIM)


Solution

CA Technologies has issued the following fixes to address the
vulnerabilities.

CA API Management:
Patches for Linux appliance are available through CA Support to
customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0,
7.1, 8.0, 8.1, 8.1.1, 8.1.02).

CA Application Performance Management:
KB article for APM TIM has been published. APM TIM is the only part of
APM that was affected. Refer to TEC618037.

CA Application Performance Management Cloud Monitor:
New images are available for subscribers. Download the latest OPMS
version 8.2.1.5. For assistance, contact CA Support.

CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):
Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do
not use Bash at all for the CEM operating system that we have shipped
in the past. This means that customers who patch the OS will not impact
the ability of the CEM TIMsoft from operating. However prior to version
9.6, the TIM installation script does use the bash shell. See new KB
article TEC618037 for additional information.

CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal):
Fixes for all Bash vulnerabilities and a security bulletin are available
on the Layer 7 Support website.

CA User Activity Reporting Module (Enterprise Log Manager):
All 12.5 and 12.6 GA versions are potentially affected. Patches
provided on 2014-09-30. To get the patch, use the OS update
functionality to get the latest R12.6 SP1 subscription update. Note
that you can update R12.5 SPx with the R12.6 SP1 OS update. For
assistance, contact CA Support.


Workaround

None

To help mitigate the risk, we do strongly encourage all customers to
follow patch management best practices, and in particular for operating
systems affected by the Bash Shellshock vulnerabilities.


References

CVE-2014-6271 - Bash environment variable command injection
CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271
CVE-2014-7186 - Bash parser redir_stack memory corruption
CVE-2014-7187 - Bash nested flow control constructs off-by-one
CVE-2014-6277 - Bash untrusted pointer use uninitialized memory
CVE-2014-6278 - Bash environment variable command injection

CA20141001-01: Security Notice for Bash Shellshock Vulnerability
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Change History

v1.0: 2014-10-01, Initial Release
v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM,
Clarity OD, All SaaS/OD products to list of Non-Affected Products.
v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated
UARM solution info.


If additional information is required, please contact CA Technologies
Support at https://support.ca.com.

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com.
PGP key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com


Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx
M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/
EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa
oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5
Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP
xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ==
=B62b
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close