In late September a vulnerability in the bash shell was published. The vulnerability, also known as Shellshock, was classified as extremely critical. In the meantime, security patches have been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is the operating system of the two Oracle software appliances Oracle Audit Vault and Database Firewall and Oracle Key Vault. Oracle has published two My Oracle Support notes which describe how the patch must be installed on the appliance software. The installation is quite straightforward: get the patch from Oracle's public yum repository and install it on the appliance. 🙂 But be aware that the two appliances are still running Oracle Enterprise Linux 5.
Steps to copy, install and verify the bash shell bugfix:
```
[support@melete ~]$ su -
Password:
[root@melete ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[root@melete ~]# rpm -Uvh /tmp/bash-3.2-33.el5_11.4.x86_64.rpm
warning: /tmp/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing...                ########################################### [100%]
   1:bash                   ########################################### [100%]
[root@melete ~]# rpm -qa | grep -i bash
bash-3.2-33.el5_11.4
[root@melete ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
```
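The session above runs the function-import test and the package version check by hand. The script below is an added example, not part of the original post or of Oracle's support notes: it wraps both checks into functions that return an exit status, so the same verification can be scripted across several appliances. The fixed version string 3.2-33.el5_11.4 is taken from the session; the `rpm -q --qf` line mentioned in the comment is an assumption about how you would feed the function the installed version on the appliance.

```shell
#!/bin/sh
# Added example (not from the original post): turns the two manual checks from
# the session into functions with a usable exit status.

# Run the environment-function test from the post against a bash binary.
# Returns 0 if bash ignores the trailing command (patched), 1 if it executes
# it (vulnerable to CVE-2014-6271), 2 if the binary cannot be found.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # A vulnerable bash runs "echo vulnerable" while importing the function
    # definition stored in x; a fixed bash treats x as an ordinary variable.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Compare two RPM version-release strings field by field (every run of
# non-digits is a separator, so "3.2-33.el5_11.4" becomes 3 2 33 5 11 4).
# Returns 0 if the first is greater than or equal to the second.
version_ge() {
    a_fields=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b_fields=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a_fields
    for bf in $b_fields; do
        af=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$af" -gt "$bf" ] && return 0
        [ "$af" -lt "$bf" ] && return 1
    done
    return 0
}

# Check an installed bash package version against the fixed EL5 build named
# in the post, 3.2-33.el5_11.4 (other releases carry other numbers).
# The installed string is passed in so the function can be tested without
# rpm; on the appliance you would feed it (assumed invocation):
#   rpm -q --qf '%{VERSION}-%{RELEASE}' bash
bash_rpm_fixed() {
    version_ge "$1" "${2:-3.2-33.el5_11.4}"
}

# Stand-alone use: ./check.sh --run reports on the bash found in PATH.
if [ "${1:-}" = "--run" ]; then
    if shellshock_check bash; then
        echo "bash: function import test passed"
    else
        echo "bash: VULNERABLE (or binary not found)"
    fi
fi
```

One caveat visible in the session itself: the `rpm -Uvh` output reports `Header V3 DSA signature: NOKEY`, which means the package signature was not verified because the signing key was not in the rpm keyring. Importing Oracle's key with `rpm --import` and running `rpm -K` on the downloaded file before installing closes that gap; the script above does not cover it.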
References
Some links related to the bash shellshock vulnerability.
- CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Key Vault [1931880.1]
- CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Audit Vault and Database Firewall [1931021.1]
- Oracle Security Alert for CVE-2014-7169
- Critical Patch Updates, Security Alerts and Third Party Bulletin
- Oracle Public Yum Server
- Vulnerability Summary for CVE-2014-6271
- Vulnerability Summary for CVE-2014-7169
- Wikipedia Shellshock