Frequently Asked Questions and Responses related to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-71876 regarding bash vulnerability aka shellshock.
[9/24/14]
[updated 9/26/14]
What is the issue?
A security researcher has recently discovered a critical vulnerability in bash that allows remote code execution on a vulnerable system. This could affect a significant number of systems from web servers, home routers, OS X Macs, servers, PC’s, many embedded devices plus anything else that relies on bash.
For more details refer to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Is Syncplicity impacted by this issue?
While some Syncplicity servers run a version of Linux which included the vulnerable bash version, the flaw is not exploitable in the Syncplicity cloud environment. Syncplicity maintains a regular patching schedule for all of our systems. As additional measure, Syncplicity has patched our servers which included the vulnerable bash version.
What components of Syncplicity are affected?
The issue impacts the following Syncplicity components:
- EMC Syncplicity Enterprise Edition On-Premise Storage Connector
What steps do customers need to take to address the vulnerability?
There is no action needed by EMC Syncplicity Personal Edition, Business Edition, and Enterprise Edition cloud storage customers to remediate this vulnerability.
EMC Syncplicity Enterprise Edition on-premise administrators are advised to patch their on-premise Storage Connectors. EMC recommends the following for each Storage Connector Node:
- SSH into the Storage Connector node
- Issue the command “rpm -qa | grep bash” to view the current version of bash.
- Issue the command "sudo yum clean all && sudo yum update bash " to install the patched version of bash.
- Issue the command “rpm -qa | grep bash” to confirm the updated version of bash was installed.
- Please reboot the Storage Connector server after installing the patch.
*Note: The security community is aware that the patch for CVE-2014-6271 is incomplete. A new CentOS patch is pending for CVE-2014-7169. You are advised to run the pending patch when it becomes available as well.
[Updated 9/26/14] Patches are now also available for CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187
For additional details on the CentOS patch see:
https://www.centosblog.com/criticical-bash-vulnerability-discovered-update-bash-centos-linux-server-now/
http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html
EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.