Security Vulnerability : GNU Bash Remote Code Execution (aka ShellShock)
This document (7015702) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Server 10 SP3 LTSS
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SLES Expanded Support platform release 6.5
SLES Expanded Support platform release 5.10
Situation
Resolution
1. Updating your entire system with the latest system updates:
To make sure that you have the patches relative to these issues, update the complete system to the latest patch level (preferred option) by running the following commands from a terminal, after verifying that you have your patch channels configured:
- zypper ref -s
- zypper up
SUSE recommends that you always apply updates and consider running the latest version.
You can verify your current version by typing at a command prompt:
cat /etc/*release
For more information on how to upgrade can be found in TID 7012368.
2. Apply only the latest bash patches
If you prefer to update only the bash patches, use the following commands:
- zypper ref -s
- zypper up bash
3. Updating an Expanded Support Platform
In case of SLES Expanded Support platform:
- yum update
4. Applying CVE related fixes if you don't have LTSS maintenance:
Due to the nature of this issue, it was decided that patches would be made available to active subscription customers who don't have an LTSS agreement and are on SLES10SPx and SLES11SP1/SP2. Some patches have already been released on (details below): https://download.suse.com/patch/finder/
If you can not find the downloads for your OS version please contact Customer Support.
Note: On Patchfinder you need to select the LTSS equivalent of your product. For example if you are on SLES 10 SP3, you will need to search under SLES 10 SP3 LTSS to find the patch. Your current SLES entitlement will allow access to these files.
All downloads are available HERE.
Note:
Access to LTSS repositories requires additional subscriptions not covered by general maintenance.
Refer to TID 7011670 for further help on how to add LTSS repositories once a subscription as been acquired
If you would like to know how to purchase LTSS should you need to remain on an old version, you can contact sales. Please find information on the LTSS Program at https://www.suse.com/support/programs/long-term-service-pack-support.html
Cause
Status
Additional Information
Further information regarding these security issues can be found here:
- https://www.suse.com/security/cve/CVE-2014-6271
- https://www.suse.com/security/cve/CVE-2014-6277
- https://www.suse.com/security/cve/CVE-2014-6278
- https://www.suse.com/security/cve/CVE-2014-7169
- https://www.suse.com/security/cve/CVE-2014-7186
- https://www.suse.com/security/cve/CVE-2014-7187
Please note that the exploit test of CVE-2014-6277 mentioned on "shellshocker.net" is NOT valid for SLES systems that have been patched. The segmentation fault is certainly not nice, but note that the function was defined in the shell itself, not passed via an environment variable. Bugs in the evaluation code are not mitigated by the hardening patch, but they no longer have the potential to be abused.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7015702
- Creation Date: 26-Sep-2014
- Modified Date:18-Oct-2022
-
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Software Development Kit
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com