BugTraq
CA20141001-01: Security Notice for Bash Shellshock Vulnerability Oct 06 2014 04:12PM
Williams, James K (Ken Williams ca com)


CA20141001-01: Security Notice for Bash Shellshock Vulnerability

Issued: October 01, 2014

Updated: October 03, 2014

CA Technologies is investigating multiple GNU Bash vulnerabilities,

referred to as the "Shellshock" vulnerabilities, which were publicly

disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271,

CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and

CVE-2014-6278 have been assigned to these vulnerabilities. These

vulnerabilities could allow a local or remote attacker to utilize

specially crafted input to execute arbitrary commands or code.

The CA Technologies Enterprise Information Security team has led a

global effort to identify and remediate systems and products discovered

with these vulnerabilities. We continue to patch our systems as fixes

become available, and we are providing fixes for affected CA

Technologies products.

CA Technologies continues to aggressively scan our environments

(including servers, networks, external facing applications, and SaaS

environments) to proactively monitor, identify, and remediate any

vulnerability when necessary.

Risk Rating

High

Platform

AIX

Android (not vulnerable, unless rooted)

Apple iOS (not vulnerable unless jailbroken)

Linux

Mac OS X

Solaris

Windows (not vulnerable unless Cygwin or similar ported Linux tools

with Bash shell are installed)

Other UNIX/BSD based systems if Bash is installed

Any other OS or JeOS that utilizes Bash

Affected Products

The following products have been identified as potentially vulnerable,

and we have made fixes available for all of these products.

CA API Management (Linux appliance only)

CA Application Performance Management (TIM is the only affected APM

component)

CA Application Performance Management Cloud Monitor

CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)

CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management

Portal)

CA User Activity Reporting Module (Enterprise Log Manager)

Note: This security notice will be updated if other CA Technologies

products are determined to be vulnerable.

In most cases, the Bash vulnerabilities will need to be patched by OS

vendors. Exceptions may include CA Technologies appliances, and

software products that include Linux, UNIX or Mac OS X based operating

systems (that include Bash).

Affected Components

CentOS

Cygwin

GNU Bash

Red Hat Enterprise Linux

SUSE Linux

Non-Affected Products

IMPORTANT NOTE: This listing includes only a small subset of the

unaffected CA Technologies products. We're including unaffected

products that customers have already inquired about. While the

following CA Technologies products are not directly affected by the

Bash vulnerabilities, the underlying operating systems that CA

Technologies software is installed on may be vulnerable. We strongly

encourage our customers to follow the recommendations provided by their

vendors for all operating systems they utilize.

All CA SaaS / On Demand products were either not vulnerable or have

already been patched.

CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does

not execute CGI scripts, or spawn or execute shell commands from within

the app. AHS infrastructure already patched.

CA Asset Portfolio Management

CA AuthMinder (Arcot WebFort)

CA AuthMinder for Business Users

CA AuthMinder for Consumers

CA AutoSys products - We use the bash shell that comes with the

operating system and the customer is responsible for patching their OS.

Additionally, the agents themselves do not distribute any scripts that

use bash.

CA Clarity On Demand

CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or

use it, but because we are deployed on RHEL, customers may be

indirectly affected. Customers using RHEL should apply patches provided

by Red Hat.

CA Console Management for OpenVMS - Our OpenVMS products do not bundle

bash, and they do not supply bash scripts; we use nothing but the

native DCL CLI.

CA ControlMinder

CA DataMinder (formerly DLP) products â?? Software and appliance

confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH

or Web apps are used in these agents. Customers should patch bash shell

on any Linux server with DataMinder agents. DataMinder agents should

continue to function normally.

CA Digital Payments SaaS (previously patched)

CA Directory

CA eCommerce SaaS / On Demand (previously patched)

CA Endevor Software Change Manager

CA Federation (formerly SiteMinder Federation)

CA GovernanceMinder

CA IdentityMinder

CA Infrastructure Management

CA JCLCheck

CA Job Management for OpenVMS - Our OpenVMS products do not bundle

bash, and they do not supply bash scripts; we use nothing but the

native DCL CLI.

CA NetQoS GigaStor Observer Expert

CA Network Flow Analysis

CA Performance Management for OpenVMS - Our OpenVMS products do not

bundle bash, and they do not supply bash scripts; we use nothing but

the native DCL CLI.

CA RiskMinder

CA Service Desk Manager

CA Service Operations Insight (SOI)

CA SiteMinder

CA SOLVE:Access

CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes

from your underlying operating system vendor.

CA Strong Authentication

CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle

bash, and they do not supply bash scripts; we use nothing but the

native DCL CLI.

CA Top Secret

CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do

not bundle bash, and they do not supply bash scripts; we use nothing

but the native DCL CLI.

CA Virtual Assurance for Infrastructure Managers (VAIM)

Solution

CA Technologies has issued the following fixes to address the

vulnerabilities.

CA API Management:

Patches for Linux appliance are available through CA Support to

customers of Gateway (applicable for all versions â?? 6.1.5, 6.2, 7.0,

7.1, 8.0, 8.1, 8.1.1, 8.1.02).

CA Application Performance Management:

KB article for APM TIM has been published. APM TIM is the only part of

APM that was affected. Refer to TEC618037.

CA Application Performance Management Cloud Monitor:

New images are available for subscribers. Download the latest OPMS

version 8.2.1.5. For assistance, contact CA Support.

CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):

Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do

not use Bash at all for the CEM operating system that we have shipped

in the past. This means that customers who patch the OS will not impact

the ability of the CEM TIMsoft from operating. However prior to version

9.6, the TIM installation script does use the bash shell. See new KB

article TEC618037 for additional information.

CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal):

Fixes for all Bash vulnerabilities and a security bulletin are available

on the Layer 7 Support website.

CA User Activity Reporting Module (Enterprise Log Manager):

All 12.5 and 12.6 GA versions are potentially affected. Patches

provided on 2014-09-30. To get the patch, use the OS update

functionality to get the latest R12.6 SP1 subscription update. Note

that you can update R12.5 SPx with the R12.6 SP1 OS update. For

assistance, contact CA Support.

Workaround

None

To help mitigate the risk, we do strongly encourage all customers to

follow patch management best practices, and in particular for operating

systems affected by the Bash Shellshock vulnerabilities.

References

CVE-2014-6271 - Bash environment variable command injection

CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271

CVE-2014-7186 - Bash parser redir_stack memory corruption

CVE-2014-7187 - Bash nested flow control constructs off-by-one

CVE-2014-6277 - Bash untrusted pointer use uninitialized memory

CVE-2014-6278 - Bash environment variable command injection

CA20141001-01: Security Notice for Bash Shellshock Vulnerability

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Change History

v1.0: 2014-10-01, Initial Release

v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM,

Clarity OD, All SaaS/OD products to list of Non-Affected Products.

v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated

UARM solution info.

If additional information is required, please contact CA Technologies

Support at https://support.ca.com.

If you discover a vulnerability in CA Technologies products, please

report your findings to the CA Technologies Product Vulnerability

Response Team at vuln (at) ca (dot) com. [email concealed]

PGP key:

support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,

Ken Williams

Director, Product Vulnerability Response Team

CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com

Ken.Williams (at) ca (dot) com [email concealed] | vuln (at) ca (dot) com [email concealed]

Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.

11749. All other trademarks, trade names, service marks, and logos

referenced herein belong to their respective companies.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus