    Security Advisory- “Shellshock” - Security vulnerability – update September 29, 2014

    Subject: “Shellshock” - Security vulnerability – update September 29, 2014

    Overview

    Ex Libris has been made aware of a recently discovered serious vulnerability called “Shellshock”.

    All Unix/Linux systems that use the Bash shell (a popular command-line shell) are vulnerable to the 'shellshock' exploit. This vulnerability allows remote attackers to issue commands, start/stop processes or install code.

    The vulnerability is covered by two NIST advisories in the National Vulnerability Database, CVE-2014-6271 and CVE-2014-7169, where more information is available.

    In addition, a more detailed analysis of the vulnerability is available from Red Hat - https://securityblog.redhat.com/2014...jection-attack.

    Patches have been released by major Linux/Unix vendors to fix this vulnerability in affected versions.

    Effective Security Severity level:

    Critical  

    Affected systems:

    All Ex Libris systems/products running on Unix/Linux.

    Tests and certifications:

    Ex Libris has evaluated Ex Libris products for potential vulnerability and performed certification testing with the available patches for all Ex Libris systems/products running on Unix/Linux. It was determined that the available patches can be safely deployed with no impact to Ex Libris systems/products.

    Actions taken for Hosted systems:

    Ex Libris deployed the patch on all the systems running in the Ex Libris Cloud.  Status: Completed.

    Required actions for on-premise/local systems:

    Ex Libris strongly recommends following the instructions and installing the patch on Ex Libris products on-premise/locally using Linux/Unix systems.

    For Linux system:

    1. First stage: determine vulnerability to “Shellshock”

    • Check if your system is vulnerable – To determine this you need to review the version of Bash – please follow the instructions here:
      • https://securityblog.redhat.com/2014...ection-attack/
      • http://www.volexity.com/blog/?p=19

    Reference: https://access.redhat.com/solutions/1207723

    2. Second stage: Mitigating the vulnerability

    • If your system is vulnerable, you need to upgrade to the most recent version of Bash.
    • Run the command “yum -y upgrade bash” and install the latest Bash version. O/S patches should be run as the root user.

    Revert changes:

    Is there a rollback plan, in case of a problem?

    • Run the command “yum downgrade bash” to revert to the Bash version installed before the latest version.

    For UNIX system (Oracle Solaris):

    1. First stage: Determine vulnerability to “Shellshock”  

    • Check if your system is vulnerable – To determine this you need to review the version of Bash –
      please follow the instructions here:
      • https://securityblog.redhat.com/2014...ection-attack/
      • http://www.volexity.com/blog/?p=19

    Reference (note that login to Oracle website is required): https://support.oracle.com/epmos/fac...y?id=1930090.


    2. Second stage: Mitigating the vulnerability

    • Run and install the patch using the 'patchadd' and 'patchrm' commands provided with Solaris, from the reference. Detailed instructions are on the Oracle website. O/S patches should be run as the root user.
    • After the O/S patch is installed, please remove the bash directory deployed by Ex Libris using the following commands:
      find /exlibris/product -name bash -exec rm -f {} \;    (run it once on the server)
      rm $aleph_dev/product/bin/bash    (run it on each slot in the server)

    (This example is for the Aleph product; for other products replace $aleph_dev with $arc_dev, $primo_dev, $metalib_dev, etc.)
        
    Revert changes:

    Is there a rollback plan, in case of a problem?

    • Use the 'patchrm' command provided with Solaris, from the reference. Detailed instructions are on the Oracle website.

    For UNIX system (AIX):

    Reference:  http://www-01.ibm.com/support/docvie...d=isg3T1021272

    1. First stage: Determine vulnerability to “Shellshock”  

    • Check if your system is vulnerable – To determine this you need to review the version of Bash – please follow the instructions here:
      • https://securityblog.redhat.com/2014...ection-attack/
      • http://www.volexity.com/blog/?p=19

    2. Second stage: Mitigating the vulnerability

    •  Please download the latest bash including the fix from the Reference link and install it
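
The first-stage check in each section above, and the Solaris step that removes Ex Libris-deployed bash copies, as an added example (not Ex Libris or vendor code): it runs a harmless behavioural probe for CVE-2014-6271 against one bash binary or against every file named bash under a directory. The names check_bash, scan_tree and MARKER are made up for this example; CVE-2014-7169 is not covered.

```shell
#!/bin/sh
# Added example: behavioural check for CVE-2014-6271 on one or many bash binaries.
# check_bash, scan_tree and MARKER are names made up for this example.
MARKER="SHELLSHOCK_PROBE_HIT"

# check_bash BIN: prints vulnerable | patched | error, returns 1 | 0 | 2.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "error"; return 2; }
    # The variable looks like an exported function with a trailing command.
    # A fixed bash keeps it as plain data, so only "probe_done" is printed;
    # an unfixed bash runs the trailing echo while importing the variable.
    out=$(env "probe=() { :;}; echo $MARKER" "$bin" -c 'echo probe_done' \
          2>/dev/null </dev/null)
    case $out in
        *"$MARKER"*)  echo "vulnerable"; return 1 ;;
        *probe_done*) echo "patched";    return 0 ;;
        *)            echo "error";      return 2 ;;
    esac
}

# scan_tree DIR: checks every file named "bash" under DIR (for example the
# product-bundled copies the Solaris step removes), prints "STATUS PATH"
# per file and returns 1 if any copy is vulnerable, else 0.
scan_tree() {
    found=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        st=$(check_bash "$f") || true
        echo "$st $f"
        if [ "$st" = "vulnerable" ]; then found=1; fi
    done <<EOF
$(find "$1" -type f -name bash 2>/dev/null)
EOF
    return $found
}

# Stand-alone use: check the bash on PATH, then any tree given as argument,
# e.g.  sh check_shellshock.sh /exlibris/product
check_bash "$(command -v bash)" || true
for dir in "$@"; do scan_tree "$dir" || true; done
```

Run it before and after patching; a product-bundled copy that still reports vulnerable after the O/S patch is the case the Solaris removal step addresses.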

     

    Record of Changes

    Type of information    Document Data
    Document Title:        Security Advisory- “Shellshock” - Security Vulnerability Update
    Document Owner:        Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Approved by:           Barak Rozenblat – VP Cloud Services
    Issued:                Mar 16, 2014
    Reviewed & Revised:    Sep 27, 2014

     

    Revision Control

    Version Number    Nature of Change    Date Approved
    1.0               Initial version     Mar 16, 2014
    1.1               Update              Sep 27, 2014

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
