Ex Libris Knowledge Center

    Security Update - “Shellshock” - Security vulnerability – update September 29, 2014

    Subject: “Shellshock” - Security vulnerability – update September 29, 2014

    Overview

    Ex Libris has been made aware of a recently discovered serious vulnerability called “Shellshock”.

    Unix/Linux systems running an unpatched version of the Bash shell (a popular command-line shell) are vulnerable to the “Shellshock” exploit. Bash imports shell functions from environment variables, and the unpatched parser also executes any commands appended after the function body. Any service that passes attacker-controlled input to a bash process through its environment (web servers running CGI scripts are the most common case) therefore lets a remote attacker issue commands, start/stop processes or install code.

    The vulnerability is tracked in the NIST National Vulnerability Database under CVE-2014-6271 and CVE-2014-7169 (the second entry covers the incomplete initial fix), where more information is available.

    In addition, a more detailed analysis of the vulnerability is available from Red Hat: https://securityblog.redhat.com/2014...jection-attack.

    Major Linux/Unix vendors have released patches that fix this vulnerability for affected versions.

    Effective Security Severity level:

    Critical  

    Affected systems:

    All Ex Libris systems/products running on Unix/Linux.

    Tests and certifications:

    Ex Libris has evaluated Ex Libris products for potential vulnerability and performed certification testing with the available patches for all Ex Libris systems/products running on Unix/Linux. It was determined that the available patches can be safely deployed with no impact to Ex Libris systems/products.

    Actions taken for Hosted systems:

    Ex Libris deployed the patch on all the systems running in the Ex Libris Cloud.  Status: Completed.

    Required actions for on-premise/local systems:

    Ex Libris strongly recommends following the instructions below and installing the patch on Ex Libris products deployed on-premise/locally on Linux/Unix systems.

    For Linux systems:

    1. First stage: determine vulnerability to “Shellshock”

    Reference: https://access.redhat.com/solutions/1207723

    2. Second stage: Mitigating the vulnerability

    •  If your system is vulnerable, upgrade to the most recent Bash package provided by your vendor.
    •  Run the command “yum -y upgrade bash” to install the latest Bash version. O/S patches must be installed as root. Bash processes that are already running keep using the old binary until they are restarted; new invocations (including those started by network-facing services) use the patched one.

    Revert changes:

    Is there a rollback plan, in case of a problem?

    • Run the command “yum downgrade bash” to revert to the previously installed Bash version.

    For UNIX systems (Oracle Solaris):

    1. First stage: Determine vulnerability to “Shellshock”  

    Reference (login to the Oracle support website is required): https://support.oracle.com/epmos/fac...y?id=1930090


    2. Second stage: Mitigating the vulnerability

    • Install the patch from the reference with the 'patchadd' command provided with Solaris ('patchrm' backs it out). Detailed instructions are on the Oracle website. O/S patches must be installed as root.
    • After the O/S patch is installed, remove the bash binary deployed by Ex Libris under the product directory, so that the product uses the patched system bash (the bundled copy is not updated by the O/S patch):

      find /exlibris/product -name bash -exec rm -f {} \;    (run it once on the server, as root)
      rm $aleph_dev/product/bin/bash                          (run it in each slot on the server, with that slot's environment loaded)

    (This example is for the Aleph product; for other products replace $aleph_dev with $arc_dev, $primo_dev, $metalib_dev, etc.)
        
    Revert changes:

    Is there a rollback plan, in case of a problem?

    • Use the 'patchrm' command provided with Solaris to back out the patch, as described in the reference. Detailed instructions are on the Oracle website.

    For UNIX systems (AIX):

    Reference: http://www-01.ibm.com/support/docvie...d=isg3T1021272

    1. First stage: Determine vulnerability to “Shellshock”  

    2. Second stage: Mitigating the vulnerability

    •  Download the latest bash package, which includes the fix, from the reference link above and install it.
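    The first stage of each of the three procedures above (Linux, Solaris, AIX) is the same test: hand bash an exported variable shaped like a function definition and see whether it executes what follows. The script below is an added example, not part of the Ex Libris advisory or of the vendor references; it assumes a POSIX /bin/sh and a `bash` on PATH, and wraps the two widely published checks for CVE-2014-6271 and CVE-2014-7169 so they can be run before patching and again afterwards to confirm the fix took. It changes nothing on the system. Run it on each server as the user that invokes the product's bash.

```shell
#!/bin/sh
# Added example (not from the Ex Libris advisory): self-check for the two
# Shellshock CVEs. Assumes POSIX sh and a "bash" on PATH; it never modifies
# the system, so it is safe to run before and after patching.

# CVE-2014-6271: bash imports functions from environment variables whose value
# starts with "() {". An unpatched bash also executes whatever follows the
# function body, so "echo vulnerable" runs before the -c command does.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. On a still-vulnerable bash the
# dangling redirection in the imported function leaks into the -c command, so
# "echo date" is executed as ">echo date" and a file named "echo" (holding the
# output of date) appears in the working directory. Work in a private temp dir
# so a vulnerable system does not litter the real cwd.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    tmpdir=$(mktemp -d) || return 2
    ( cd "$tmpdir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        echo "vulnerable"
        return 1
    fi
    rm -rf "$tmpdir"
    echo "not vulnerable"
    return 0
}

# Print one line per CVE; return non-zero if either CVE is still present
# (status 2, "bash not found", is reported but not treated as vulnerable).
shellshock_report() {
    s1=0; r1=$(check_cve_2014_6271) || s1=$?
    s2=0; r2=$(check_cve_2014_7169) || s2=$?
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$s1" -ne 1 ] && [ "$s2" -ne 1 ]
}

shellshock_report
```

    On an unpatched system the first check prints "vulnerable" and the second leaves the file "echo" behind; a bash carrying both fixes prints "not vulnerable" twice. A system that passes the first check but fails the second has only the initial, incomplete fix and still needs the vendor's later package.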


    Record of Changes

    Document Title: Security Update - “Shellshock” - Security Vulnerability Update

    Document Owner: Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)

    Approved by: Barak Rozenblat – VP Cloud Services

    Issued: Mar 16, 2014

    Reviewed & Revised: Sep 27, 2014


    Revision Control

    Version Number   Nature of Change   Date Approved
    1.0              Initial version    Mar 16, 2014
    1.1              Update             Sep 27, 2014

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.