Here's some more (unofficial) information on the "Shellshock" security vulnerability. As always, please make sure you're subscribed to IBM's security alerts for timely and official advice.
The Bourne Again Shell (bash) is commonly included with Linux distributions, including Red Hat and Novell SuSE Linux distributions for zEnterprise all the way down to/including small embedded distributions of Linux contained in devices such as wireless routers and Web cameras. Please make sure you update bash throughout all your Linux- and UNIX-based environments, including embedded versions, to address both CVE-2014-6271 and CVE-2014-7169. I recommend prioritizing those environments that are network-facing, especially those that are externally reachable.

As for z/OS, most z/OS customers are likely to be unaffected. However, as a notable exception, IBM has a version of bash for z/OS (Version 2.03) available for download as part of the Open Source Software for z/OS and OS/390 UNIX redbook published over a decade ago. IBM has always provided this particular collection of open source software "as-is," without any warranty or support. Nonetheless, some z/OS customers have installed and use these "as-is" open source tools, particularly in z/OS development LPARs. I recommend checking to make sure you do not have this version or any other vulnerable version of bash installed -- and to take action if you do. IBM provides both source code and binaries for this older version of bash, so if you'd like to patch and recompile bash to remove the security vulnerability, you can certainly do so on your own at your own risk (as with any other code changes you wish). I have no information about what IBM will do (if anything) about this "as-is" downloadable version of bash for z/OS.

In practically all environments, including z/OS, it's theoretically possible that a software vendor embedded bash into their product(s) in some form. To my knowledge IBM has not done that. However, please monitor the official alert channels that your vendors provide. Theoretically hardware management consoles (HMCs) and appliances, which are often based on Linux, could contain bash.
I have no such information that they do (and, if they do, whether this security vulnerability is exploitable in such contexts), but again please make sure you subscribe to IBM security alerts for the latest advice.

--
Timothy Sipples
IT Architect Executive, zEnterprise Industry Solutions, AP/GCG/MEA
E-Mail: [email protected]

For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
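The post recommends checking every Linux/UNIX host for a vulnerable bash and patching for both CVE-2014-6271 and CVE-2014-7169. The following self-check script is an added example, not part of the original message or any IBM deliverable. It wraps the two standard, non-destructive probes for those CVEs so that an administrator can audit a host before and after patching; it assumes a POSIX sh with `env` and `mktemp` available, and the bash binary to test is passed as the first argument (default: whatever `bash` is on the PATH). Neither probe does anything beyond printing a word or creating a file in a throw-away scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): a local self-check for the two
# bash CVEs named above, for auditing your own hosts before and after patching.
# Each check reports "patched", "vulnerable", or "missing" (no such bash binary).

# CVE-2014-6271: a function definition passed through the environment must not
# execute the commands that follow the function body when bash starts.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    # A vulnerable bash runs the trailing 'echo vulnerable' while importing x;
    # a patched bash treats x as an ordinary string variable and prints only "probe".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: builds carrying only the first fix still mis-parse the tail of an
# imported function, so the next command is turned into a redirection. Run the
# probe inside a scratch directory and look for the file it would create.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    tmpd=$(mktemp -d 2>/dev/null) || { echo "missing"; return 2; }
    # On an affected bash, 'echo probe' is executed as '> echo probe',
    # i.e. a file named 'echo' appears in the current directory.
    ( cd "$tmpd" && env X='() { (a)=>\' "$bash_bin" -c 'echo probe' ) >/dev/null 2>&1 || :
    if [ -e "$tmpd/echo" ]; then
        rm -rf "$tmpd"; echo "vulnerable"; return 1
    fi
    rm -rf "$tmpd"; echo "patched"; return 0
}

# Prints the bash version string and both results. Exit status is 0 unless a
# probe reported "vulnerable", so the script can drive a cron job or audit runner.
shellshock_report() {
    bash_bin="${1:-bash}"
    ver=$("$bash_bin" --version 2>/dev/null | head -n 1)
    r1=$(check_cve_2014_6271 "$bash_bin") || :
    r2=$(check_cve_2014_7169 "$bash_bin") || :
    printf '%s\n  CVE-2014-6271: %s\n  CVE-2014-7169: %s\n' \
        "${ver:-$bash_bin: not found}" "$r1" "$r2"
    [ "$r1" != "vulnerable" ] && [ "$r2" != "vulnerable" ]
}

shellshock_report "${1:-bash}"
```

Run it as `sh shellshock_check.sh` for the default bash, or pass the path of any other build you want to audit (for example an older bash installed outside the default PATH on a development system). A "vulnerable" result on either line means the host still needs the vendor update for that CVE; "missing" means the path given is not an executable bash.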
