On Fri, Sep 26, 2014 at 5:42 AM, Timothy Sipples <[email protected]> wrote:

> Here's some more (unofficial) information on the "Shellshock" security
> vulnerability. As always, please make sure you're subscribed to IBM's
> security alerts for timely and official advice.
>
> The Bourne Again Shell (bash) is commonly included with Linux
> distributions, including Red Hat and Novell SuSE Linux distributions for
> zEnterprise all the way down to/including small embedded distributions of
> Linux contained in devices such as wireless routers and Web cameras. Please
> make sure you update bash throughout all your Linux- and UNIX-based
> environments, including embedded versions, to address both CVE-2014-6271
> and CVE-2014-7169. I recommend prioritizing those environments that are
> network-facing, especially those that are externally reachable.
>
> As for z/OS, most z/OS customers are likely to be unaffected. However, as a
> notable exception, IBM has a version of bash for z/OS (Version 2.03)
> available for download as part of the Open Source Software for z/OS and
> OS/390 UNIX redbook published over a decade ago. IBM has always provided
> this particular collection of open source software "as-is," without any
> warranty or support. Nonetheless, some z/OS customers have installed and
> use these "as-is" open source tools, particularly in z/OS development
> LPARs. I recommend checking to make sure you do not have this version or
> any other vulnerable version of bash installed -- and to take action if you
> do. IBM provides both source code and binaries for this older version of
> bash, so if you'd like to patch and recompile bash to remove the security
> vulnerability, you can certainly do so on your own at your own risk (as
> with any other code changes you wish). I have no information about what IBM
> will do (if anything) about this "as-is" downloadable version of bash for
> z/OS.

As a bit of an aside, I used the source IBM supplied for the 2.03 version to
port the 4.2.0(4) version to z/OS. This version is on the CBTTape.org site
and it __IS__ vulnerable. When I find a patch which fits and get the time, I
do plan to update the z/OS port of 4.2. I've been going down rabbit holes on
another project right now. The only way that I can see this as an exploit
might be if someone used BASH in a CGI.

> In practically all environments, including z/OS, it's theoretically
> possible that a software vendor embedded bash into their product(s) in some
> form. To my knowledge IBM has not done that. However, please monitor the
> official alert channels that your vendors provide.
>
> Theoretically hardware management consoles (HMCs) and appliances, which are
> often based on Linux, could contain bash. I have no such information that
> they do (and, if they do, whether this security vulnerability is
> exploitable in such contexts), but again please make sure you subscribe to
> IBM security alerts for the latest advice.
>
> --------------------------------------------------------------------------------------------------------
> Timothy Sipples
> IT Architect Executive, zEnterprise Industry Solutions, AP/GCG/MEA
> --------------------------------------------------------------------------------------------------------

--
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
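The check both posters describe (confirm whether an installed bash, such as the IBM 2.03 build or the CBTTape 4.2 port, is still affected by CVE-2014-6271 and CVE-2014-7169) can be scripted. The following is an added example, not code from either poster, from IBM or from the CBTTape project: a POSIX sh function `shellshock_status` that runs the two widely published vendor test commands against a bash binary and reports `patched`, `vulnerable:<CVE>` or `absent`. It assumes `mktemp -d` is available and that the binary is either on PATH or supplied as a path argument (a hypothetical install path is used in the usage comment).

```shell
#!/bin/sh
# Added example (not from the IBM-MAIN thread): report whether a given bash
# binary still runs the trailing command in an exported function definition
# (CVE-2014-6271) or mis-parses the crafted definition that the incomplete
# first fix left open (CVE-2014-7169). Both probes are the published vendor
# test commands; they only echo a string or create a file inside a private
# temporary directory, and nothing else is changed on the system.
#
# Usage:  shellshock_status [path-to-bash]      (default: the bash on PATH)
# Output: patched | vulnerable:CVE-2014-6271 | vulnerable:CVE-2014-7169 | absent
# Exit:   0       | 1                        | 1                        | 2

shellshock_status() {
    bash_bin="${1:-bash}"

    # No such binary (e.g. a z/OS LPAR that never installed the "as-is" port):
    # nothing to remediate on this host.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "absent"
        return 2
    fi

    # CVE-2014-6271: a vulnerable bash executes "echo vulnerable" while
    # importing the variable x; a patched bash treats x as plain data.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "vulnerable:CVE-2014-6271"
            return 1
            ;;
    esac

    # CVE-2014-7169: with only the first fix applied, this definition turns
    # "echo date" into a redirection and creates a file named "echo" in the
    # current directory. Run it inside a throwaway directory so the probe's
    # only side effect is contained and removed.
    tmpdir=$(mktemp -d) || return 2
    (
        cd "$tmpdir" &&
        env x='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1
    )
    if [ -e "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        echo "vulnerable:CVE-2014-7169"
        return 1
    fi
    rm -rf "$tmpdir"

    echo "patched"
    return 0
}

# Stand-alone use: check the bash on PATH, or the path given as first argument,
# e.g.  sh shellshock_check.sh /usr/local/bin/bash   (hypothetical path).
shellshock_status "$@"
```

A `patched` result only means these two probes no longer fire on that binary; it does not replace applying the vendor's full update, and it says nothing about other copies of bash on the same host (embedded builds, container images, a second install under a different prefix), so run it against each binary you find rather than once per machine.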
