
Security Notice: UPDATE: Patch for bash vulnerability aka Shell Shock CVE-2014-6271 and CVE-2014-7169

Blog Post created by eva.tuczai on Sep 26, 2014

VMTurbo announced the bash command injection vulnerability, aka Shell Shock, yesterday in this post. The openSUSE project has made available a patch addressing CVE-2014-6271 and, as of 9/29 2PM Eastern, also CVE-2014-7169. This article explains how to apply the patch, either directly from openSUSE or as an offline package from VMTurbo.

 

As of Sept 29th, the patch for CVE-2014-6271 (patch openSUSE-559-1) and the patch for CVE-2014-7169 (patch openSUSE-563-1) contain exactly the same update, so applying either of them as of Sept 29 PM will work; you do not need to do both. IF YOU APPLIED CVE-2014-6271 (patch openSUSE-559-1) on or before the afternoon of MONDAY SEPT 29 2014, you will need to apply the fix for CVE-2014-7169 (patch openSUSE-563-1).

 

 

If your VMTurbo Server has Internet Access

 

Step 1: Confirm your operating system is v12.3. If it is not, please refer to this KB article for more information on how to deploy a new VMTurbo Server and migrate the data from the old one.

To check the version of your OS, SSH into the VMTurbo server as root, and then type in the following command and look at the response:

vmturbo:~ # more /etc/SuSE-release
openSUSE 12.3 (x86_64)
VERSION = 12.3
CODENAME = Dartmouth

 

Step 2: List and then apply the update. Log into your VMTurbo Server via SSH using the root user id and password (default is vmturbo). You may review the updates related to the Shell Shock CVEs using the "zypper list-patches" command, supplying the CVE that is currently updated. (See the comment below about ignoring the java repo if it is not found.)

 

vmturbo:~ # zypper list-patches --cve=CVE-2014-7169
Loading repository data...
Reading installed packages...

Issue | No.           | Patch               | Category | Status
------+---------------+---------------------+----------+-------
cve   | CVE-2014-7169 | openSUSE-2014-563-1 | security | needed

 

Step 3: Now apply this update using "zypper patch". (See the comment below about ignoring the java repo if it is not found.)

As of today, the patch for CVE-2014-6271 (patch openSUSE-559-1) and the patch for CVE-2014-7169 (patch openSUSE-563-1) are exactly the same, so applying either of them today will work; you do not need to do both. IF YOU APPLIED CVE-2014-6271 (patch openSUSE-559-1) on or before the afternoon of MONDAY SEPT 29 2014, you will need to apply the fix for CVE-2014-7169 (patch openSUSE-563-1).

 

vmturbo:~ # zypper patch --cve=CVE-2014-7169
File '/repodata/repomd.xml' not found on medium 'http://download.opensuse.org/repositories/Java:sun:Factory/openSUSE_Factory'

Abort, retry, ignore? [a/r/i/? shows all options] (a): i
Do you want to disable the repository Java:sun:Factory_openSUSE_Factory permanently? [yes/no] (no):
Disabling repository 'Java:sun:Factory_openSUSE_Factory'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  openSUSE-2014-563

The following packages are going to be upgraded:
  bash libreadline6

2 packages to upgrade.
Overall download size: 459.1 KiB. After the operation, additional 4.0 KiB will be used.
Continue? [y/n/? shows all options] (y):
Retrieving package libreadline6-6.2-61.15.1.x86_64 (1/2), 127.8 KiB (316.1 KiB unpacked)
Retrieving: libreadline6-6.2-61.15.1.x86_64.rpm ..........[done]
Retrieving package bash-4.2-61.15.1.x86_64 (2/2), 331.3 KiB (683.6 KiB unpacked)
Retrieving: bash-4.2-61.15.1.x86_64.rpm ..........[done]
(1/2) Installing: libreadline6-6.2-61.15.1 ..........[done]
(2/2) Installing: bash-4.2-61.15.1 ..........[done]

 

 

Step 4: Validate that both issues are resolved.  Use the following commands and compare your responses to the ones below.  If the responses match, you are done and the 2 known issues are resolved.

 

vmturbo:/tmp # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
vmturbo:/tmp # rm echo
vmturbo:/tmp # env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

 

This will complete the update. No need to restart any services.

 

 

If your VMTurbo Server does not have Internet Access

 

IF YOU APPLIED this offline update on or before the afternoon of MONDAY SEPT 29 2014, you will need to re-apply the fix for CVE-2014-7169 (patch openSUSE-563-1).

 

VMTurbo has provided the openSUSE-2014-559 patch as a VMTurbo offline update, which you can apply in the same manner as any VMTurbo patch.  Refer to this KB article for more details on how to use the VMTurbo offline update utility.  NOTE: You will obtain the offline update patch here, and not from the article.

 

Step 1: Confirm your operating system is v12.3. If it is not, please refer to this KB article for more information on how to deploy a new VMTurbo Server and migrate the data from the old one.

To check the version of your OS, SSH into the VMTurbo server as root, and then type in the following command and look at the response:

vmturbo:~ # more /etc/SuSE-release
openSUSE 12.3 (x86_64)
VERSION = 12.3
CODENAME = Dartmouth

 

Step 2: Download the update from here.

 

Step 3: Use the update.html page to apply the offline update.  Refer to this KB article for more details on how to use the VMTurbo offline update utility.

 

Step 4: Validate that both issues are resolved.  Use the following commands and compare your responses to the ones below.  If the responses match, you are done and the 2 known issues are resolved.

 

vmturbo:/tmp # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
vmturbo:/tmp # rm echo
vmturbo:/tmp # env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

 

 

This will complete the update. No need to restart any services.
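The Step 4 validation above (the same commands in both the online and the offline procedure) wrapped in a script, so the two checks and the OS version check can be run across many VMTurbo servers and judged by exit status instead of by eye. This is an added example, not VMTurbo's or openSUSE's own code: the function names are this example's own, the CVE-2014-7169 check runs in a scratch directory rather than in /tmp so it never leaves an "echo" file behind, and it invokes bash explicitly where the notice invokes sh, so that bash itself is what gets tested.

```shell
#!/bin/sh
# Added example (not VMTurbo's code): the Shell Shock validation steps from
# this notice as functions that report "patched", "vulnerable" or "unknown".

# Print the VERSION field of a SuSE-release style file (e.g. "12.3").
# Prints nothing if the file has no VERSION line.
parse_suse_version() {
    sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# CVE-2014-6271: a vulnerable bash runs the command that follows the exported
# function body, so "vulnerable" shows up in the output. A patched bash only
# prints the intended "this is a test".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*)     echo vulnerable ;;
        "this is a test") echo patched ;;
        *)                echo unknown ;;
    esac
}

# CVE-2014-7169: on a vulnerable bash the malformed function body turns the
# command into a redirection, leaving a file named "echo" in the current
# directory. A patched bash simply prints "date" and creates no file.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return; }
    tmp=$(mktemp -d) || { echo unknown; return; }
    out=$(cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" 2>/dev/null)
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    elif [ "$out" = "date" ]; then
        result=patched
    else
        result=unknown
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Run both checks; exit status 0 only when both report "patched", so this
# can be called from cron or a configuration-management run.
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$a" "$b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

# When run directly: report the OS version if the release file exists, then
# the patch status. Exit status 0 means both checks passed.
if [ -r /etc/SuSE-release ]; then
    echo "openSUSE version: $(parse_suse_version /etc/SuSE-release)"
fi
shellshock_status
```

On a server that is still unpatched, the second check returns "vulnerable" because the scratch directory contains the "echo" file, which is the same condition the "cat echo" line in Step 4 is looking for; the script removes the directory afterwards so nothing is left in /tmp.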

 

 

Any questions please open a ticket with VMTurbo Support.

 

Thank you!

VMTurbo Product Management and Support
