[BESAdmin-Announcements] GNU Bash "Shell Shock" Vulnerability Detection via BigFix

[Announcements for BES Administrators]

Dear BigFix Customers,

A serious vulnerability in the GNU Bash shell was announced today that 
affects most Unix and Unix-like operating systems. This vulnerability does 
not affect IBM Endpoint Manager directly but given the seriousness and 
pervasiveness of the vulnerability the BigFix team thought it important 
that our customers be aware of this issue. 

The so called "Shell Shock" vulnerability is covered by two CVEs:
        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

The vulnerability was discovered by Stephane Chazelas and announced on the 
OSS-SEC mailing list (in addition to other security forums):
        http://seclists.org/oss-sec/2014/q3/649


There are two ways the BigFix team is helping your organization deal with 
this vulnerability:

First, we have published a detection Task and Analysis which are available 
in the Patching Support content site. This content was published in 
Patching Support v250, the Task and Analysis are named:
 
        Task 1828: Check for "Shell Shock" bash Vulnerability 
(CVE-2014-7169)
        Analysis 1829: "Shell Shock" bash Vulnerability (CVE-2014-7169) 
Status

Both the Task and Analysis need to be enabled to determine if your systems 
are running a vulnerable version of the Bash shell.

Second, as patches become available from Operating System vendors we will 
be quickly incorporating those patches into the content sties for those 
specific Operating Systems.

Here is an updated status as of September 26 with patch content related to the bash vulnerability.

Patches for AIX - AIX does not include bash. Updates for third party installs of bash are not currently provided.
Patches for CentOS 5 - Fixlet has been generated, but it's for the 1st vulnerability. Will publish it later today and check tomorrow to see if the new patch has been released.
Patches for CentOS 6 - Fixlet has been generated, but it's for the 1st vulnerability. Will publish it later today and check tomorrow to see if the new patch has been released.
Patches for HPUX - HPUX does not include bash. Updates for third party installs of bash are not currently provided.
Patches for RHEL 5 - Published in site v456 (1st vulnerability). New patch will be published tomorrow.
Patches for RHEL 5 - Dependency Resolution - Published in site v221 (1st vulnerability). New patch will be published tomorrow.
Patches for RHEL 6 - Dependency Resolution - Published in site v256 (1st vulnerability). New patch will be published tomorrow.
Patches for SLE 11 - Published in site v346
Patches for SLE 11 System Z - Published in site v264
Patches for zLinux - Published in site v481 (1st vulnerability). New patch will be published tomorrow.
Patches for Mac - Still no word from Apple.
Patches for RHEL 5/6 Native Tools - Published in  both sites, v94
Patches for SLE 11 Native Tools - Published in site v26
Patches for Solaris - Still no word from Oracle.
Patches for Ubuntu - Published

Sincerely,

The IBM Endpoint Manager Application Team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20140925/c91e134b/attachment.html>