Article Original Creation Date: 2015-01-23
Overview
Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
ServiceGateway uses /bin/sh for all its scripts, for the ServiceGateway application. Any variant of Bash (tcsh, ksh, csh, sh, etc.) is compatible. This article details the process to check servers for the vulnerability and the effect of Bash updates on an existing installation.
Environment
- Solaris 10 on Sparc
- ServiceGateway (SG) 4.2.2
- JBoss 4.0.4.GA
Information
To check whether any ServiceGateway (SG) server is vulnerable, execute the following command:
bash-3.00# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The server is vulnerable if the above command gives the following output:
vulnerable
this is a test
In this case, update Bash to the latest secure version or install the available security patches.
Updating Bash will not introduce any new issues in existing installations.
The following page from Oracle contains a list of all of their vulnerable products and any available patches: Bash "Shellshock" Vulnerabilities - CVE-2014-7169.
Confirmation
After updating Bash to the latest secure version, the command:
bash-3.00# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
will return the following output:
this is a test
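The check and the post-update confirmation above can be scripted so that several shell binaries on one host are tested and re-tested the same way. The following is an added example, not part of the original article or of ServiceGateway; it assumes Bash or another POSIX shell, and the function names check_shellshock and report and their return codes are assumptions of this example.

```shell
# Added example: wrap the article's Shellshock probe so it can be run
# against any shell binary, before and after patching.

# check_shellshock SHELL_PATH
#   returns 0 = not vulnerable, 1 = vulnerable, 2 = check could not be run
check_shellshock() {
    cs_path=$1
    # A missing or non-executable binary is reported, not treated as safe.
    if [ ! -x "$cs_path" ]; then
        return 2
    fi
    # Same probe as in the article: a function definition in the environment
    # followed by a trailing command. A patched Bash ignores the trailer.
    cs_out=$(env x='() { :;}; echo vulnerable' "$cs_path" -c "echo this is a test" 2>/dev/null)
    case "$cs_out" in
        *vulnerable*)     return 1 ;;   # trailer was executed
        "this is a test") return 0 ;;   # only the requested command ran
        *)                return 2 ;;   # unexpected output, do not guess
    esac
}

# report SHELL_PATH...
#   prints one result line per binary given on the command line
report() {
    for r_path in "$@"; do
        r_rc=0
        check_shellshock "$r_path" || r_rc=$?
        case $r_rc in
            0) echo "$r_path: not vulnerable" ;;
            1) echo "$r_path: VULNERABLE, update Bash" ;;
            *) echo "$r_path: check could not be run" ;;
        esac
    done
}

# When invoked with arguments, test each path given, for example:
#   bash check_shellshock.sh /bin/bash /usr/bin/bash
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run it once before the update and once after; every binary that reported VULNERABLE should report not vulnerable the second time.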