Wednesday, October 1, 2014

Bash security alert on Exadata/Oracle Linux

There is a new security issue named "Bash Shell Shock", also documented as CVE-2014-6271/CVE-2014-7169.

Shellshock is the nickname for a flaw in the Bourne-Again Shell (Bash), which is commonly used on Oracle Enterprise Linux (OEL). The Shellshock vulnerability allows remote attackers to write to files or possibly have other, unspecified impact.

On database nodes, obtain and install the updated bash package at the following version, or later:

This package may be obtained via

To install this package on DB nodes, the exadata-sun-computenode-exact RPM must be removed first. If using Exadata DB server image version or later, first run this command: rpm -e exadata-sun-computenode-exact

Then, use this command on all releases to install the updated rpm.
rpm -Uvh <new bash rpm>

To install this package on storage cells (supported as an exception for this CVE only), install it using "rpm -Uvh --nodeps <path to bash rpm>".

Stay up to date by regularly checking the My Oracle Support (MOS) note below for the latest security findings.

Responses to common Exadata security scan findings (Doc ID 1405320.1)

The following command can be used to check whether you are affected by the issue; if the command prints "vulnerable", you are at risk.

[root@localhost ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
this is a test

Below I have included the before and after results of removing the Shellshock issue from an OEL server.

[root@localhost ~]# yum update bash
Loaded plugins: downloadonly, security
public_ol6_UEKR3_latest                                                                                       | 1.2 kB     00:00
public_ol6_latest                                                                                             | 1.4 kB     00:00
public_ol6_latest/primary                                                                                     |  41 MB     00:37
public_ol6_latest                                                                                                        26205/26205
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                 Arch                      Version                                Repository                            Size
 bash                    x86_64                    4.1.2-15.el6_5.2                       public_ol6_latest                    905 k

Transaction Summary
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.2.x86_64.rpm                                                                              | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.2.x86_64                                                                                      1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                                                                        2/2
  Verifying  : bash-4.1.2-15.el6_5.2.x86_64                                                                                      1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                                                                        2/2

  bash.x86_64 0:4.1.2-15.el6_5.2

[root@localhost ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
this is a test
[root@localhost ~]#
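The manual check above and the post-update verification can be wrapped in a small script so the same test is run the same way on every DB node and storage cell. The script below is an added example, not part of the original post; it assumes a `bash` binary on the PATH (or one passed as the first argument) and a writable temp directory, and it covers both CVEs the post names: the function-import flaw (CVE-2014-6271, the exact env strings used above) and the parser bug left by the first fix (CVE-2014-7169, which on an unpatched bash creates a stray file named "echo" in the working directory).

```sh
#!/bin/sh
# Added example: Shellshock checks for the two CVEs named in the post.
# Each check exits 0 = not vulnerable, 1 = vulnerable, 2 = could not test.

# CVE-2014-6271: same constructed env strings as the manual check; a vulnerable
# bash runs the trailing "echo vulnerable" while importing the function.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' \
          "$bash_bin" -c 'echo this is a test' 2>&1) || true
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the malformed definition leaves ">\" in the parser, so an
# unpatched bash turns the next command into a redirection that creates a
# file named "echo". Run inside a scratch directory so nothing is left behind.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" || exit 2
      env 'x=() { (a)=>\' "$bash_bin" -c 'echo hello' >/dev/null 2>&1 || true
      [ ! -e echo ] ) && rc=0 || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# One-line summary per host, suitable for collecting across nodes and cells.
shellshock_status() {
    bash_bin="${1:-bash}"
    status=PATCHED
    for check in check_cve_2014_6271 check_cve_2014_7169; do
        "$check" "$bash_bin" && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && status=VULNERABLE
        [ "$rc" -eq 2 ] && [ "$status" = PATCHED ] && status=UNTESTED
    done
    echo "$bash_bin: $status"
    [ "$status" = PATCHED ]
}

shellshock_status "$@"
```

Run it after `yum update bash` (or the `rpm -Uvh` step) on each node; a non-zero exit means the host still needs attention.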
