Linux Bash Bug - Shellshock - is Real: Get Patched (Mac Too)
Bill Malchisky    

This is ugly, but fortunately you just have to update to a fixed Bash version and you're fine (for now). No need to reboot your system either. Red Hat is out early on this and escalated it appropriately. Their first round of updates closed all but one exploit permutation, so they issued a second bug identifier and are working to close that one soon.

Their initial timeline: Red Hat announced the bug on 14 Sep, had a proposed upstream patch seven hours later (0500h 15 Sep), backported it to Bash 3.0, 3.1, 3.2, 4.0, 4.1, and 4.2 three days later on 18 Sep; announced the release one hour later and made it public with an updated issue description six hours after that. Pretty impressive. On the 24th, Red Hat provided public documentation on this matter; six hours later it was reported that the fix misses one exploit, so they are working to resolve that as I write this post. Things move fast in the world of open source.

Impact Statement

The following, from Red Hat's "Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)", provides the prose for the next two sections.

Abstract Update

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

How does this impact systems

This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
All versions prior to those listed as updates for this issue are vulnerable to some degree.


Test If You Have The Bug

malchw@san-domino:~/Documents/$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


Positive Result

vulnerable

this is a test


Negative Result

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


Notations

1. Your response may be something similar and be just fine; the difference is getting noise (the warning lines) versus the clean "vulnerable" line the positive result shows.
2. Run this check on any Apple Mac product running OS X, as tests show Macs are vulnerable too.
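As an added example (not from the original post), here is the check above wrapped so it can run unattended across many hosts and return a status code instead of relying on someone reading the output. The function names classify_output and shellshock_check are my own, and it assumes a bash binary is on PATH or is passed as the argument.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the post's env-variable
# test so it can run unattended (cron, config management) and return a
# machine-readable verdict. Function names are my own.

# Turn captured test output into a verdict. Per the post's notes, what matters
# is whether the injected "vulnerable" line appears; the warning lines are a
# patched bash refusing the function import, and a quiet run is also fine.
classify_output() {
    case "$1" in
        *vulnerable*)                              echo VULNERABLE ;;
        *"ignoring function definition attempt"*)  echo PATCHED ;;
        *"this is a test"*)                        echo PATCHED ;;
        *)                                         echo UNKNOWN ;;
    esac
}

# Run the post's test against a bash binary (default: the first one on PATH),
# capturing stdout and stderr together. Exit status 0 means patched,
# 1 means vulnerable, 2 means the binary could not be tested.
shellshock_check() {
    bash_bin="${1:-$(command -v bash)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo UNKNOWN
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1)
    verdict=$(classify_output "$out")
    echo "$verdict"
    case "$verdict" in
        PATCHED)    return 0 ;;
        VULNERABLE) return 1 ;;
        *)          return 2 ;;
    esac
}

# Usage: "sh shellshock-check.sh --run" tests the bash on PATH and /bin/bash
# explicitly, since hosts with more than one bash (e.g. a Mac with a newer
# bash installed next to the vendor one) need every copy checked.
if [ "${1:-}" = "--run" ]; then
    for b in "$(command -v bash)" /bin/bash; do
        printf '%s: ' "$b"
        shellshock_check "$b" || true
    done
fi
```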

Mitigation

Red Hat's Security Blog has a detailed analysis of which programs that invoke Bash can cause issues and why: "Bash specially-crafted environment variables code injection attack".


Resolution

Ideally, you need to be running bash-4.1.2-15 with current RHEL versions. Despite the bug's significance, the fix is really easy.
RHEL: # yum clean all && yum update bash
On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5.1.i386.rpm

CentOS: # yum clean all && yum update bash
Ubuntu: $ update-manager -or- $ sudo apt-get update (followed by the normal package upgrade)

If you know the version number, you can always specify it too (package name example is for RHEL 6.5):
# yum update bash-4.1.2-15.el6_5.1


-OR-
Get the update manually and update the RPM -> https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=27888

Note: the "clean all" parameter above tells yum to clean all cached data, ensuring that bash can be updated more reliably, particularly on older systems; it may be considered optional on current systems.


Distro Provided Resolution Documents

CentOS posted a document on the exploit and obtaining fixes through their mailing list, "[CentOS] Critical update for bash released today."
Red Hat's is here: "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux"
Novell/SUSE: bug report with patches here
Debian
Ubuntu

Example Output - CentOS 6.5

[root@localhost ~]# yum clean all && yum update bash
Loaded plugins: fastestmirror, refresh-packagekit, security
Cleaning repos: base extras updates
Cleaning up Everything
Cleaning up list of fastest mirrors
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
* base: centos.chi.host-engine.com
* extras: cosmos.cites.illinois.edu
* updates: mirror.atlanticmetro.net
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.4 MB     00:05
extras                                                   | 3.3 kB     00:00
extras/primary_db                                        |  19 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:06
Setting up Update Process
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirrors.lga7.us.voxel.net
* extras: mirror.es.its.nyu.edu
* updates: centos.aol.com
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package       Arch            Version                   Repository        Size
================================================================================
Updating:
bash          x86_64          4.1.2-15.el6_5.1          updates          905 k

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

Updated:
bash.x86_64 0:4.1.2-15.el6_5.1

Complete!



Quick and Dirty Work-around, provided by Jake DePoy

# iptables --append INPUT -m string --algo kmp --hex-string '|28 29 20 7B|' --jump DROP

(The hex string 28 29 20 7B is the byte sequence "() {", the function-definition prefix the exploit relies on, so this rule drops any inbound packet carrying it.)


The Red Hat Customer Portal notes the limitation of the above work-around:
"Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability."

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/patch-bash.htm
Sep 25, 2014