Bash Security Alert September 2014

Summary

A security vulnerability in bash (the GNU Bourne-Again Shell), the default command-line shell on Linux systems including Red Hat Enterprise Linux, allows an attacker who can control the contents of an environment variable passed to bash to execute arbitrary commands on the server. The issue is tracked as CVE-2014-6271 and is widely known as "Shellshock"; any service that hands attacker-supplied data to bash through the environment (web servers running CGI scripts are the most common case) could be exploited by a specially crafted request.

Epicor’s Response

We have reviewed the Eclipse software and verified that none of our products are directly affected by this vulnerability.

Customer Action

While the Eclipse software is not directly affected by this vulnerability, we highly recommend that our customers take the following actions to safeguard their servers:

  1. Install the updated bash package as soon as possible, using the command
    yum update bash
  2. Do not make the Linux server directly accessible from the Internet. Use a VPN to reach the server remotely.
  3. Continue to install Red Hat software updates on a regular basis.

For more information, please read the following articles on Red Hat’s website:

FAQ

Q. Are web services that indirectly access the Linux database server affected?

A. No. Eclipse doesn’t use the affected Apache web server on Linux. Web services that use fastcgi (e.g. WOE, Web Integration) that run on the Windows IGATE server access the UniVerse SOCKET server, which isn’t affected. Web services that access JBoss on the database server (e.g. POD, JM) aren’t affected.

Q. The yum update tool is not working. Can I manually install the updated bash software?

A. Yes. The packages below are hosted on a third-party file-sharing service rather than on Red Hat's own servers, so before installing one, verify its GPG signature against the Red Hat release key and check that the file name matches the version for your release. After installing, confirm that the running bash is fixed using the test in the next question.

For servers running RHEL 5:

rpm -Uvh http://f.cl.ly/items/0v0V430R0b3a3j3M4344/bash-3.2-33.el5_11.4.x86_64.rpm

For servers running RHEL 6:

rpm -Uvh http://f.cl.ly/items/3p083T2f1j3b191x423d/bash-4.1.2-15.el6_5.2.x86_64.rpm

Q. How do I test to see if my server is vulnerable?

A. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word "vulnerable" echoed back, the bash on that server still has the flaw and needs to be updated. A patched bash refuses to import the function definition and prints only "this is a test", usually preceded by warning lines such as "bash: warning: x: ignoring function definition attempt"; those warnings are expected and indicate that the fix is present. Note that this command checks only the original flaw (CVE-2014-6271). The follow-up issue CVE-2014-7169 is fixed in the package versions listed above (bash-3.2-33.el5_11.4 for RHEL 5 and bash-4.1.2-15.el6_5.2 for RHEL 6), so also confirm that the installed bash package is at least that version.
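The following script is an added example, not part of the Epicor advisory. It wraps the env test above in a shell function that reports a single word and a meaningful exit status, so the same check can be run from a patch-verification or monitoring script across many servers instead of reading the output by eye. It assumes the bash binary to test is given as the first argument and defaults to whichever bash is on PATH.

```shell
#!/bin/sh
# Added example (not from the Epicor advisory): scriptable version of the
# Shellshock (CVE-2014-6271) environment-variable test.
# Assumption: $1 is the path of the bash binary to test, defaulting to "bash".

shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # Export a variable whose value looks like a function definition followed
    # by a trailing command. A vulnerable bash imports the function and also
    # executes "echo vulnerable"; a patched bash refuses the import (printing
    # a warning on stderr, which is discarded here) and only runs the -c
    # command, so its output contains just "this is a test".
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*)       echo "vulnerable"; return 1 ;;
        *"this is a test"*) echo "patched";    return 0 ;;
        *)                  echo "unknown";    return 3 ;;
    esac
}

# When run directly: print the status of the bash given as $1 (or the default).
# Exit status 1 from shellshock_check means the server still needs the update.
result=$(shellshock_check "${1:-bash}")
echo "bash status: $result"
```

Run it as "sh shellshock_check.sh /bin/bash" on each server; anything other than "patched" warrants follow-up. Because the exit status is distinct for vulnerable, missing and unexpected output, the function can be called from a fleet-wide loop that records which hosts still need the bash package update.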