Bourne Again Shell (Bash) Remote Code Execution Vulnerability
Article ID: 54053
Article Type: Troubleshooting
Last Modified:
A vulnerability in Bash on Linux and UNIX systems, dubbed the “Shellshock” bug, may allow remote attackers to execute arbitrary code. Commvault software's exposure to this vulnerability is limited.
Symptoms
Commvault software's exposure to this vulnerability is limited.
Web services (Apache Tomcat) used for Web Console, reports, and the search engine are limited to Windows platforms and are not vulnerable to the Shellshock bug.
Software installation scripts for UNIX-like platforms use PDKSH and are not vulnerable to the Shellshock bug.
Backup and recovery operations may invoke shell commands. These commands cannot be executed externally. However, the commands do inherit shell environment variables, and if the environment variables have been previously compromised, Commvault software is vulnerable.
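The condition described above can be checked on a client with the following added example (not Commvault code): it flags inherited environment variables whose value begins with `() {`, the form an unpatched Bash parses as a function definition. The sample input and the variable name `SAMPLE_JOB_OPTS` are constructed, and `scan_pid_env` assumes a Linux `/proc` file system.

```shell
#!/bin/sh
# Added example. Sample data and the name SAMPLE_JOB_OPTS are constructed.

# scan_env_lines: read NAME=VALUE lines on stdin and print the NAME of every
# plain variable whose value begins with "() {". Returns 0 if any were found,
# 1 otherwise. Patched Bash exports functions under names such as
# BASH_FUNC_name%%, which are not plain identifiers and are skipped here.
scan_env_lines() {
    awk '
        {
            eq = index($0, "=")
            if (eq < 2) next        # no NAME= prefix (continuation of a multi-line value)
            name  = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) next
            if (substr(value, 1, 4) == "() {") { print name; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# scan_pid_env PID: run the same check on the environment a running process
# inherited (assumes Linux /proc). Returns 2 if that environment cannot be read.
scan_pid_env() {
    [ -r "/proc/$1/environ" ] || return 2
    tr '\0' '\n' < "/proc/$1/environ" | scan_env_lines
}

# sample_env: constructed input in the format printed by env(1).
sample_env() {
    cat <<'EOF'
PATH=/usr/bin:/bin
HOME=/root
SAMPLE_JOB_OPTS=() { :; }
BASH_FUNC_log%%=() {  echo ok
}
LANG=C
EOF
}

# Usage: env | scan_env_lines     (environment of the current shell)
#        scan_pid_env 1234        (running process; 1234 is a placeholder PID)
```

A hit is a prompt for review rather than proof of compromise, because older Bash versions exported legitimate functions in this same form.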
All customers are urged to update/patch any Bash packages on UNIX, Linux, and OS X clients as soon as possible and to follow the security recommendations from appropriate vendors to address this vulnerability: