Bourne Again Shell (Bash) Remote Code Execution Vulnerability

A vulnerability in Bash on Linux and UNIX Systems, dubbed the “Shellshock” bug, may allow remote attackers to execute arbitrary code. Commvault software vulnerability is limited.

Symptoms

Commvault software vulnerability is limited.

• Web services (Apache Tomcat) used for Web Console, reports, and search engine is limited to Windows platforms and is not vulnerable to the Shellshock bug.
• Software installation scripts for UNIX-like platforms use PDKSH and are not vulnerable to the Shellshock bug.
• Backup and recovery operations may invoke shell commands. These commands cannot be executed externally. However, the commands do inherit shell environment variables, and if the environment variables have been previously compromised, Commvault software is vulnerable.
• File level recovery appliance contains prepackaged Linux distributions which may have been vulnerable and have been patched. The patches are available from the Cloud Services site and from Maintenance Advantage.

Resolution

All customers are urged to immediately update/patch any Bash packages on UNIX, Linux, and OS X clients as soon as possible and follow the security recommendations from appropriate vendors to address this vulnerability as soon as possible:

For Linux:

• Debian - https://www.debian.org/security/2014/dsa-3032
• Ubuntu - http://www.ubuntu.com/usn/usn-2362-1/
• Red Hat - https://access.redhat.com/articles/1200223
• CentOS - http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
• Novell/SuSE - http://support.novell.com/security/cve/CVE-2014-6271.html
• For any other Linux/UNIX distributions, check with respective vendors.

For Mac OS X:

• Mac OS X versions have this Bash vulnerability. We urge our customers to install the latest update from Apple when it is available.

For more information about this vulnerability, refer to the Department of Homeland Security page about this issue.