Oracle Security Alert for CVE-2014-7169

Description

This Security Alert addresses multiple publicly disclosed vulnerabilities affecting GNU Bash, specifically CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278. GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. These vulnerabilities affect multiple Oracle products. These vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password. A remote user can exploit these vulnerabilities to execute arbitrary code on systems that are running affected versions of Bash.

For this document, the vulnerabilities listed above will be referred to collectively as CVE-2014-7169.

Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against these vulnerabilities. This Security Alert and the product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.

Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169 and the related vulnerabilities, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.
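The alert recommends applying the vendor fixes as soon as they are released; an administrator also needs a way to confirm that a host's Bash actually carries the fix before and after patching. The script below is an added example and is not part of Oracle's alert. It wraps the local self-tests that Bash vendors published in 2014 for three of the CVEs this alert groups under CVE-2014-7169 (the test strings are those publicly documented checks); the function names, the temporary-directory handling and the exit-code convention (0 = not vulnerable, 1 = vulnerable, 2 = no bash binary found to test) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: local patch-verification checks for the GNU Bash
# vulnerabilities grouped under CVE-2014-7169 in this alert. The test
# strings are the self-tests Bash vendors published in 2014; the
# wrapper functions and their return codes are this example's own.
# Return codes: 0 = installed bash is NOT vulnerable, 1 = vulnerable,
# 2 = no bash binary available to test.

BASH_BIN=$(command -v bash 2>/dev/null)

# CVE-2014-6271: a function definition imported from the environment must
# not execute the command that follows it. An unpatched bash runs the
# trailing "echo vulnerable" while importing the variable.
check_cve_2014_6271() {
    [ -n "$BASH_BIN" ] || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser state bug; on an
# unpatched bash the value below causes "echo date" to be parsed as a
# redirection, creating a file named "echo" in the working directory.
# The check runs in a throw-away directory so nothing is left behind.
check_cve_2014_7169() {
    [ -n "$BASH_BIN" ] || return 2
    tmpdir=$(mktemp -d) || return 2
    ( cd "$tmpdir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        return 1
    fi
    rm -rf "$tmpdir"
    return 0
}

# CVE-2014-7186: a run of here-documents overflowed bash's redirection
# stack. A patched bash only warns about the unterminated here-documents
# and runs "true" (exit 0); an unpatched bash crashes instead.
check_cve_2014_7186() {
    [ -n "$BASH_BIN" ] || return 2
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && return 0
    return 1
}

# Print a one-line verdict per check; rc is captured with "||" so the
# function also behaves under "set -e".
report_check() {
    name=$1
    shift
    rc=0
    "$@" || rc=$?
    case $rc in
        0) printf '%s: not vulnerable\n' "$name" ;;
        1) printf '%s: VULNERABLE - apply the vendor fix\n' "$name" ;;
        *) printf '%s: could not test (no bash binary found)\n' "$name" ;;
    esac
    return $rc
}

report_check CVE-2014-6271 check_cve_2014_6271 || true
report_check CVE-2014-7169 check_cve_2014_7169 || true
report_check CVE-2014-7186 check_cve_2014_7186 || true
```

Run the script once before patching to record the baseline and again afterwards; a check that still returns 1 means the installed Bash binary was not replaced, which on a multi-Bash host (for example a bundled shell inside a product installation) can happen even when the operating system package was updated.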

Affected Products and Versions

Please refer to Bash Vulnerabilities - CVE-2014-7169 for a list of Oracle products and versions that are affected by these vulnerabilities. That page will be updated when new information becomes available.

Patch Availability

Patch availability information related to these vulnerabilities can be found on the Bash Vulnerabilities - CVE-2014-7169 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.

Supported Products and Versions

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

References

Modification History

Date               Comments
2014-September-26  Rev 1. Initial Release
2014-September-27  Rev 2. Fixes available for Exalogic
2014-September-28  Rev 3. Tables modified for products affected with and without fixes
2014-September-29  Rev 4. Detailed product information moved to Bash Vulnerabilities - CVE-2014-7169
2014-September-30  Rev 5. Added additional CVEs to Solaris and Linux matrices

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Systems Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#:                           CVE-2014-7169, CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
Component:                      Solaris
Protocol:                       Multiple
Subcomponent:                   Bash
Remote Exploit without Auth.?:  Yes
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score:                   10.0
  Access Vector:                Network
  Access Complexity:            Low
  Authentication:               None
  Confidentiality:              Complete
  Integrity:                    Complete
  Availability:                 Complete
Supported Versions Affected:    8, 9, 10, 11
Notes:                          See Note 1

Notes:

  1. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

Appendix - Oracle Linux and Virtualization

Oracle Linux Executive Summary

This Security Alert contains 1 new security fix for Oracle Linux. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Linux Risk Matrix

CVE#:                           CVE-2014-7169, CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
Component:                      Oracle Linux
Protocol:                       Multiple
Subcomponent:                   Bash
Remote Exploit without Auth.?:  Yes
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score:                   10.0
  Access Vector:                Network
  Access Complexity:            Low
  Authentication:               None
  Confidentiality:              Complete
  Integrity:                    Complete
  Availability:                 Complete
Supported Versions Affected:    4, 5, 6, 7
Notes:                          See Note 1

Notes:

  1. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.