The purpose of this document is to list Oracle products that include the Bash program in their distribution, either directly or via inclusion of a component that includes Bash, and to document their current status with respect to the publicly disclosed vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278. For this document, these vulnerabilities will be referred to collectively as CVE-2014-7169.
Specifically, this document will list: (1) Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes available from Oracle, (2) Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are currently available, (3) Oracle products that do not include Bash in their distribution, (4) Oracle products still under investigation, which may be vulnerable to CVE-2014-7169, and (5) Status for Oracle Cloud.
Oracle has assessed the impact of vulnerability CVE-2014-7169 only against product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle. When product versions for a given product are not specifically listed in this document, the entry applies to all versions of that product that are currently supported by Oracle.
Vulnerabilities affecting Bash were publicly disclosed. The Oracle Global Product Security and Development teams are investigating the inclusion of Bash in Oracle products and will provide mitigation instructions when available for these affected Oracle products. For additional details, see the Oracle Security Alert for CVE-2014-7169.
Below is the list of affected products and mitigation instructions as of April 08, 2015 at 05:15 PM Pacific.
Global Product Security has determined that the following 53 Oracle products have included in their distributions Bash versions that have been reported as vulnerable to CVE-2014-7169. Oracle has issued fixes for these products per the table below. Refer to the individual Patch Availability Documents for information regarding the specific CVEs addressed.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
|Patch Availability Table|
|Affected Products||Patch Availability|
|Brocade Fiber Channel Switches and Management [Product ID 9864]||MOS note 1938542.1|
|Cisco MDS Fiber Channel Switches and Management [Product ID 9865]||MOS note 1950697.1|
|Exadata Storage Server [Product ID 2546]||MOS note 1938719.1|
|Exalogic [Product ID 9415]||MOS note 1929881.1|
|Oracle Audit Vault and Database Firewall [Product ID 9749]||MOS note 1931021.1|
|Oracle Big Data Appliance [Product ID 9734]||MOS note 1930758.1|
|Oracle CloudNet Gateway [Product ID 11158]||MOS note 1932955.1|
|Oracle Communications Application Orchestrator [Product ID 11189]||MOS note 1938778.1|
|Oracle Communications Application Session Controller [Product ID 10769]||MOS note 1938391.1|
|Oracle Communications Diameter Intelligence Hub [Product ID 11126]||MOS note 1938466.1|
|Oracle Communications Diameter Signaling Router [Product ID 10899]||MOS note 1938466.1|
|Oracle Communications EAGLE Application Processor [Product ID 11122]||MOS note 1938747.1|
|Oracle Communications Eagle LNP Provision System [Product ID 11118]||MOS note 1938315.1|
|Oracle Communications Enterprise Trunk Manager [Product ID 10760]||MOS note 1938778.1|
|Oracle Communications Interactive Session Recorder [Product ID 10765]||MOS note 1938846.1|
|Oracle Communications Local Service Management System [Product ID 11114]||MOS note 1937477.1|
|Oracle Communications Performance Intelligence Center Software [Product ID 11044]||MOS note 1937383.1|
|Oracle Communications Policy Management [Product ID 10900]||MOS note 1940612.1|
|Oracle Communications Service Broker Engineered System [Product ID 9056]||MOS note 1931058.1|
|Oracle Communications Session Element Manager [Product ID 11052]||MOS note 1938778.1|
|Oracle Communications Session Monitor [Product ID 10761]||MOS note 1932068.1|
|Oracle Communications Session Report Manager [Product ID 10770]||MOS note 1938778.1|
|Oracle Communications Session Route Manager [Product ID 10771]||MOS note 1938778.1|
|Oracle Communications Subscriber Data Management [Product ID 10901]||MOS note 1939971.1|
|Oracle Communications WebRTC Session Controller [Product ID 10811]||MOS note 1938391.1|
|Oracle Database Appliance 12.1.2, 2.X [Product ID 9435]||MOS note 888888.1|
|Oracle Database Firewall [Product ID 8958]||MOS note 1931004.1|
|Oracle E-Business Suite [Product ID 1745]||MOS note 1934250.1|
|Oracle Exalytics [Product ID 9736]||MOS note 1930588.1|
|Oracle Fabric Interconnect [Product ID 10529]||MOS note 1935857.1|
|Oracle Fusion Applications Lifecycle Management Tools - Provisioning [Product ID 5643]||MOS note 1942282.1|
|Oracle Integrated Lights Out Manager and dependent products (including SPARC, Sun Blade, and Intel Xeon systems/servers) [Product ID 9849]||MOS note 1938100.1|
|Oracle Key Manager 3 [Product ID 10052]||MOS note 1996960.1|
|Oracle Key Vault [Product ID 10221]||MOS note 1931880.1|
|Oracle Linux 4, 5, 6, 7 [Product ID 1309]||MOS note 1930120.1|
|Oracle Solaris Operating System 8, 9, 10, 11 [Product ID 10006]||MOS note 1930090.1|
|Oracle SuperCluster [Product ID 10011]||MOS note 1930608.1|
|Oracle Switch ES1-24 [Product ID 9889]||MOS note 1940232.1|
|Oracle VM 2.2, 3.0, 3.1, 3.2, 3.3 [Product ID 4455]||MOS note 1929782.1|
|PeopleSoft Enterprise PeopleTools [Product ID 5085]||MOS note 1930515.1|
|Pillar Axiom 600 Storage System 4, 5 [Product ID 9504]||MOS note 1942744.1|
|Pillar Axiom Replication Engine [Product ID 9590]||MOS note 1951372.1|
|SPARC - OPL Service Processor (XCP) (SP software for SPARC M10-1/M10-4/M10-4S servers) [Product ID 10656]||MOS note 1934739.1|
|SPARC M-Series XCP Firmware (SP software for SPARC M3000/M4000/M5000/M8000/M9000 servers) [Product ID 9845]||MOS note 1940692.1|
|Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889]||MOS note 1940232.1|
|Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886]||MOS note 1938451.1|
|Sun Network 10GE Switch 72p [Product ID 9889]||MOS note 1940232.1|
|Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885]||MOS note 1938457.1|
|Sun ZFS Storage Appliance Kit [Product ID 10026]||MOS note 1941524.1|
|Tape Virtual - Virtual Library Extension [Product ID 10116]||MOS note 1940299.1|
|Tape Virtual VSM6 - Virtual Tape SubSystem (VSM4 and VSM5 do not include Bash) [Product ID 10117]||MOS note 1953487.1|
|Tekelec HLR Router [Product ID 11047]||MOS note 1940005.1|
|Virtual Compute Appliance [Product ID 10635]||MOS note 1930502.1|
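No products remain in the category of products that are likely vulnerable to CVE-2014-7169 but for which no fixes are currently available.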
Global Product Security has determined that the following 199 Oracle products do not include Bash in their initial distribution (i.e., “out of the box”) and should therefore not be subject to CVE-2014-7169. No further action is therefore expected for these products. Note that the surrounding technical environment deployed around these products should be checked for the presence of other components that may include Bash and therefore be affected by this vulnerability.
Global Product Security is not investigating any additional products for inclusion of Bash to determine if they might be subject to CVE-2014-7169.
Oracle is aware of vulnerability CVE-2014-7169 (and all related Bash vulnerabilities which have been publicly disclosed). Oracle is investigating these issues and continues to provide fixes for affected products and services as soon as these fixes have been fully tested and determined to provide effective mitigation.
Oracle Cloud teams are implementing relevant patches as they become available and in accordance with applicable change management processes.
For More Information: