Users of Solaris and Linux (every Linux distribution) should read the text below and update their systems urgently. CVE-2014-7169 is the follow-up to CVE-2014-6271 (Shellshock): the first Bash fix was incomplete, so a system patched only for CVE-2014-6271 is still affected.
http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html
Oracle Security Alert for CVE-2014-7169
Description
This Security Alert addresses CVE-2014-7169 (initially identified as CVE-2014-6271), a publicly disclosed vulnerability affecting GNU Bash. GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to execute arbitrary code on systems that are running affected versions of Bash.
Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability.
The fixes that are available for immediate application by customers are listed in the Patch Availability Table. This Security Alert will be updated when fixes are available for additional affected Oracle products without sending additional emails to customers. Customers should check this page for updates.
Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.
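As a concrete check to go with the advisory, the following POSIX shell script is an added example and is not part of Oracle's alert or of this post. It runs the two widely published Shellshock test strings against a Bash binary and reports whether each CVE is patched, and also whether the shell exports functions under the prefixed BASH_FUNC_ names that patched releases use. The BASH_BIN variable, the probe_fn name and the scratch-directory handling are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle alert): local checks for whether a Bash
# binary is still exposed to CVE-2014-6271 and CVE-2014-7169. The two test
# strings are the widely published vendor checks; BASH_BIN (default "bash")
# and the scratch-directory handling are this script's own assumptions.

BASH_BIN="${BASH_BIN:-bash}"

have_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1
}

# CVE-2014-6271: an unpatched bash executes the commands that follow an
# exported function body ("echo vulnerable") while importing the environment.
# Prints "vulnerable", "patched" or "missing".
check_cve_2014_6271() {
    have_bash || { echo missing; return; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug, so this crafted definition
# turns "echo date" into "date > echo", creating a file named "echo" in the
# current directory. We run it in a scratch directory and look for that file.
# Prints "vulnerable", "patched", "unknown" or "missing".
check_cve_2014_7169() {
    have_bash || { echo missing; return; }
    dir=$(mktemp -d) || { echo unknown; return; }
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
    rm -rf "$dir"
}

# Patched releases export functions under a prefixed name (BASH_FUNC_name...)
# instead of the bare variable name, so an arbitrary environment variable is
# no longer parsed as a function definition on startup.
# Prints "namespaced", "legacy" or "missing".
exported_function_prefix() {
    have_bash || { echo missing; return; }
    names=$("$BASH_BIN" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null || true)
    case "$names" in
        *BASH_FUNC_probe_fn*) echo namespaced ;;
        *probe_fn=*)          echo legacy ;;
        *)                    echo missing ;;
    esac
}

shellshock_report() {
    if have_bash; then
        "$BASH_BIN" -c 'echo "bash version: $BASH_VERSION"'
    else
        echo "bash binary '$BASH_BIN' not found"
    fi
    echo "CVE-2014-6271:   $(check_cve_2014_6271)"
    echo "CVE-2014-7169:   $(check_cve_2014_7169)"
    echo "function export: $(exported_function_prefix)"
}

shellshock_report
```

Run it as `BASH_BIN=/bin/bash sh shellshock-check.sh` before and after applying the vendor patches; on Solaris, point BASH_BIN at each Bash binary on the host, since more than one may be installed. The script only tests the local binary. The "remotely exploitable without authentication" wording in the alert refers to services that copy attacker-controlled input into the environment of a Bash child process (CGI scripts are the classic case), so patching the shell is what removes the exposure, not blocking any single service.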
Oracle products that are affected and have fixes available
Oracle has determined that the following products are affected by this vulnerability, and fixes for these products are available for immediate application by customers. The patch availability information for these affected products is provided in the table below.
Note: Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
Patch Availability Table
Affected product | Patch Availability and Installation Information |
---|---|
Oracle Linux, versions 4, 5, 6, 7 | My Oracle Support Note 1930120.1 |
Oracle Solaris, versions 8, 9, 10, 11 | My Oracle Support Note 1930090.1 |
Oracle products that are affected and do not have fixes available at this time
Oracle has determined that the following Oracle products are vulnerable to CVE-2014-7169 and CVE-2014-6271. Fixes for these products will be distributed as they become available and this Security Alert will be updated to reflect the availability of these fixes in the Patch Availability Table.
- Big Data Appliance
- Exadata
- Exalogic
- Oracle Audit Vault and Database Firewall
- Oracle Communications Application Orchestrator - Server Perpetual (version 74M1)
- Oracle Communications Application Session Controller
- Oracle Communications Diameter Intelligence Hub
- Oracle Communications Diameter Signaling Router
- Oracle Communications Diameter Signaling Router - Full Address Resolution
- Oracle Communications EAGLE Application Processor
- Oracle Communications EAGLE Collector Application Processor
- Oracle Communications EAGLE LNP Application Processor
- Oracle Communications Interactive Session Recorder
- Oracle Communications Policy Controller
- Oracle Communications Policy Management
- Oracle Communications Service Broker Engineered System Edition 6.0
- Oracle Communications Session Element Manager
- Oracle Communications Session Report Manager
- Oracle Communications Session Route Manager
- Oracle Communications Subscriber Data Management
- Oracle Communications User Data Repository
- Oracle Communications WebRTC Session Controller
- Oracle Data Appliance
- Oracle Integrated Lights Out Manager
- Oracle Key Vault
- Oracle VM
- Pillar Axiom 600 Storage System 4, 5
- SPARC Supercluster
- Sun ZFS Storage Appliance Kit (AK)
- Tekelec HLR Router
- Tekelec Platform Management & Configuration
- Tekelec Virtual Operating Environment
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of risk matrix [ Oracle Technology Network ]
- CVRF XML version of the risk matrix [ Oracle Technology Network ]
Modification History
Date | Comments |
---|---|
2014-September-26 | Rev 1. Initial Release |
Appendix - Oracle Sun Systems Products Suite
Oracle Sun Systems Products Suite Executive Summary
This Security Alert contains 1 new security fix for the Oracle Sun Systems Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2014-7169 | Solaris | Multiple | Bash | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 8, 9, 10, 11 | See Note 1 |
- Note 1: The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.
Appendix - Oracle Linux and Virtualization
Oracle Linux Executive Summary
This Security Alert contains 1 new security fix for Oracle Linux. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Linux Risk Matrix
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2014-7169 | Oracle Linux | Multiple | Bash | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 4, 5, 6, 7 | See Note 1 |
- Note 1: The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.