What versions of PlateSpin Forge are affected by the ShellShock vulnerability

  • 7015741
  • 03-Oct-2014
  • 06-Oct-2014

Environment

NetIQ PlateSpin Forge 

Situation

On Sept 24, 2014, a critical vulnerability in Bash (CVE-2014-6271, CVE-2014-7169) was published that may allow for remote code execution. This was followed by more reports on vulnerabilities in Bash, which are identified by CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

This affects NetIQ PlateSpin Forge installs prior to NetIQ PlateSpin Forge 11.

If the Forge unit is running:

vSphere ESXi/ESX Hypervisor
ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.

Resolution

For NetIQ PlateSpin Forge 3.1 or installs running ESX 3.5, please contact support to obtain an upgrade kit. For NetIQ PlateSpin Forge Appliance Version 2 (e.g. 3.4 or 4.0) running ESX 4.1, we recommend installing VMware patch ESX410-201410401-SG.