For all of us at Novell, the security of your data is of the utmost importance. Security researchers have discovered the following new software vulnerabilities that could affect Novell’s products and customers.
What is the ShellShock vulnerability and how do I know it exists on my systems?
A new vulnerability has been found that potentially affects Linux, UNIX and Mac OS X operating systems. Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, and CVE-2014-6278) could allow attackers to gain control over a targeted computer if exploited successfully, giving them access to your data and networks.
The vulnerability is in the Bash shell, a command language interpreter used to run commands passed to it by applications. An attacker can attach malicious code to environment variables, which affect the way processes are run on a computer.
If you are using Novell products that use versions of Bash (including operating systems based on SUSE Linux Enterprise 9, 10 or 11), your servers are potentially at risk. If your systems are compromised, we recommend that you patch them right away.
Is a patch available for me if I have current subscriptions and am running the most current version of my product? What if I’m running earlier versions and have a maintenance contract?
Yes and yes. You can access patches that close this vulnerability if you are a current customer with a maintenance contract.
What if I’m a current customer but I’m using older operating systems for some of my servers without a support/maintenance contract for those older versions… Can I still get the patches?
Yes, for SLES. Patches for the affected Novell products are available only to customers with a current Novell maintenance contract. For customers who are running their Novell products on SLES, and not via Virtual Appliance Deployment, patches are available for SLES via the SUSE channels described here: https://www.suse.com/support/kb/doc.php?id=7015702.
What does the patch address or not address? Do I need to do anything else after applying the patch to make sure I’m no longer vulnerable?
Applying the product-specific patches eliminates the ability to append malicious code to Bash environment variables. After applying the patches, no additional tasks are required to ensure you are no longer vulnerable to ShellShock.
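To confirm on a given server that the installed Bash no longer runs code appended to an environment variable, a local self-check such as the following can be run before and after patching. This is an added example, not part of Novell's advisory; the function names, the marker string and the list of candidate paths are assumptions made for the example, and it tests only the original flaw (CVE-2014-6271), not the other three CVEs listed above.

```sh
#!/bin/sh
# Added example (not from the advisory): local self-check for the original
# ShellShock flaw, CVE-2014-6271. All names below are constructed for this example.

# Harmless marker that is printed only if Bash executes the text that follows
# a function definition stored in an environment variable.
MARKER="SHELLSHOCK_PROBE_EXECUTED"

# classify_probe_output OUTPUT
# Turns the captured probe output into a verdict.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*)   echo "VULNERABLE" ;;  # trailing code was executed on startup
        *probe-done*)  echo "PATCHED" ;;     # only the intended command ran
        *)             echo "UNKNOWN" ;;     # Bash did not run at all
    esac
}

# probe_bash PATH_TO_BASH
# Starts the given Bash with a variable whose value looks like a function
# definition followed by an extra command, then classifies what it printed.
probe_bash() {
    bash_bin="$1"
    [ -x "$bash_bin" ] || { echo "UNKNOWN"; return 0; }
    # stderr is dropped: partially patched builds print a warning there.
    out=$(env probe="() { :;}; echo $MARKER" "$bash_bin" -c 'echo probe-done' 2>/dev/null) || true
    classify_probe_output "$out"
}

# report_all
# Checks the usual install locations (assumed paths; adjust for your systems).
report_all() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$candidate" ] && echo "$candidate: $(probe_bash "$candidate")"
    done
    return 0
}

# Run as: sh check_bash.sh --run   (the script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    report_all
fi
```

A PATCHED result here covers only the first CVE, so the installed Bash package version should still be compared against the patch level given in the download instructions for each product.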
Which Novell solutions are affected, and how do I obtain a patch?
- Novell ZENworks – virtual appliance deployment option – Patch download instructions
- Novell Service Desk – virtual appliance deployment option – Patch download instructions
- Novell Filr – Patch download instructions
- Novell iPrint Appliance – Patch download instructions
- Novell Open Enterprise Server – Patch download instructions
- Novell GroupWise, if using with SLES entitlement – Patch download instructions
Novell will continue to offer a rapid response to known security issues that impact our products and will notify you of any new issues or vulnerabilities.