DX Unified Infrastructure Management


Shellshock

  • 1.  Shellshock

    Posted Sep 26, 2014 08:15 AM

    I have not seen any statement from CA on any product regarding the bug revealed yesterday.

     

    Are there plans to issue any statement on this, either generally or on a per-product basis?



  • 2.  Re: Shellshock

    Posted Sep 26, 2014 08:20 AM

    It's really an OS problem, so I doubt CA will do anything about it, except perhaps emphasize which versions of Linux they support. If I'm not mistaken, you can upgrade your bash even on the old versions of RHEL that IM2.0 runs on, so it shouldn't be an issue.



  • 3.  Re: Shellshock

    Posted Sep 26, 2014 08:25 AM

    So it is not going to affect a system running on Windows, but obviously we can get to a bash prompt?



  • 4.  Re: Shellshock

    Posted Sep 26, 2014 09:03 AM

    Technically, bash has been ported to Windows, but it's not required (AFAIK, correct me if I'm wrong) for any of the CA products installed on Windows to have a bash prompt. So, if you installed it, you can either upgrade it or uninstall it.



  • 5.  Re: Shellshock

    Posted Sep 30, 2014 03:32 PM

    See my eHealth-specific reply at Bash Vulnerability does *not* affect eHealth current revisions.  -Margaret



  • 6.  Re: Shellshock

    Posted Sep 26, 2014 08:50 AM

    I believe CA will need to provide guidance in a number of cases where Bash is installed as part of the CA install. For instance when Spectrum is installed on Windows the Bash shell is installed as part of the Spectrum install.



  • 7.  Re: Shellshock

    Posted Sep 26, 2014 09:04 AM

    Ah, I was unaware of that. Can you update bash without breaking Spectrum? I guess that's the question CA needs to answer.



  • 8.  Re: Shellshock

    Posted Sep 26, 2014 09:03 AM

    We are running Spectrum 9.4 and from a bash shell on Windows, we can see the bug is present.

     



  • 9.  Re: Shellshock

    Posted Sep 26, 2014 09:13 AM

    Hey Everyone,

     

    Thanks for your post.

     

    As indicated, Linux, Solaris, and Mac bash being updated will not affect the Spectrum installation.  Those can be updated accordingly.

     

    However, Windows Cygwin that we ship contains bash - and is vulnerable.

    We are working with PM to make sure that our embedded Cygwin install can be updated.

     

    Support is doing some local testing as well to hopefully get some quick fixes out to customers, but we cannot make any guarantees.

    Please keep an eye out for new KBs, Tech Tips or community posts from CA Support on this topic.

     

    Thanks!

    Matt



  • 10.  Re: Shellshock

    Posted Sep 26, 2014 01:02 PM

    Hello, the bash vulnerability currently termed "Shellshock" is OS-based and not specific to any one CA product. Here is what I can say about it so far:

     

    1. CA is aware of the bash-related vulnerabilities and is analyzing their impact. So far, our team's understanding is that this bash vulnerability will need to be addressed by the specific OS vendors.
    2. While each CA product team will need to address this for their product revisions and affected OSes, this bash vulnerability will likely need to be patched by OS vendors, and not by CA, as we provide patches as needed to CA software, but only for third-party products where contracted to do so.


    As always, it is critical to remain up to date on all CA product revisions and patches in order to protect against potential security vulnerabilities.

     

    For more info :
    Bug 1141597 – CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

    and your OS vendor's vulnerability sites.

     

    Please open a ticket at support.ca.com with your regional product support team, if the OS vendor sites do not provide the information you need.

     

    -Margaret, CA Product Management



  • 11.  Re: Shellshock

    Posted Sep 26, 2014 05:27 PM

    Hi,

     

    There should be an advisory put up on the support.ca.com site so everyone knows about this... It would serve everyone better.



  • 12.  Re: Shellshock

    Posted Sep 29, 2014 08:14 AM

    Fully agreed.  Right now you log into the Support site, and they still list the Heartbleed vulnerability as an important message, but still nothing on Shellshock after it has been known for 5 days.  Even a simple message such as "We are aware of this situation and are working hard with OS vendors to help resolve this situation as quickly as possible" would at least keep us informed.



  • 13.  Re: Shellshock

    Posted Sep 30, 2014 06:44 PM

    I believe http://support.ca.com will have an update tomorrow.



  • 14.  Re: Shellshock

    Broadcom Employee
    Posted Sep 26, 2014 02:54 PM

    For those running a Multi-Port Monitor (MTP) we have released a patch for this as we use a customized version of CentOS

     

    For more information please see the following doc

    Shellshock Bug Fix MTP



  • 15.  Re: Shellshock

    Broadcom Employee
    Posted Sep 30, 2014 08:53 AM

    Hello All,

     

    For Spectrum, as Matt mentioned, we are evaluating the exact impact for Windows Cygwin.
    We have a potential solution here that support and some engineering team members are validating.

    We should have an update very soon and we will get back with a clear plan of action.

     

    Regards,

    Kiran Diwakar



  • 16.  Re: Shellshock

    Posted Sep 30, 2014 10:20 AM

    For CAPC, DA, DR, DC (IM 2.0):

     

    We reviewed this issue with engineering and no one could think of a way this would affect us as we only use bash for some of our scripts and startup of the product. We have not tested in-house yet but engineering feels customers can install this now if you don't want to wait for our testing.

     

    The patch can be found here:

    https://rhn.redhat.com/errata/RHSA-2014-1306.html



  • 17.  Re: Shellshock

    Posted Sep 30, 2014 10:50 AM

    Unfortunately, the problem isn’t just how this vulnerability affects CA products.  When the shell is installed onto a server, the vulnerability will be flagged by scans such as Qualysguard.  We have this problem with the versions of Tomcat shipped with CA products as well.  Our security group won’t accept the “We only use that for this one thing” defense.



  • 18.  Re: Shellshock

    Posted Sep 30, 2014 10:56 AM

    I think you are reading it wrong. I don't see it as a defense but as a notification that fixing the vulnerability should not affect these products. So if you want to fix it as soon as possible, you should be able to do so with very low risk of breaking something. If you want guarantees, you have to wait until they test everything.



  • 19.  Re: Shellshock

    Posted Sep 30, 2014 10:51 AM

    So for non-linux gurus, the command would be?

     

    yum -y update bash
    

     

    I'm guessing/asking here. Please don't take this as authoritative. I would assume a reboot is required.



  • 20.  Re: Shellshock

    Posted Sep 30, 2014 10:57 AM

    No reboot required to install the bash update.  I installed the fix on our Multi port collector last Friday without reboot.  Post-fix rescans of the MTP showed it was remediated.

     

    Chris



  • 21.  Re: Shellshock

    Posted Sep 30, 2014 10:58 AM

    Yes, using yum on linux you can update the bash shell.

     

    yum update bash

     

    For Spectrum things are still being tested and reviewed on Windows.

     

     

     

    Matthew Gay

    CA Technologies

    Principal Support Engineer

    Tel:  +1-877-428-6324

    Matthew.Gay@ca.com

    http://www.ca.com/



  • 22.  Re: Shellshock

    Posted Oct 02, 2014 12:43 PM


  • 23.  Re: Shellshock

    Posted Oct 02, 2014 01:57 PM

    I saw that. I couldn't find Spectrum on the affected list nor the unaffected list.



  • 24.  Re: Shellshock

    Posted Oct 02, 2014 03:18 PM

    The non-affected list contains the entry ... "CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes from your underlying operating system vendor."

     

    Nothing on either list about Spectrum on Windows.

     

    Though it does list Cygwin as an affected component.



  • 25.  Re: Shellshock

    Posted Oct 02, 2014 03:25 PM

    I have 4 Spectrum on Windows and all of them reply "vulnerable" to this simple test when entered in the command prompt.

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

     

    Whether or not it is "affected", I don't want to see simple exploits succeed (fail?) on machines that are my responsibility.
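
    The one-liner above is the standard CVE-2014-6271 probe; it does not catch the follow-on parser bug (CVE-2014-7169) that the first upstream fix left open, which is why both advisory links were posted earlier in this thread. The script below is an added example, not a CA-supplied tool: it wraps both probes around whichever bash binary you point it at (so it can be run against the Cygwin bash under a Spectrum install as well as /bin/bash), gives one vulnerable/patched/missing verdict, and ties in the `yum update bash` remediation from the earlier replies. The function names, the use of a scratch directory for the second probe, and the assumption of a yum-based RHEL/CentOS host for `remediate_rhel` are mine.

    ```shell
    #!/bin/sh
    # Added example (not CA's own tooling): probe a bash binary for the two
    # original Shellshock CVEs and report a status a change ticket can quote.
    #   CVE-2014-6271: trailing commands after a function body in an exported
    #                  variable are executed when the child bash starts.
    #   CVE-2014-7169: the incomplete first fix still let a crafted variable
    #                  leave a dangling redirection applied to the next command.
    # Usage: sh shellshock-probe.sh [/path/to/bash]   (defaults to "bash" on PATH)

    # Echo "missing", "vulnerable" or "patched" for CVE-2014-6271.
    probe_6271() {
        sh_bin="${1:-bash}"
        command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 0; }
        # The child imports x as a function; a fixed bash ignores the trailing command.
        out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo this is a test' 2>/dev/null)
        case "$out" in
            *vulnerable*) echo vulnerable ;;
            *)            echo patched ;;
        esac
    }

    # Echo "missing", "vulnerable" or "patched" for CVE-2014-7169.
    # A vulnerable bash parses the variable so that "echo date" becomes
    # ">echo date", i.e. a file named "echo" appears in the working directory.
    # Run it in a scratch directory so the probe cannot clobber anything real.
    probe_7169() {
        sh_bin="${1:-bash}"
        command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 0; }
        tmp=$(mktemp -d) || { echo error; return 1; }
        ( cd "$tmp" && env X='() { (a)=>\' "$sh_bin" -c 'echo date' >/dev/null 2>&1 )
        if [ -f "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
        rm -rf "$tmp"
    }

    # Overall verdict: vulnerable if either probe fires.
    shellshock_status() {
        a=$(probe_6271 "$1")
        b=$(probe_7169 "$1")
        if [ "$a" = missing ]; then
            echo missing
        elif [ "$a" = vulnerable ] || [ "$b" = vulnerable ]; then
            echo vulnerable
        else
            echo patched
        fi
    }

    # Remediation on a yum-based host (assumed RHEL/CentOS): update the package,
    # then re-probe. No reboot is needed because every probe, CGI handler, cron
    # job or ssh forced command starts a fresh bash from the updated binary;
    # only bash processes already running keep the old code until they exit.
    remediate_rhel() {
        [ "$(shellshock_status bash)" = vulnerable ] || { echo "nothing to do"; return 0; }
        yum -y update bash && shellshock_status bash
    }

    target="${1:-bash}"
    echo "$target: CVE-2014-6271=$(probe_6271 "$target") CVE-2014-7169=$(probe_7169 "$target") => $(shellshock_status "$target")"
    ```

    Run it once before and once after `yum update bash`; a clean run prints `patched` for both CVEs. Pointing it at the Spectrum copy (`sh shellshock-probe.sh "$SPECROOT/NT-Tools/SRE/bin/bash.exe"` from a Cygwin shell) gives the same verdict for the bundled binary, and `missing` confirms that the rename workaround suggested later in the thread actually removed it from the path you expect.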



  • 26.  Re: Shellshock

    Broadcom Employee
    Posted Oct 02, 2014 03:30 PM

    I do not know why it didn’t make the list, but Spectrum on Windows is affected. The version of bash that is shipped with the Cygwin tools in Spectrum on Windows is vulnerable. We are working directly with RedHat to deliver a resolution to this. Stay tuned for updates from the Product Management team.

     

    Roger Nason

    Support Delivery Manager

    CA Capacity Management & CA Spectrum



  • 27.  Re: Shellshock

    Broadcom Employee
    Posted Oct 03, 2014 04:24 AM

    Update from Spectrum Product Management Team

     

    "We are working with RedHat to obtain a patch for the version of Cygwin we use with Windows based Spectrum.  We are working this as a very high priority."

     

     

     

    Further updates will be posted as we receive them.

     

    Glenn Shoemake

    Spectrum Principal Support Engineer



  • 28.  Re: Shellshock

    Posted Oct 03, 2014 05:27 AM

    For the time being, does any temporary workaround need to be done in Spectrum?



  • 29.  Re: Shellshock

    Posted Oct 03, 2014 05:59 AM

    Statement re Shell Shock Vulnerability:

     

     

      1.  With Spectrum 9.x we release Cygwin on Windows, which does contain a vulnerable bash shell.

      2.  Our PM and development teams are working diligently to get our Cygwin implementation updated.

      3.  There are multiple aspects of Cygwin that come into play so it is not an easy update.

      4.  As a work around you could rename or remove the bash.exe file in the $SPECROOT/NT-Tools/SRE/bin directory.

      5.  Please keep checking our community boards for updates.

      6.  Linux and Solaris bash can be updated at OS level and work just fine.  Windows is the only problematic installation.

      7.  CA is working on getting word out to customers on what products may or may not be affected.



  • 30.  Re: Shellshock

    Broadcom Employee
    Posted Oct 03, 2014 06:58 AM

    Thanks Declan.


    We are working very closely with the Cygwin Product Team and are identifying the quickest way to have a solution/patch for this.

    We are conscious that we don't break something else in this process too.

     

    Please use the "rename" option that Declan suggested for now, we will get back very soon.

     

    Regards,

    Kiran Diwakar



  • 31.  Re: Shellshock

    Posted Oct 08, 2014 10:15 AM

    Does anybody know of any updates for this issue?



  • 32.  Re: Shellshock

    Posted Oct 08, 2014 10:20 AM

    Got this from support this morning ...

     

    "We have been notified that there will be PTF patches available for all major releases of Spectrum that are currently supported (9.2, 9.3 and 9.4) and these patches can be applied to any hotfix version of the major release. We still do not have an ETA of when the patches will be released"



  • 33.  Re: Shellshock

    Posted Oct 08, 2014 10:32 AM

    Many thanks John. Hopefully there will be an ETA soon.



  • 34.  Re: Shellshock

    Broadcom Employee
    Posted Oct 08, 2014 11:04 AM

    Hello All,

     

    Yes, we notified support.

    We have made further progress and the patches are being tested and we should be able to release them in the next couple days. Will keep this group posted.


    Thanks for your patience and stay tuned.


    Regards,

    Kiran Diwakar



  • 35.  Re: Shellshock

    Posted Oct 08, 2014 03:44 PM

    Hello Everyone,

     

    The patches have been released.

    Please see this post:

     

    Shellshock Vulnerability – CA Spectrum

     

    Thanks,
    Matt



  • 36.  Re: Shellshock

    Broadcom Employee
    Posted Oct 09, 2014 08:01 AM

    Awesome, thanks Matt - so we completed our testing earlier!


    Regards,

    Kiran Diwakar



  • 37.  Re: Shellshock

    Posted Oct 15, 2014 05:46 AM

    Hi Folks

     

    Just out of interest, has anybody noticed any issues after installing the patch? It appears to have resolved the vulnerability on our servers and I have not noticed any problems. I've tested numerous scripts we have to maintain our system and all seems to be OK but I thought I'd reach out to the community to see if anybody had found any problems.


    Thanks

    Craig.



  • 38.  Re: Shellshock

    Posted Oct 16, 2014 03:04 PM

    Hi Craig,

     

    I can, at least, tell you that no customers have reported anything to the CA Support team after upgrading bash.

     

    Hope that helps.

     

    Regards,

    Matt

     

    Matthew Gay

    CA Technologies

    Principal Support Engineer

    Tel:  +1-877-428-6324

    Matthew.Gay@ca.com

    http://www.ca.com/



  • 39.  Re: Shellshock

    Posted Oct 18, 2014 08:47 AM

    Thanks Matt. We've updated all of our Spectrum servers now and have not noticed any problems either.