Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux
Issue
- How do I avoid impact to a Red Hat Enterprise Linux system from CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
- How do I know if a Red Hat Enterprise Linux system is vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
- How do I download and upgrade to the latest version of Bash to make sure my system is not vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 4 (ELS)
Resolution
These issues affect all software that uses the Bash shell and parses values of environment variables. They are especially dangerous because there are many ways an application can end up invoking Bash: quite often, when an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, these issues are quite serious and should be treated as such.
In order to avoid exploitation from CVE-2014-6271, ensure that your system is updated to at least the following versions of Bash:
RHSA-2014:1293
- Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.2
- Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1
- Red Hat Enterprise Linux 5 - bash-3.2-33.el5.1
RHSA-2014:1294
- Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
- Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.1
- Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.2
- Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.1
- Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.1
RHSA-2014:1295
- SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.1
- SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.1
In order to avoid exploitation from CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, ensure that your system is updated to at least the following versions of Bash, which also include the prior fixes:
RHSA-2014:1306
- Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.4
- Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.2
- Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.4
RHSA-2014:1311
- Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.4
- Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.2
- Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.3
- Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.2
- Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.2
RHSA-2014:1312
- SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.2
- SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.2
In order to update to the most recent version of the Bash package run the following command:
# yum update bash
Specify the package name in order to update to a particular version of Bash. For example, to update a Red Hat Enterprise Linux 6.5 system run:
# yum update bash-4.1.2-15.el6_5.2
Root Cause
A flaw was found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment.
An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
For more information about this vulnerability, refer to the following article:
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Diagnostic Steps
- To determine if a system is affected by this vulnerability, review the version of Bash:
# rpm -qa bash
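The diagnostic step above leaves the version comparison to the reader. The following added example (not part of the original article) takes the output of `rpm -q bash`, works out which update stream the build belongs to from its dist tag (el6, el6_4, el5_11, SJIS), and compares it with rpm's segment-wise ordering against the minimum fixed builds listed in RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 above. The FIXED table and the architecture list are taken from this article; the function names are assumptions.

```python
import re

# Minimum fixed bash version-release per update stream, copied from the
# RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 lists in this article.
FIXED = {
    "el7": "4.2.45-5.el7_0.4", "el7_0": "4.2.45-5.el7_0.4",
    "el6": "4.1.2-15.el6_5.2", "el6_5": "4.1.2-15.el6_5.2",
    "el6_4": "4.1.2-15.el6_4.2", "el6_2": "4.1.2-9.el6_2.2",
    "el5": "3.2-33.el5_11.4", "el5_11": "3.2-33.el5_11.4",
    "el5_9": "3.2-32.el5_9.3", "el5_6": "3.2-24.el5_6.2", "el4": "3.0-27.el4.4",
    "el6_5.sjis": "4.1.2-15.el6_5.1.sjis.2", "el5_11.sjis": "3.2-33.el5_11.1.sjis.2",
}
ARCH = r"x86_64|i[3-6]86|ppc64|ppc|s390x|s390|ia64"

def rpmvercmp(a, b):
    """Segment-wise comparison as rpm's rpmvercmp() does it; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment is newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))    # more segments is newer

def stream_for(release):
    """Map the dist tag (el6, el6_4, el5_11 + sjis) to its FIXED row so an EUS, AUS,
    Long Life or SJIS build is judged against its own errata, not the base stream."""
    m = re.search(r"el\d+(?:_\d+)?", release)
    if not m:
        return None
    key = m.group(0) + (".sjis" if ".sjis" in release else "")
    base = key.split("_")[0]                     # unknown minor: fall back to elN
    return key if key in FIXED else (base if base in FIXED else None)

def check_bash(nvr):
    """nvr is the 'rpm -q bash' output, e.g. bash-4.1.2-15.el6_5.2.x86_64.
    Returns (fixed, stream, minimum); fixed is None when the build is not recognised."""
    m = re.match(r"bash-(\d[^-]*)-(.+?)(?:\.(?:%s))?$" % ARCH, nvr)
    if not m:
        raise ValueError("not a bash NVR: " + nvr)
    version, release = m.groups()
    stream = stream_for(release)
    if stream is None:
        return None, None, None
    fv, fr = FIXED[stream].split("-")
    c = rpmvercmp(version, fv) or rpmvercmp(release, fr)   # version first, then release
    return c >= 0, stream, FIXED[stream]
```

Feed `check_bash()` the string printed by `rpm -q bash`; a result of `False` means the installed build predates the complete fix for its stream, and `None` means the build is not from one of the streams listed in this article.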
Comments
Why does this say to run ldconfig? The bash rpm doesn't even include any libs...
Does it need a system reboot to get the update?
If I update, will the patch resolve all bash-related issues?
what about the patch of CVE-2014-7169?
Updated bash packages that address CVE-2014-7169 are now available for Red Hat Enterprise Linux 5, 6, and 7. Please check https://access.redhat.com/security/cve/CVE-2014-7169. This article will be updated shortly.
Red Hat is working on updates for Shift_JIS, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support.
Quick tests to verify new patch is working as intended:
Before patching:
[userid@oc000000000 ~]$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff
After patching
[userid@oc000000000 ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff
Hello! Could performing this bash upgrade cause some impact on the environment? Is it totally safe to run?
Thank you!
It is strongly recommended that you update bash at this point. The only changes in the recent package updates are related to the security vulnerabilities. In the extremely rare instance that a problem occurs, you can use "yum downgrade bash" to revert to an old version.
where is the link to download the patch for rhel 6
I am searching for package bash-4.2.45-5.el7_0.4 for RHEL7 but cannot find it on the package search on this website. How can I find this package or whatever the latest secure package for RHEL7?
Is this out for RHEL 4EL yet? I'm only seeing bash-3.0-27.el4 not bash-3.0-27.el4.4.
The bash update is available for RHEL 4. It is provided through our ELS subscription.
What is Red Hat Enterprise Linux Extended Life Cycle Support (ELS), and what is its support life cycle?
https://access.redhat.com/solutions/690063
How to add Extended Life Cycle Support (ELS) channel to Red Hat Enterprise Linux 4 System in RHN?
https://access.redhat.com/solutions/115353
If you need additional assistance, please open a support case.
Is a reboot required?
Do I need to reboot or restart services after installing this update?
No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize. If you have a strong reason to suspect that a system was compromised by this vulnerability then a system reboot should be performed after the update is installed as a best security practice and security checks should be analyzed for suspicious activity.
For Red Hat 5, can we just upgrade bash directly to bash-3.2-33.el5_11.4, or must we go to bash-3.2-33.el5.1 first and then to bash-3.2-33.el5_11.4?
You should be fine going straight to the last one. I have tested on multiple RHEL5 systems and had no issues.
You can upgrade directly to the latest version, just run "yum update bash" and it will install the latest version that it has available in the repository you are connected to. If you don't get that version, you will need to update your repository to get it or download it directly and run "yum localupdate </path/to/updated-bash-rpm>".
I still have some older systems such as RH 7.1 (non-enterprise edition). Can I expect a patch for these types of systems or do I need to remove it from the network? Any other suggestions for these older non supported OSes?
Hello,
You can follow the mitigation steps mentioned in the following article
https://access.redhat.com/articles/1212303
Hi, we don't have connection to yum repository. Is it ok to apply the patch through "rpm -Uvh rpmfile" command. Please see sample command below. Much appreciated for your immediate response.
For RHEL 5.x:
rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
rpm -Uvh bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm
For RHEL 6.x:
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-debuginfo-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-doc-4.1.2-15.el6_5.2.x86_64.rpm
This would work, although in RHEL 6, yum gets touchy when you use rpm directly. I would recommend using "yum localupdate". I wouldn't install the debuginfo packages unless you have a specific need for it, they are not required. To use your example though, on RHEL 5 I would use "yum localupdate bash-3.2-33.el5_11.4.x86_64.rpm bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm" and on RHEL 6, I would use "yum localupdate bash-4.1.2-15.el6_5.2.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.2.x86_64.rpm bash-doc-4.1.2-15.el6_5.2.x86_64.rpm"
Hi Barry, Thanks a lot for your immediate response. Have a blessed day to you.
I cannot find any package for bash-3.0-27.el4, bash-3.0-27.el4.2 or bash-3.0-27.el4.4 in RHSA-2014:1294 and RHSA-2014:1311.
The "updated packages" page in RHSA-2014:1311 is totally empty.
Where can I find these packages?
For accessing the RHEL4 security errata, you need to have Red Hat Enterprise Linux Extended Life Cycle Support subscription. If you do not have ELS, then please contact Red Hat Technical Support for further assistance
Can anybody post direct download url for CVE-2014-7169 please?
You can download the package from the customer portal
Instructions for downloading the RHEL6 fix from the portal, i.e. bash-4.1.2-15.el6_5.2:
1- https://access.redhat.com/downloads/
2- select Red Hat Enterprise Linux
3- Choose the version as 6.5 in the dropdown
4- hit packages tab and enter bash in the filter section
5- Choose bash listed under server rpms
6- Download the package
Similarly you can download packages for other variants.
If you need assistance, you can contact Red Hat Technical Support
Query: "# bash -version" still shows the old version of bash, although "# rpm -qa | grep bash" shows the upgraded version installed.
That's normal. Red Hat usually backports the fix to the existing version. bash -version will not show any difference in the output post update.
I can't find bash-3.0-27.el4.4_x86_64.rpm; where can I find it?
BTW: bash-3.0-27.el4 is what I can find, which doesn't fix the problem.
Please refer to Ranjith's comment above.
Thanks!
Yonggong, to obtain bash-3.0-27.el4.4_x86_64.rpm my understanding is that you must have RHEL v4 Extended Lifecycle Support (ELS). If you have that open a ticket w/Redhat and they will provide you the link.
Can bash-3.2-33.el5_11.4.x86_64.rpm be applied all RHEL 5.X? I am specifically concerned with one old machine we have setup with 5.3. "yum update bash" indicates "No Packages marked for Update". The machine is currently running bash-3.2-24.el5.
Can I do?
yum update bash-3.2-33.el5_11.4
Thanks,
Yes you can apply the latest package directly. If the system is registered to RHN and yum update is not pulling the latest package, then try to execute the command yum clean all and then try yum update. If yum clean all does not resolve the issue, then contact Red Hat Technical support for further assistance
Thanks ...
I did a:
yum clean metadata
yum update bash
and was able to get bash updated.
For Red Hat 6, can I upgrade bash directly to bash-4.1.2-15.el6_5.2? Do I have to upgrade to bash-4.1.2-15.el6_5.1 first?
You can directly update to bash-4.1.2-15.el6_5.2
Larry,
You can upgrade directly. There is no need to upgrade to interim versions. Assuming that you are connected to an RHN Satellite server or RHN Hosted, you can upgrade to the latest version of bash by typing "yum update -y bash".
Travis,
Although you should upgrade your entire system with "yum update" my recommendation is to talk with Red Hat about it. You could also review the changelog and see if there appear to be any major changes between the version of bash that you have running now and the most recent.
After upgrading the bash version to bash-3.2-33.el5_11.4, I tried the verification method suggested in the above comments. Below is the result I got; is it fine?
BEFORE PATCH :
[root@HOSTNAME ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff
AFTER PATCH :
[root@HOSTNAME ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
We have issue with our application after upgrade, any way to downgrade back to the original? Our server is RH EL6.
If you used "yum update -y bash" then "yum downgrade -y bash" should work.
Just be careful about the "-y" flag so that you are certain of what version of bash that you will downgrade to prior to doing it on a production system. Otherwise, this will be fine.
My server does not have internet connection. How can I use rpm to downgrade?
su root
# rpm -Uvh --oldpackage <package-name>
IE:
# rpm -Uvh --oldpackage bash-3.2-21.el5.x86_64.rpm
Or whatever package version that you need to downgrade to.
Note:
It is strongly recommended that you take all possible actions to allow your system to use the newest bash.
I use rpm to upgrade by command:
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
We have issue with our application after upgrade, any way to downgrade back to the original?
rpm -Uvh --oldpackage whatever.rpm
What about CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187 now?
We are working on updating this information. We will post as soon as possible.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7187
Please read comment 4 of the bug:
"Statement:
Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312."
I only see Itanium packages available for RHEL5 fully patched. What is the recommendation for Itanium-based systems in other RHEL versions such as 4, 6, 7? Specifically I am interested in 64-bit.
I thought security patches did not require a subscription.
Has this changed?
Hi
I have a ppc architecture, so I need the link to download the right bash update for my server. These are the system specs:
[root@linuxc01 etc]# rpm -qa|grep bash
bash-4.1.2-15.el6_4.ppc64
[root@linuxc01 etc]# uname -a
Linux linuxc01 2.6.32-431.17.1.el6.ppc64 #1 SMP Fri Apr 11 17:30:35 EDT 2014 ppc64 ppc64 ppc64 GNU/Linux
Please send the link
Thanks
If you have a current RHN subscription, and this computer is listed as part of that subscription, you should be able to simply run "yum update bash" and be done (other than a reboot, just to be sure.)
If you are not current, it will complain. If not subscribed, it will complain.
You could also login to support.redhat.com, go to the downloads tab, and find the ppc builds there, again, should you be a subscriber.
Hi All, first, thanks to Barry Brimer for the advice last Monday. We managed to patch bash in our RHEL 5.x 64-bit and RHEL 6.x 64-bit Linux/UNIX infrastructure. The script I downloaded from https://github.com/hannob/bashcheck/blob/master/bashcheck has verified that the 3 major CVEs had been resolved: CVE-2014-6271: Original Shellshock; permits remote code execution; CVE-2014-7169: Additional CVE introduced due to incomplete fix for original Shellshock; CVE-2014-7186: Redir_stack off-by-one bug; can cause a crash. Please see details below.
[alberto@rhl5 ~]$ sh bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
[alberto@rhel6 ~]$ sh bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Moreover, is there a script or tool provided by RedHat Team that could validate/verify that the bug fix provided had resolved the 6 CVEs below? I'm happy to volunteer as a tester.
CVE-2014-6271: Original Shellshock; permit remote code execution
CVE-2014-7169: Additional CVE introduced due to incomplete fix for original Shellshock
CVE-2014-7186: Redir_stack off-by-one bug; can cause a crash
CVE-2014-7187: Nested loops off-by-one issue with unknown impact
CVE-2014-6277: Variable function parser bug; permit remote code execution
CVE-2014-6278: Undisclosed bug; permit remote code execution