Menu
Cisco, Oracle find dozens of their products affected by Shellshock

Cisco, Oracle find dozens of their products affected by Shellshock

Cisco has identified 71 products vulnerable to Shellshock and Oracle 51, but the number is likely to increase

Cisco Systems and Oracle are hard at work identifying networking and other products in their portfolios that are affected by the critical Shellshock vulnerability.

The Shellshock vulnerability and several related ones found over the past week stem from errors in how the Bash command-line interpreter for Unix and Linux systems parses strings passed to it by external scripts. The flaws allow attackers to trick certain processes running on vulnerable machines to pass malicious strings to Bash that would then get executed as commands on the underlying OS.

Security researcher Rob Fuller has put together a collection of Shellshock proof-of-concept exploits gathered from various sources. The most well-known attack vectors are through Web servers that run CGI scripts and through SSH (Secure Shell) daemons, although other applications that interact with Bash are also potential targets.

Cisco has identified 71 products so far that are exposed to the vulnerability. These products serve various purposes, including network application, service and acceleration; network content and security; network management and provisioning; routing and switching; unified computing; voice and unified communications; video, streaming, TelePresence and transcoding.

The number of Cisco products vulnerable to Shellshock and related bugs far exceeds the 38 confirmed not to be vulnerable. The company is reviewing an additional 168 products and hosted services, so the list of vulnerable products is likely to increase.

"The impact of this vulnerability on Cisco products may vary depending on the affected product because some attack vectors such as SSH, require successful authentication to be exploited and may not result in any additional privileges granted to the user," Cisco said in its advisory.

Oracle is also in the process of identifying which of its products are vulnerable. So far the company has released Shellshock patches for nine products: Oracle Database Appliance 12.1.2 and 2.X; Oracle Exadata Storage Server Software; Oracle Exalogic; Oracle Exalytics; Oracle Linux 4, 5, 6 and 7; Oracle Solaris Operating System 8, 9, 10 and 11; Oracle SuperCluster; Oracle Virtual Compute Appliance Software and Oracle VM 2.2, 3.2 and 3.3.

An additional 42 products use Bash in at least one of their versions and are likely to be vulnerable to Shellshock, Oracle has found. No patches are currently available for those products. Four other products are currently being investigated to determine if they're using vulnerable Bash versions.

"Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle," the company said in its advisory.

Other vendors with products built on top of Linux, whether those are hardware appliances, SCADA platforms, specialized servers or embedded devices, are likely to release Shellshock patches in the near future.

The overall impact of the Shellshock vulnerability and the related Bash bugs is hard to quantify given the ubiquitous nature of this basic component in the Unix and Linux world and the fact that all Bash versions going back to 1993 are likely vulnerable. The multiple attack vectors only add to the complexity of determining which systems are at risk.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesCisco Systemssecuritypatch managementExploits / vulnerabilitiesOracle

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments