Oracle Security Alert for CVE-2014-7169

Oracle Security Alert for CVE-2014-7169

Description

This Security Alert addressesmultiple publicly disclosed vulnerabilities affecting GNU Bash, specifically CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. These           vulnerabilities affect multiple Oracle products. These           vulnerabilities may be remotely exploitable without           authentication, i.e. may be exploited over a network without           the need for a username and password. A remote user can           exploit these vulnerabilities to execute arbitrary code on           systems that are running affected versions of Bash.

      

Forthis document, the vulnerabilities listed above                 will be referred to collectively as CVE-2014-7169.         

Oracle is investigating and will provide fixes for           affected products as soon as they have been fully tested and           determined to provide effective mitigation against these           vulnerabilities.

       Due to the severity, public disclosure, and             reports of active exploitation of CVE-2014-7169 and the             related vulnerabilities, Oracle strongly recommends that             customers apply the fixes provided by this Security Alert as             soon as they are released by Oracle.

Affected Products and Versions

      

Please refer to Bash Vulnerabilities - CVE-2014-7169 for a           list of Oracle products and versions that are affected by these           vulnerabilities.That pagewill            be updated when new information becomes available.

Patch Availability

      

Patch availability information related to these vulnerabilities can be found on theBash Vulnerabilities - CVE-2014-7169 page. Note that in some instances, the instructions           on this page or references from this page may include           important steps to take before and after the application of           the relevant patch.

      

Supported Products and Versions

      

Patch availability information is provided only for           product versions that are covered under the Premier Support or           Extended Support phases of theLifetime              Support Policy. We recommend that customers remain on           actively supported versions to ensure that they continue to           receive security fixes from Oracle.

      

Product releases that are not under Premier Support or           Extended Support are not tested for the presence of           the vulnerabilities addressed by this Security Alert. However, it is           likely that earlier versions of affected releases are also           affected by these vulnerabilities.

      

Products in Extended Support

      

Security Alert fixes are available to customers who have           purchased Extended Support under theLifetime              Support Policy. Customers must have a valid Extended           Support service contract to apply Security Alert fixes for           products in the Extended Support Phase.

References

• Oracle Critical Patch Updates and Security   Alerts main page[ Oracle Technology   Network ]
• Oracle Critical Patch Updates and Security   Alerts - Frequently Asked Questions[   CPU FAQ ]
• Risk Matrix definitions[ Risk Matrix Definitions   ]
• Use of Common Vulnerability Scoring System   (CVSS) by Oracle[ Oracle   CVSS Scoring ]
• English text version of risk matrix[ Oracle Technology Network ]
• CVRF XML version of the risk matrix [Oracle Technology Network ]

Modification History

DateComments2014-September-26Rev 1. Initial Release2014-September-27Rev 2. Fixes available for Exalogic2014-September-28Rev 3. Tables modified for products affected with and without fixes2014-September-29Rev 4. Detailed product information moved to Bash Vulnerabilities - CVE-2014-7169

 

Appendix - Oracle Sun Systems Products Suite

             

Oracle Sun Systems Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Systems Products Suite.   This vulnerability is remotely exploitable without authentication,  i.e.,  may be exploited over a network without the need for a username and password.    The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

            CVE#ComponentProtocolSub-
                         componentRemote Exploit without Auth.?CVSS VERSION 2.0 RISK (seeRisk Matrix Definitions)Supported Versions AffectedNotesBase ScoreAccess VectorAccess ComplexityAuthen-
                         ticationConfiden-
                         tialityIntegrityAvail-
                         abilityCVE-2014-7169SolarisMultipleBashYes10.0NetworkLowNoneCompleteCompleteComplete8,  9,  10,  11See Note 1

Notes:

1. The CVSS score is taken from
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

 
              

Appendix - Oracle Linux and Virtualization

 

Oracle Linux Executive Summary

This Security Alert contains 1 new security fix for Oracle Linux.   This vulnerability is remotely exploitable without authentication,  i.e.,  may be exploited over a network without the need for a username and password.    The English text form of this Risk Matrix can be found here.

Oracle Linux Risk Matrix

            CVE#ComponentProtocolSub-
                         componentRemote Exploit without Auth.?CVSS VERSION 2.0 RISK (seeRisk Matrix Definitions)Supported Versions AffectedNotesBase ScoreAccess VectorAccess ComplexityAuthen-
                         ticationConfiden-
                         tialityIntegrityAvail-
                         abilityCVE-2014-7169Oracle LinuxMultipleBashYes10.0NetworkLowNoneCompleteCompleteComplete4,  5,  6,  7See Note 1

Notes:

1. The CVSS score is taken from
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.