Avaya Support Forums


alb293 09-25-2014 07:52 AM

Bash Vulnerability
 
http://arstechnica.com/security/2014...ith-nix-in-it/

It looks like a lot of Avaya servers are vulnerable right now, since CentOS and Red Hat are affected.

jaytarbox 09-26-2014 09:22 AM

And, Avaya hasn't said a word that I can find yet. I had customers asking about it only a few hours after the news broke.

tkbinpdx 09-26-2014 12:28 PM

Avaya Advisory link for 2014 - nothing posted since 9/23
 
https://support.avaya.com/tools/secu...sory?year=2014

rbrookes 09-26-2014 03:39 PM

Shellshock/Bash impact update for Avaya products
Avaya’s Product Security Team is aware of the Shellshock security issue and is working aggressively with product teams across our portfolio to assess any possible impact and identify a mitigation plan as appropriate. An Avaya Security Advisory (ASA) will be published later today, Friday 26 September at approximately 7pm ET. The Product Security team will continue to report findings as they become available.

Please visit the following link on the Avaya Support Website for the latest information on this topic. All ASAs for Shellshock will be posted to this site.

Avaya Support Website – Shellshock/Bash Impact for Avaya Products - https://support.avaya.com/helpcenter...26131554370002

darrenspain 09-29-2014 08:08 AM

Hi,
Is Avaya telling the customers to wait until they have included updates in patches / security updates, or is Avaya telling customers to go ahead and use the updates from the Red Hat site?

I have read the bulletin from Avaya, but it is not clear to me what the recommended course of action is.

Thanks
Darren

jaytarbox 09-30-2014 08:15 AM

You should wait; on most of the products you wouldn't have the rights to install the needed patch anyway.

aa1 09-30-2014 09:42 AM

ASA-2014-369
 
Take a look at this:

https://downloads.avaya.com/css/P8/documents/100183009

Arbi

jlm 10-01-2014 12:03 PM

Does anyone happen to know if this affects IP phones, and in particular the 9600 series (9608, 9611, etc.) that run a Linux kernel?

I don't see this addressed on the Avaya shellshock info.

Regards,

- Joe

richa164 10-02-2014 05:12 AM

Run this test from a Linux shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get

vulnerable
this is a test

Well, guess what!!

audetd 10-02-2014 10:45 AM

Quote:

Originally Posted by richa164 (Post 12451)
Run this test from a Linux shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get

vulnerable
this is a test

Well, guess what!!



And now just checking my labs.

Here is the result for the Communication Manager
dadmin@CM-LAB> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Result for my DOM0
[admin@CM2-SPDom0 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[admin@CM2-SPDom0 ~]$

Result for my CDOM0
[admin@CM2-SPCdom ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[admin@CM2-SPCdom ~]$


So that means I am vulnerable.

Is there an official procedure from Avaya to find out?

Daniel
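
The test command posted in this thread, wrapped so a script can read the result for several bash binaries at once. This is an added example, not part of any post above and not an Avaya procedure; the function names and result strings are assumptions made for the example.

```sh
#!/bin/sh
# Added example: runs the thread's test command against each bash binary
# named on the command line and prints one result per binary.
# Function names and result strings are assumptions for this example.

# The probe from the thread: a function definition with a trailing command.
PROBE='() { :;}; echo vulnerable'

# classify_output TEXT: decide what the captured stdout of the test means.
classify_output() {
    if ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo INCONCLUSIVE      # the harmless command never ran
    elif printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE        # the trailing command in the variable ran
    else
        echo NOT_VULNERABLE
    fi
}

# check_bash BIN: run the test against one binary and classify the output.
check_bash() {
    bin=$1
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo MISSING
        return 0
    fi
    # stderr is dropped: warnings a patched shell may print go there.
    out=$(env x="$PROBE" "$bin" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# scan BIN...: one "binary<TAB>result" line each; returns 1 if any is VULNERABLE.
scan() {
    rc=0
    for b in "$@"; do
        r=$(check_bash "$b")
        printf '%s\t%s\n' "$b" "$r"
        if [ "$r" = VULNERABLE ]; then
            rc=1
        fi
    done
    return $rc
}

# With no arguments, test whichever bash is first on PATH.
[ "$#" -gt 0 ] || set -- bash
scan "$@" || echo "at least one shell ran the injected command" >&2
```

A NOT_VULNERABLE result covers only the behaviour this one probe exercises.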


All times are GMT -7.