Avaya Support Forums  

#1
09-25-2014, 07:52 AM
alb293
Bash Vulnerability

http://arstechnica.com/security/2014...ith-nix-in-it/

It looks like a lot of Avaya servers are vulnerable right now, since CentOS and Red Hat are affected.

#2
09-26-2014, 09:22 AM
jaytarbox

And, Avaya hasn't said a word that I can find yet. I had customers asking about it only a few hours after the news broke.

#3
09-26-2014, 12:28 PM
tkbinpdx
Avaya Advisory link for 2014 - nothing posted since 9/23

https://support.avaya.com/tools/secu...sory?year=2014

#4
09-26-2014, 03:39 PM
rbrookes

Shellshock/Bash impact update for Avaya products
Avaya’s Product Security Team is aware of the Shellshock security issue and is working aggressively with product teams across our portfolio to assess any possible impact and identify a mitigation plan as appropriate. An Avaya Security Advisory (ASA) will be published later today, Friday 26 September at approximately 7pm ET. The Product Security team will continue to report findings as they become available.

Please visit the following link on the Avaya Support Website for the latest information on this topic. All ASAs for Shellshock will be posted to this site.

Avaya Support Website – Shellshock/Bash Impact for Avaya Products - https://support.avaya.com/helpcenter...26131554370002
__________________
Russ Brookes | Avaya, KCS Leader | +1 613.771.7590 | rbrookes@avaya.com | NA Eastern Time Zone

#5
09-29-2014, 08:08 AM
darrenspain

Hi,
Are Avaya telling the customers to wait until they have included updates in patches / security updates, or are Avaya telling customers to go ahead and use the updates from the Red Hat site?

I have read the bulletin from Avaya but it is not clear to me what is the recommended course of action?

Thanks
Darren

#6
09-30-2014, 08:15 AM
jaytarbox

You should wait; on most of the products you wouldn't have the rights to install the needed patch anyway.

#7
09-30-2014, 09:42 AM
aa1
ASA-2014-369

Take a look at this:

https://downloads.avaya.com/css/P8/documents/100183009

Arbi

#8
10-01-2014, 12:03 PM
jlm

Does anyone happen to know if this affects IP phones, and in particular the 9600 series (9608, 9611, etc.) that run a Linux kernel?

I don't see this addressed on the Avaya Shellshock info.

Regards,

- Joe

#9
10-02-2014, 05:12 AM
richa164

Run this test from Linux shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get

Vulnerable
This is a test

Well, guess what!!

#10
10-02-2014, 10:45 AM
audetd

Quote:
Originally Posted by richa164
Run this test from Linux shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get

Vulnerable
This is a test

Well, guess what!!


And now just checking my labs.

Here is the result for the Communication Manager:
dadmin@CM-LAB> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Result for my DOM0
[admin@CM2-SPDom0 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[admin@CM2-SPDom0 ~]$

Result for my CDOM0
[admin@CM2-SPCdom ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[admin@CM2-SPCdom ~]$


So that means I am vulnerable.

Is there an official procedure from Avaya to find out?

Daniel
__________________
_____________________________
Daniel
Allstream Application Specialist

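The manual test from posts #9 and #10, wrapped as an added example so the result is an exit status rather than something read off the screen. It is not part of any post and not an Avaya procedure; the function names, marker string and candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: scripted form of the env-variable test quoted in the thread.
# Function names, marker string and candidate paths are assumptions.

# probe_bash BINARY
# Prints vulnerable / not-vulnerable / error; returns 1 / 0 / 2.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "error"; return 2; }
    # A unique marker avoids matching the word "vulnerable" in unrelated output.
    marker="SHELLSHOCK_PROBE_$$"
    # Same probe as in the thread: a function-style value with a trailing
    # command. A fixed bash does not run the trailing command and prints
    # only "done".
    out=$(env x="() { :;}; echo $marker" "$bin" -c 'echo done' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *done*)      echo "not-vulnerable"; return 0 ;;
        *)           echo "error"; return 2 ;;
    esac
}

# scan_bash BINARY...
# Probes every candidate that exists, prints one line per binary, and
# returns 1 if any of them is vulnerable (usable in cron or a health check).
scan_bash() {
    rc=0
    for cand in "$@"; do
        [ -e "$cand" ] || continue
        result=$(probe_bash "$cand") || true
        printf '%-22s %s\n' "$cand" "$result"
        if [ "$result" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# A host can carry more than one copy of bash; check each likely location.
scan_bash /bin/bash /usr/bin/bash /usr/local/bin/bash
```

A non-zero exit status from `scan_bash` means at least one of the listed binaries still executes the trailing command and needs the vendor's fix.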

Tags
bugs, linux, security, security advisories, vulnerability
