Does CVE-2014-6271, known as shellshock, affect JBoss products?

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 5.x
  • JBoss Business Rules Management System (BRMS)
    • 5.x
    • 6.x
  • JBoss Portal Platform (EPP)
    • 5.x
    • 6.x
  • JBoss SOA Platform (SOA)
    • 5.x
    • 6.x
  • JBoss Web Server (EWS)
    • 1.x
    • 2.x
  • JBoss Fuse
    • 6.x

Issue

  • Does CVE-2014-6271, known as shellshock, affect JBoss products?
  • Is there a patch available (or needed) to remediate this vulnerability on JBoss products?
  • Do JBoss products use or require any CGI scripting?

Resolution

  • JBoss products do not include the Bash package, and are not affected by this issue
  • JBoss products do not require or provide any CGI interface
  • If you are running a JBoss product on Red Hat Enterprise Linux, you should follow the guidance in this article. It recommends upgrading bash on your Red Hat Enterprise Linux system.
  • JBoss products would only expose an attack vector for this issue if your application calls Runtime.exec() (java.lang.Runtime) from the JDK API to spawn a shell, or runs a custom servlet that can execute CGI scripts. Neither practice is recommended, and neither is shipped as part of the JBoss Middleware software portfolio.
  • JBoss Fuse uses Apache Mina to provide SSH access to remote containers and is not affected by this issue.
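The bullet on Runtime.exec() is the whole exposure story for a Java application, so the following added example (written for this page, not Red Hat or JBoss code) shows in Java what that exposure pattern looks like beside a hardened form. It spawns nothing: both methods only prepare a ProcessBuilder, and a small audit helper reports what a reviewer should flag (a shell in the command and request-controlled values in the environment). The script path `/opt/example/report.sh`, the binary `/opt/example/report`, and the sample User-Agent value are all constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * Added example, not JBoss or Red Hat code. Illustrates the one pattern the solution
 * above names as a Shellshock (CVE-2014-6271) exposure in a JBoss application: handing
 * request-controlled data to a bash child process through its environment, CGI-style.
 */
public class ShellshockExposure {

    // Constructed sample of a request header value an application might forward.
    static final String SAMPLE_USER_AGENT = "ExampleBrowser/1.0 (constructed sample)";

    /**
     * Risky pattern. The child is bash, and a request header is copied into its
     * environment. On an unpatched bash every environment variable is parsed for
     * function definitions before the script runs, so the untrusted value reaches
     * the shell parser. This is exactly the CGI behaviour the solution says JBoss
     * products do not provide; do not recreate it in application code.
     */
    static ProcessBuilder riskyInvocation(String untrustedHeader) {
        ProcessBuilder pb = new ProcessBuilder("/bin/bash", "-c", "/opt/example/report.sh"); // hypothetical script
        pb.environment().put("HTTP_USER_AGENT", untrustedHeader); // untrusted data into env: the exposure
        return pb;
    }

    /**
     * Hardened pattern: no shell in the chain (program invoked by path and argv),
     * the inherited environment is replaced by a fixed allow-list, and the untrusted
     * value travels as a sanitized argument, never as an environment variable.
     */
    static ProcessBuilder hardenedInvocation(String untrustedHeader) {
        String sanitized = sanitize(untrustedHeader);
        ProcessBuilder pb = new ProcessBuilder("/opt/example/report", "--user-agent", sanitized); // hypothetical binary
        Map<String, String> env = pb.environment();
        env.clear();                      // drop everything inherited from the JVM
        env.put("PATH", "/usr/bin:/bin"); // only fixed, known values
        env.put("LANG", "C");
        return pb;
    }

    /** Keep printable ASCII, drop shell metacharacters, cap the length at 256. */
    static String sanitize(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder();
        for (char c : input.toCharArray()) {
            if (sb.length() >= 256) break;
            if (c >= 0x20 && c < 0x7F && "(){};$`\\\"'|&<>".indexOf(c) < 0) sb.append(c);
        }
        return sb.toString();
    }

    /** Review helper: findings a defender would raise about a prepared ProcessBuilder. */
    static List<String> audit(ProcessBuilder pb, String untrustedValue) {
        List<String> findings = new ArrayList<>();
        String program = pb.command().isEmpty() ? "" : pb.command().get(0);
        if (program.endsWith("/bash") || program.endsWith("/sh") || program.equals("bash") || program.equals("sh")) {
            findings.add("command launches a shell: " + program);
        }
        for (Map.Entry<String, String> e : pb.environment().entrySet()) {
            if (untrustedValue != null && untrustedValue.equals(e.getValue())) {
                findings.add("untrusted request data placed in environment variable " + e.getKey());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("risky:    " + audit(riskyInvocation(SAMPLE_USER_AGENT), SAMPLE_USER_AGENT));
        System.out.println("hardened: " + audit(hardenedInvocation(SAMPLE_USER_AGENT), SAMPLE_USER_AGENT));
    }
}
```

Running `main` prints two findings for the risky builder (a shell is launched, and the header value sits in the environment) and an empty list for the hardened one. The audit is a code-review aid, not a scanner: the reliable fix on Red Hat Enterprise Linux remains the bash update the solution points to, with this pattern as defence in depth for application code.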

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
