Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 4
Issue
- How do I avoid impact to a Red Hat Enterprise Linux system from CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
- How do I know if a Red Hat Enterprise Linux system is vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
- How do I download and upgrade to the latest version of Bash to make sure my system is not vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278?
Resolution
These issues affect all software that uses the Bash shell and parses values of environment variables. These issues are especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, these issues are quite serious and should be treated as such.
In order to avoid exploitation from CVE-2014-6271, ensure that your system is updated to at least the following versions of Bash:
RHSA-2014:1293
- Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.2
- Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1
- Red Hat Enterprise Linux 5 - bash-3.2-33.el5.1
RHSA-2014:1294
- Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
- Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.1
- Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.2
- Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.1
- Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.1
RHSA-2014:1295
- SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.1
- SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.1
In order to avoid exploitation from CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, ensure that your system is updated to at least the following versions of Bash, which also include the prior fixes:
RHSA-2014:1306
- Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.4
- Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.2
- Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.4
RHSA-2014:1311
- Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.4
- Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.2
- Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.3
- Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.2
- Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.2
RHSA-2014:1312
- SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.2
- SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.2
NOTE: Some additional information regarding customers who have RHEL 4 Standard or Premium Entitlements, but not ELS, is available at https://access.redhat.com/discussions/1211573
In order to update to the most recent version of the Bash package, run the following command:
# yum update bash
Specify the package name in order to update to a particular version of Bash. For example, to update a Red Hat Enterprise Linux 6.5 system, run:
# yum update bash-4.1.2-15.el6_5.2
Root Cause
A flaw was found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment. This flaw is referred to as "Shellshock".
An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
For more information about this vulnerability, refer to the following article:
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Diagnostic Steps
- To determine if a system is affected by this vulnerability, review the installed version of Bash and compare it against the fixed versions listed under Resolution:
# rpm -qa bash
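Comparing the output of rpm -qa bash against the fixed builds above by eye is error-prone, because the dist tag decides which stream (base, EUS, AUS, Long Life, SJIS) a system is on and rpm's version ordering is not plain string ordering. The following Python script is an added example, not part of this Red Hat solution and not a Red Hat tool: the FIXED table holds the package versions from the advisories above, the stream selection by dist tag and the rpmvercmp() reimplementation are this example's own, and check_bash() can be run on any bash NVRA string (the script calls rpm -q bash when run directly).

```python
import re
import subprocess

# Minimum fixed bash builds per RHEL stream, taken from the advisories listed
# in this solution (RHSA-2014:1306, 1311 and 1312). Keys are the dist tag found
# in the package release; "-sjis" marks the Shift_JIS variant packages.
FIXED = {
    "el7":      "4.2.45-5.el7_0.4",
    "el6":      "4.1.2-15.el6_5.2",
    "el6_4":    "4.1.2-15.el6_4.2",   # 6.4 Extended Update Support
    "el6_2":    "4.1.2-9.el6_2.2",    # 6.2 Advanced Update Support
    "el5":      "3.2-33.el5_11.4",
    "el5_9":    "3.2-32.el5_9.3",     # 5.9 Extended Update Support
    "el5_6":    "3.2-24.el5_6.2",     # 5.6 Long Life
    "el4":      "3.0-27.el4.4",       # 4 Extended Lifecycle Support
    "el6-sjis": "4.1.2-15.el6_5.1.sjis.2",
    "el5-sjis": "3.2-33.el5_11.1.sjis.2",
}

ARCHES = {"noarch", "i386", "i686", "x86_64", "ppc", "ppc64", "s390", "s390x", "ia64"}


def rpmvercmp(a, b):
    """Compare two version (or release) strings like rpm's rpmvercmp().

    Returns -1, 0 or 1. Segments are runs of digits or letters; digits compare
    numerically, letters lexically, a numeric segment beats an alphabetic one,
    and '~' sorts below everything (pre-release marker). The '^' marker of
    newer rpm releases is not implemented here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not tb:
                return -1
            if not ta:
                return 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            ma, mb = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:])
            if mb is None:
                return 1          # numeric segment is newer than alphabetic
            sa, sb = int(ma.group()), int(mb.group())
        else:
            ma, mb = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:])
            if mb is None:
                return -1
            sa, sb = ma.group(), mb.group()
        i, j = i + len(ma.group()), j + len(mb.group())
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1      # whoever has characters left wins


def parse_nvra(pkg):
    """Split 'bash-4.1.2-15.el6_5.2.x86_64[.rpm]' into (version, release)."""
    pkg = pkg.strip()
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    m = re.match(r"^bash-([^-]+)-(.+)$", pkg)
    if not m:
        raise ValueError("not a bash NVR: %r" % pkg)
    version, release = m.groups()
    head, _, tail = release.rpartition(".")
    if tail in ARCHES:
        release = head
    return version, release


def stream_for(release):
    """Pick the FIXED key for a release string, e.g. '15.el6_4' -> 'el6_4'.
    Falls back to the base stream (el6) when the minor tag is not listed."""
    m = re.search(r"\.(el\d+)(_\d+)?", release)
    if not m:
        return None
    base, minor = m.group(1), m.group(1) + (m.group(2) or "")
    if ".sjis." in release:
        return base + "-sjis" if base + "-sjis" in FIXED else None
    return minor if minor in FIXED else (base if base in FIXED else None)


def check_bash(pkg):
    """Return (status, stream, minimum) for an installed bash NVRA string.
    status is 'fixed', 'vulnerable' or 'unknown' (stream not in the table)."""
    version, release = parse_nvra(pkg)
    stream = stream_for(release)
    if stream is None:
        return "unknown", None, None
    fixed_v, fixed_r = FIXED[stream].split("-", 1)
    c = rpmvercmp(version, fixed_v) or rpmvercmp(release, fixed_r)
    return ("fixed" if c >= 0 else "vulnerable"), stream, "bash-" + FIXED[stream]


if __name__ == "__main__":
    # Query the locally installed package; 'rpm -q bash' prints its NVRA.
    installed = subprocess.check_output(["rpm", "-q", "bash"]).decode().strip()
    print(installed, "->", check_bash(installed))
```

Because Red Hat backports fixes, bash --version does not change after the update; the package release is what to compare, which is what the script does. A system on a stream the table does not list (for example an older minor release with no EUS or AUS entitlement) is reported as "unknown" rather than guessed at, and should be matched against the advisory list by hand.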
71 Comments
Why does this say to run ldconfig? The bash rpm doesn't even include any libs...
Does it need a system reboot to get the update?
If I update, will the patch resolve all bash-related issues?
What about the patch for CVE-2014-7169?
Updated bash packages that address CVE-2014-7169 are now available for Red Hat Enterprise Linux 5, 6, and 7. Please check https://access.redhat.com/security/cve/CVE-2014-7169. This article will be updated shortly.
Red Hat is working on updates for Shift_JIS, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support.
Quick tests to verify new patch is working as intended:
Before patching:
[userid@oc000000000 ~]$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff
After patching:
[userid@oc000000000 ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff
Hello! Could performing this bash upgrade have some impact on the environment? Is it totally safe to run it?
Thank you!
It is strongly recommended that you update bash at this point. The only changes in the recent package updates are related to the security vulnerabilities. In the extremely rare instance that a problem occurs, you can use "yum downgrade bash" to revert to an old version.
Where is the link to download the patch for RHEL 6?
I am searching for package bash-4.2.45-5.el7_0.4 for RHEL7 but cannot find it on the package search on this website. How can I find this package or whatever the latest secure package for RHEL7?
Is this out for RHEL 4EL yet? I'm only seeing bash-3.0-27.el4 not bash-3.0-27.el4.4.
The bash update is available for RHEL 4. It is provided through our ELS subscription.
What is Red Hat Enterprise Linux Extended Life Cycle Support (ELS), and what is its support life cycle?
https://access.redhat.com/solutions/690063
How to add Extended Life Cycle Support (ELS) channel to Red Hat Enterprise Linux 4 System in RHN?
https://access.redhat.com/solutions/115353
If you need additional assistance, please open a support case.
Is a reboot required?
Do I need to reboot or restart services after installing this update?
No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize. If you have a strong reason to suspect that a system was compromised by this vulnerability then a system reboot should be performed after the update is installed as a best security practice and security checks should be analyzed for suspicious activity.
For Red Hat 5, can we just upgrade bash directly to bash-3.2-33.el5_11.4? Or must we go to bash-3.2-33.el5.1 first and then to bash-3.2-33.el5_11.4?
You should be fine going straight to the last one. I have tested on multiple RHEL5 systems and had no issues.
You can upgrade directly to the latest version, just run "yum update bash" and it will install the latest version that it has available in the repository you are connected to. If you don't get that version, you will need to update your repository to get it or download it directly and run "yum localupdate </path/to/updated-bash-rpm>".
I still have some older systems such as RH 7.1 (non-enterprise edition). Can I expect a patch for these types of systems or do I need to remove it from the network? Any other suggestions for these older non supported OSes?
Hello,
You can follow the mitigation steps mentioned in the following article:
https://access.redhat.com/articles/1212303
Hi, we don't have a connection to a yum repository. Is it OK to apply the patch through the "rpm -Uvh rpmfile" command? Please see the sample commands below. Your immediate response would be much appreciated.
For RHEL 5.x:
rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
rpm -Uvh bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm
For RHEL 6.x:
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-debuginfo-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-doc-4.1.2-15.el6_5.2.x86_64.rpm
This would work, although in RHEL 6, yum gets touchy when you use rpm directly. I would recommend using "yum localupdate". I wouldn't install the debuginfo packages unless you have a specific need for them; they are not required. To use your example though, on RHEL 5 I would use "yum localupdate bash-3.2-33.el5_11.4.x86_64.rpm bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm" and on RHEL 6 I would use "yum localupdate bash-4.1.2-15.el6_5.2.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.2.x86_64.rpm bash-doc-4.1.2-15.el6_5.2.x86_64.rpm".
Hi Barry, Thanks a lot for your immediate response. Have a blessed day to you.
I cannot find any package such as bash-3.0-27.el4, bash-3.0-27.el4.2 or bash-3.0-27.el4.4 in RHSA-2014:1294 or RHSA-2014:1311.
The "updated packages" page in RHSA-2014:1311 is totally empty.
Where can I find these packages?
For accessing the RHEL4 security errata, you need to have a Red Hat Enterprise Linux Extended Life Cycle Support subscription. If you do not have ELS, then please contact Red Hat Technical Support for further assistance.
Can anybody post direct download url for CVE-2014-7169 please?
You can download the package from the customer portal.
Instructions for downloading the RHEL6 fix, i.e. bash-4.1.2-15.el6_5.2, from the portal:
1- https://access.redhat.com/downloads/
2- Select Red Hat Enterprise Linux
3- Choose version 6.5 in the dropdown
4- Hit the Packages tab and enter bash in the filter section
5- Choose bash listed under Server RPMs
6- Download the package
Similarly, you can download packages for other variants.
If you need assistance, you can contact Red Hat Technical Support.
Query: "bash -version" is still showing the old version of bash, although "rpm -qa | grep bash" shows the upgraded version installed.
That's normal. Red Hat usually backports the fix to the existing version. "bash -version" will not show any difference in its output after the update.
I can't find bash-3.0-27.el4.4_x86_64.rpm. Where can I find it?
BTW: bash-3.0-27.el4 is what I can find, which doesn't fix the problem.
Please refer to Ranjith's comment above.
Thanks!
Yonggong, to obtain bash-3.0-27.el4.4_x86_64.rpm my understanding is that you must have RHEL v4 Extended Lifecycle Support (ELS). If you have that open a ticket w/Redhat and they will provide you the link.
Can bash-3.2-33.el5_11.4.x86_64.rpm be applied to all RHEL 5.x? I am specifically concerned with one old machine we have set up with 5.3. "yum update bash" reports "No Packages marked for Update". The machine is currently running bash-3.2-24.el5.
Can I do:
yum update bash-3.2-33.el5_11.4
Thanks,
Yes, you can apply the latest package directly. If the system is registered to RHN and "yum update" is not pulling the latest package, then try executing the command "yum clean all" and then try "yum update" again. If "yum clean all" does not resolve the issue, then contact Red Hat Technical Support for further assistance.
Thanks ...
I did:
yum clean metadata
yum update bash
and bash was updated.
For Red Hat 6, can I upgrade bash directly to bash-4.1.2-15.el6_5.2? Do I have to upgrade to bash-4.1.2-15.el6_5.1 first?
You can directly update to bash-4.1.2-15.el6_5.2.
Larry,
You can upgrade directly. There is no need to upgrade to interim versions. Assuming that you are connected to an RHN Satellite server or RHN Hosted, you can upgrade to the latest version of bash by typing "yum update -y bash".
Travis,
Although you should upgrade your entire system with "yum update" my recommendation is to talk with Red Hat about it. You could also review the changelog and see if there appear to be any major changes between the version of bash that you have running now and the most recent.
After upgrading bash to bash-3.2-33.el5_11.4, I tried the verification method suggested in the comments above. Below is the result I got; is it fine?
BEFORE PATCH :
[root@HOSTNAME ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff
AFTER PATCH :
[root@HOSTNAME ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
We have an issue with our application after the upgrade. Is there any way to downgrade back to the original? Our server is RHEL 6.
If you used "yum update -y bash" then "yum downgrade -y bash" should work.
Just be careful about the "-y" flag so that you are certain of what version of bash that you will downgrade to prior to doing it on a production system. Otherwise, this will be fine.
My server does not have internet connection. How can I use rpm to downgrade?
su root
# rpm -Uvh --oldpackage <package-name>
i.e.:
# rpm -Uvh --oldpackage bash-3.2-21.el5.x86_64.rpm
Or whatever package version that you need to downgrade to.
Note:
It is strongly recommended that you take all possible actions to allow your system to use the newest bash.
I used rpm to upgrade with the command:
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
We have an issue with our application after the upgrade. Is there any way to downgrade back to the original?
rpm -Uvh --oldpackage whatever.rpm
What about CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187 now?
We are working on updating this information. We will post as soon as possible.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7187
Please read comment 4 of the bug:
"Statement:
Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312."
I only see Itanium packages available for RHEL5 fully patched. What is the recommendation for Itanium based systems in other RHEL version such as 4,6,7 ? Specifically I am interested in 64 bit.
I thought security patches did not require a subscription.
Has this changed?
Hi
I have a ppc architecture, so I need the link to download the right bash update for my server. These are the system specs:
[root@linuxc01 etc]# rpm -qa|grep bash
bash-4.1.2-15.el6_4.ppc64
[root@linuxc01 etc]# uname -a
Linux linuxc01 2.6.32-431.17.1.el6.ppc64 #1 SMP Fri Apr 11 17:30:35 EDT 2014 ppc64 ppc64 ppc64 GNU/Linux
Please send the link
Thanks
If you have a current RHN subscription, and this computer is listed as part of that subscription, you should be able to simply run "yum update bash" and be done (other than a reboot, just to be sure.)
If you are not current, it will complain. If not subscribed, it will complain.
You could also login to support.redhat.com, go to the downloads tab, and find the ppc builds there, again, should you be a subscriber.
Hi All, first, thanks to Barry Brimer for the advice last Monday. We managed to patch bash in our RHEL 5.x 64-bit and RHEL 6.x 64-bit Linux/UNIX infrastructure. The script I downloaded from https://github.com/hannob/bashcheck/blob/master/bashcheck has verified that the bugs for the 3 major CVEs have been resolved: CVE-2014-6271: Original Shellshock; permits remote code execution; CVE-2014-7169: Additional CVE introduced due to incomplete fix for original Shellshock; CVE-2014-7186: Redir_stack off-by-one bug; can cause a crash. Please see details below.
[alberto@rhl5 ~]$ sh bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
[alberto@rhel6 ~]$ sh bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Moreover, is there a script or tool provided by the Red Hat team that could validate/verify that the bug fix provided has resolved the 6 CVEs below? I'm happy to volunteer as a tester.
CVE-2014-6271: Original Shellshock; permit remote code execution
CVE-2014-7169: Additional CVE introduced due to incomplete fix for original Shellshock
CVE-2014-7186: Redir_stack off-by-one bug; can cause a crash
CVE-2014-7187: Nested loops off-by-one issue with unknown impact
CVE-2014-6277: Variable function parser bug; permit remote code execution
CVE-2014-6278: Undisclosed bug; permit remote code execution
Since only 4 CVEs have been resolved at this moment and the Red Hat team is still working to resolve the remaining two, I believe the proactive measure we can take is to block all possible exploits from the network perspective. For services that do not require CGI on the web, we must totally disable it on any web server, i.e. Apache (disable the CGI module, aka mod_cgi, and all the cgi-bin directory entries). For ssh, don't expose it to the public; use a VPN instead. Hope this makes sense.
This statement is not at all accurate. The remaining two CVEs you indicate as being unresolved are in fact fully mitigated by the latest patches. See the announcement here: https://access.redhat.com/announcements/1210053 for the details.
Disabling CGI, if you can, would deal with the httpd angle. Not exposing ssh to the public makes no difference unless you don't use a password or use a bad one (this flaw is not a pre-authentication flaw; it requires that you successfully authenticate first). As for your following statement regarding mod_security: this is good, but it only works on known signatures and will not protect against not-yet-known signatures, so while it is good for mitigating the things we know about, it may not catch variations that the patched packages are not susceptible to, and thus should not be used instead of patching. If you install the latest bash packages, you're protected from all six issues.
Hi Vincent, thanks for the info. My apologies for my inaccurate statement; I missed that announcement. I believe we have mitigated our Red Hat Enterprise Linux infrastructure with the latest patch for bash as stated in that announcement. By the way, is there a technology for ssh that we can use so that a user who authenticates via password is then verified by 2FA (two-factor authentication) before he/she logs in to the system? This would increase the security of ssh. Google has developed that kind of technology, aka Google Authenticator. I hope the Red Hat and OpenSSH dev teams will look into this.
Hi, Albert. That's a different kind of question. Currently there is no 2FA support for OpenSSH although you can use the Google Authenticator PAM module (we do not support this or provide it, however). You can force the use of SSH public/private keys which is similar (requires the private key and the key's passphrase) and disable password authentication entirely which is certainly more secure than just a password. Every version of OpenSSH supports this.
Hi Vincent, thanks for the reply and advice. We're using ssh public keys for our EDI connectivity to other agencies. However, we're using normal ssh logon for users within our premises.
In addition, if you have an IPS/IDS firewall, let it do its job protecting your vulnerable assets. For apps, modsec can be used as a proactive defence; just follow Red Hat's advice.
The following is in response to a case I raised regarding utilising the command line string
grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3
to identify service(s) that would require restarting, thus assisting in determining the time and effort involved in applying the patch:
Here is more information about the matter of restarting services:
In short, yes, it can be run before or after the update. It does not matter if it is run before or after; it simply lists any running processes that contain the exploit test string in their environment variables.
Note that even after patching, an environment variable can still be created so that it contains the same exploit string, but after the patch that string will /not/ have any effect on the new bash.
Thus, it might be better to run it before or right after patching as a way to identify processes that may have already been hit by the vulnerability, or ones left over from testing, which could be stopped / restarted for extra safety; but it does not matter if it is run before or after. It is merely a way to find which processes have an environment variable that contains that string.
As you are concerned, you can run it to know whether services should be restarted before applying the patch.
But please make sure to run the command after the patch as well, to check that no service still needs to be restarted.
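The grep over /proc/[1-9]*/environ in the comment above, and the earlier answer that no reboot is needed because the flaw only fires when a bash process imports its environment, both come down to one question: which running processes carry an environment variable whose value is a bash function definition? The Python script below is an added example, not part of this solution or of any Red Hat tool. It parses the NUL-separated environ block of each process and reports such variables, mirroring the grep: a value beginning with "() {" counts, and names ending in ")" are skipped because that is the export form the patched bash uses for legitimately exported functions. The sample environ blocks are constructed for the test; suspicious_vars() is the pure function and scan_proc() walks a real /proc.

```python
import os
import re

# A function export as the unpatched bash emitted it: the value starts with
# "() {". The grep above, '[^)]=() {', additionally skips variable names that
# end in ")": the patched bash exports functions under names of the form
# BASH_FUNC_name(), which is legitimate and must not be flagged.
FUNC_VALUE = re.compile(rb"^\(\)\s*\{")


def suspicious_vars(environ_bytes):
    """Return [(name, value)] for entries of a NUL-separated environ block
    whose value is a bash function definition and whose name does not end
    in ')' (i.e. not the patched bash's BASH_FUNC_x() export form)."""
    hits = []
    for entry in environ_bytes.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        name, value = entry.split(b"=", 1)
        if FUNC_VALUE.match(value) and not name.endswith(b")"):
            hits.append((name.decode(errors="replace"),
                         value.decode(errors="replace")))
    return hits


def scan_proc(proc_root="/proc"):
    """Walk <proc_root>/<pid>/environ for every readable process and return
    {pid: [(name, value), ...]} for processes carrying such variables.
    Reading other users' environ needs root; unreadable or vanished
    processes are skipped rather than aborting the scan."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        hits = suspicious_vars(data)
        if hits:
            findings[int(pid)] = hits
    return findings


# Constructed sample environ blocks (not captured from a real system). The
# second one uses the same harmless test string the comments above use, plus
# a patched-style BASH_FUNC_myfunc() export that must not be reported.
SAMPLE_ENVIRON_CLEAN = b"PATH=/usr/bin:/bin\0HOME=/root\0LANG=C\0"
SAMPLE_ENVIRON_HIT = (b"PATH=/usr/bin\0"
                      b"X=() { :;} ; echo busted\0"
                      b"BASH_FUNC_myfunc()=() {  echo hi\n}\0"
                      b"TERM=xterm\0")

if __name__ == "__main__":
    for pid, hits in sorted(scan_proc().items()):
        names = ", ".join(name for name, _ in hits)
        print("pid %d has function-definition variables: %s" % (pid, names))
```

As the support response above says, a hit after patching does not mean the process is exploitable, only that its environment still carries such a string; the list is a restart candidate list, not a compromise indicator. Run it as root so that every process's environ is readable, since entries that cannot be opened are silently skipped.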
Our web application runs on Red Hat Enterprise Linux. In the application, our bash scripts run in the background. Is a Linux reboot, or a restart of our web application or our bash scripts, required after the bash patch?
Thanks.
We are having an issue in WebMethod (FTP failing in Vendor Export) after the bash upgrade on Linux 5.7.
The automated job is failing, but when we trigger it manually the FTP works.
------------------------Automated Vendor Export Results-----------------------
STATUS DATE TIME VENDOR FILE NAME ADDRESS MESSAGE
Failure 10/09/14 09:33:22 ApartmentGuide.com mitsaimcoexport_fp.xml ftp.hpci.com 425 Unable to build data connection: Connection refused
Failure 10/09/14 09:35:52 Services.cpsusa.com mitsaimcoexport_fp.xml Services.cpsusa.com [ISC.0064.9010] java.net.SocketTimeoutException: Accept timed out
Failure 10/09/14 09:36:53 Apartments.com mitsaimcoexport_fp.xml ftp.classifiedventures.com 425 Unable to build data connection: Connection refused
Failure 10/09/14 09:37:54 ForRent.com mitsaimcoexport_fp.xml ftp.forrent.com 425 Unable to build data connection: Connection refused
Failure 10/09/14 09:38:56 Move.Com mitsaimcoexport_fp.xml Transfer.realselect.com 425 Unable to build data connection: Connection refused
Failure 10/09/14 09:39:57 HotPads mitsaimcoexport_fp.xml ftp.hotpads.com 550 Failed to change directory.
Success 10/09/14 09:40:10 Cort.com mitsaimcoexport_fp.xml Ctsforders.insidecort.com
Failure 10/09/14 09:42:40 apartmentshowcase.com mitsaimcoexport_fp.xml apartmentshowcase.com [ISC.0064.9010] java.net.SocketTimeoutException: Accept timed out
Failure 10/09/14 09:45:11 ALNDATA mitsaimcoexport_fp.xml FTP.Alndata.com [ISC.0064.9010] java.net.SocketTimeoutException: Accept timed out
Success 10/09/14 09:45:11 Aimco.com mitsaimcoexport_fp.xml 172.16.4.20
Failure 10/09/14 09:46:42 Rentbits mitsaimcoexport_fp.xml rentmarketer.com 550 Failed to change directory.
-----------------------------manual Vendor Export Results--------------------------------
STATUS DATE TIME VENDOR FILE NAME ADDRESS MESSAGE
Success 10/09/14 10:20:32 ApartmentGuide.com mitsaimcoexport_fp.xml ftp.hpci.com
Success 10/09/14 10:20:35 Services.cpsusa.com mitsaimcoexport_fp.xml Services.cpsusa.com
Success 10/09/14 10:20:36 Apartments.com mitsaimcoexport_fp.xml ftp.classifiedventures.com
Success 10/09/14 10:20:39 ForRent.com mitsaimcoexport_fp.xml ftp.forrent.com
Success 10/09/14 10:20:45 Move.Com mitsaimcoexport_fp.xml Transfer.realselect.com
Success 10/09/14 10:20:46 HotPads mitsaimcoexport_fp.xml ftp.hotpads.com
Success 10/09/14 10:20:58 Cort.com mitsaimcoexport_fp.xml Ctsforders.insidecort.com
Success 10/09/14 10:21:00 apartmentshowcase.com mitsaimcoexport_fp.xml apartmentshowcase.com
Success 10/09/14 10:21:10 ALNDATA mitsaimcoexport_fp.xml FTP.Alndata.com
Success 10/09/14 10:21:10 Aimco.com mitsaimcoexport_fp.xml 172.16.4.20
Immediate help will be appreciated.
Thanks in Advance!
Abhi
See RHBA-2014:1362 - Bug Fix Advisory https://rhn.redhat.com/rhn/errata/details/Details.do?eid=28032
Issued: 10/7/14
Updated: 10/7/14
Topic
Updated at packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Description
The "at" packages provide the "at" and "batch" commands, which are used to read commands from standard input or from a specified file. The "at" command allows you to specify that a command will be run at a particular time. The "batch" command will execute commands when the system load levels drop to a particular level. Both commands use /bin/sh.
This update fixes the following bug:
daemon exported environment variables with an incorrect syntax to the Bash shell running the jobs. With this update, "atd" filters out environment variables that cannot be parsed by the Bash shell, thus allowing the "at" jobs to run properly. (BZ#1148730)
Users of at are advised to upgrade to these updated packages, which fix this bug.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
Also see RHBA-2014:1368 - Bug Fix Advisory https://rhn.redhat.com/rhn/errata/details/Details.do?eid=28052
Synopsis
at bug fix update
Issued: 10/8/14
Updated: 10/8/14
Topic
Updated at packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Description
The "at" packages provide the "at" and "batch" commands, which are used to read commands from standard input or from a specified file. The "at" command allows you to specify that a command will be run at a particular time. The "batch" command will execute commands when the system load levels drop to a particular level. Both commands use /bin/sh.
This update fixes the following bug:
daemon exported environment variables with an incorrect syntax to the Bash shell running the jobs. With this update, "atd" filters out environment variables that cannot be parsed by the Bash shell, thus allowing the "at" jobs to run properly. (BZ#1148844)
Users of at are advised to upgrade to these updated packages, which fix this bug.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
Hi Terry,
Will this at bug fix resolve the issue we are facing in WebMethod (vendor export automated FTP error)?
Please reply. Thank you!
Abhi
You described your issue as:
Automated job is failing
Is your automated job using the "at" or "batch" command?
The fix is for those commands.
FYI
at and batch bug fixes for the issue caused by the bash shell vulnerability patches
Bug Fix Advisory
RHEL5 RHBA-2014:1368
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=28052
RHEL6 RHBA-2014:1362
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=28032
RHEL7 RHBA-2014:1363-1
https://rhn.redhat.com/errata/RHBA-2014-1363.html
We run RHEL ES 6.2. Which patch should I be using?
See link https://access.redhat.com/solutions/1207723
In order to avoid exploitation from CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, ensure that your system is updated to at least the following versions of Bash, which also include the prior fixes:
RHSA-2014:1311
Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.2
Testing information
https://access.redhat.com/articles/1200223
Hi
Is Red Hat AS 3 falling under the bash vulnerability?
Thanks