perfsonar-announce - Updated information on Shellshock for perfSONAR Toolkit Users
- From: Jason Zurawski <>
- To: perfsonar-user <>, perfsonar-announce <>
- Subject: Updated information on Shellshock for perfSONAR Toolkit Users
- Date: Mon, 29 Sep 2014 17:58:22 -0400
Greetings;
We have 2 pieces of news to report on the ongoing shellshock situation:
1) As of this afternoon we have not seen any additional patches made by the
upstream vendors. For those playing the home game, here is the current list
of vulnerabilities:
> CVE-2014-6271 [Original vulnerability]
> CVE-2014-6277
> CVE-2014-6278
> CVE-2014-7169
> CVE-2014-7186
> CVE-2014-7187
Note that if you 'yum update'd last week, you should check again to be sure
you have the 'latest'. This is because new vulnerabilities were announced
right after the initial fix was released. We will continue to monitor the
situation and keep everyone posted on things we see. If you haven't enabled
yum auto-updating yet, consider reading this to do so:
http://www.perfsonar.net/about/faq/#Q53
Many of you have emailed to note that speed is the most important asset in
patching this vulnerability - even if you were 'fast' there is a chance you
could have been beaten. We would suggest verifying your systems to check for
rootkits (rkhunter and chkrootkit are popular products), and/or if someone is
running an IRC bot. When in doubt, yank it off the network and rebuild.
2) Working with community members, we have identified 2 ways to further
reduce the risk of perfSONAR Toolkit systems. Note that the risk does not
fully go away until bash is completely patched. These two approaches can help
in the meantime by reducing the visibility via the web:
a) A new RPM for version 3.3 (netinstall only) of the toolkit environment was
built, and is now available in yum - it is 3.3.2-18. The modification in
this update prevents the Perl interpreter from using bash for some of its
operations; some functionality will be reduced as a result. Please do the
following to get this update:
- yum update
- reboot the system
b) If you are using a 3.3 LiveCD, or a 3.4 (RC*) installation, we are working
on updated builds to address the problem as in part a). In the meantime, the
following modifications can be made to the apache configuration to lock down
*all* access to the Toolkit web interface:
- Open the configuration file:
/etc/httpd/conf.d/apache-toolkit_web_gui.conf
- Search for instances of these permissions:
> Order allow,deny
> Allow from all
- Modify the permissions to look like this (replacing the obvious
fake address with a real one, multiple 'Allow' lines are permitted):
> Order deny,allow
> Allow from AAA.BBB.CCC.DDD/16
> Deny from All
- restart httpd (sudo /etc/init.d/httpd restart) or reboot
Please reach out to us at
if you have additional questions on status of the vulnerability or our
response.
Thanks;
-jason
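The announcement asks people who updated early to re-check that bash is really fixed, since the follow-up CVEs landed after the first patch. The script below is an added example, not part of the announcement or the perfSONAR project: it runs the public test vectors for four of the listed CVEs against the local bash (each probe only touches the local shell and a temporary directory) and prints the installed bash package version for comparison with the vendor's fixed build. It assumes bash, mktemp and, on an RPM-based toolkit host, rpm are on the PATH; the file name shellshock_check.sh is only used to decide whether the report runs when the script is invoked directly.

```shell
#!/bin/sh
# shellshock_check.sh: probe the installed bash for the Shellshock bugs the
# announcement lists and print the bash package version, so a host that was
# updated before the follow-up fixes landed can be re-checked.
# Added example, not part of the perfSONAR announcement; the payloads are the
# public test vectors for these CVEs and are run against the local bash only.

# Each probe prints "vulnerable" or "patched" ("no-bash" if bash is absent).

# CVE-2014-6271: commands appended to a function definition held in an
# environment variable are executed when bash imports that variable.
probe_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind; a stray ">" and a
# line continuation turn the next command ("echo date") into "date > echo",
# so a file named "echo" appears in the working directory when vulnerable.
probe_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    dir=$(mktemp -d) || { echo error; return 2; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# CVE-2014-7186: more here-documents than the fixed-size redirection stack
# holds crashed the parser; a crash shows up as a signal exit status (>128).
probe_cve_2014_7186() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    rc=0
    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        </dev/null >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then echo vulnerable; else echo patched; fi
}

# CVE-2014-7187: 200 nested "for" loops overflowed the per-word line-number
# array; again a crash is reported as a signal exit status.
probe_cve_2014_7187() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    rc=0
    {
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i+1)); done
    } | bash >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then echo vulnerable; else echo patched; fi
}

# Installed bash version: the RPM name on a yum-managed toolkit host, or
# bash's own banner elsewhere, for comparison with the vendor's fixed package.
bash_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash 2>/dev/null && return 0
    fi
    bash --version 2>/dev/null | head -n 1
}

# Run every probe, print one line per CVE, return the number of vulnerable hits.
shellshock_report() {
    n=0
    for cve in 6271 7169 7186 7187; do
        r=$("probe_cve_2014_$cve")
        printf 'CVE-2014-%s  %s\n' "$cve" "$r"
        [ "$r" = vulnerable ] && n=$((n+1))
    done
    printf 'bash: %s\n' "$(bash_version)"
    return "$n"
}

# Run the report only when this file is executed directly (not when sourced).
case "${0##*/}" in
    shellshock_check.sh) shellshock_report ;;
esac
```

A non-zero exit status from shellshock_report means at least one probe still fires; on a toolkit host that is the cue to run yum update again (or check why the bash package did not move) rather than to trust the date of the last update. CVE-2014-6277 and CVE-2014-6278 are deliberately left out: their public test cases depend on the exact bash build and a clean result for them is not as clear-cut as for the four above.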
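The httpd lockdown in part b) is a hand edit of a file that also decides whether the web GUI stays reachable at all, so a practitioner wants the rewrite to be mechanical and checked before httpd is restarted. The script below is an added example, not part of the announcement or the perfSONAR project. It rewrites every "Order allow,deny" / "Allow from all" pair in an Apache 2.2 config into the deny-by-default form the announcement gives (one Allow line per network you pass), counts what is left open, and, when httpd is installed, runs httpd -t on the result and restores the backup if the syntax check fails. The sample config embedded in it is constructed, a stand-in for /etc/httpd/conf.d/apache-toolkit_web_gui.conf, and the 192.0.2.0/24 and 198.51.100.7 addresses are documentation-range placeholders for a real management network.

```shell
#!/bin/sh
# lock_toolkit_gui.sh: turn every permissive "Order allow,deny / Allow from all"
# pair in an Apache 2.2 config into the deny-by-default stanza the announcement
# describes, then syntax-check before httpd is restarted.
# Added example, not part of the perfSONAR announcement. The sample config is
# constructed; the addresses are documentation-range placeholders.

# Constructed sample with two permissive stanzas (stand-in for the real
# apache-toolkit_web_gui.conf; the paths are illustrative only).
sample_conf() {
cat <<'EOF'
<Directory "/opt/perfsonar_ps/toolkit/web">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
<Directory "/opt/perfsonar_ps/toolkit/web/admin">
    Order allow,deny
    Allow from all
    AuthType Basic
</Directory>
EOF
}

# Usage: lock_down_allow_stanzas CIDR [CIDR...] < in.conf > out.conf
# Only an "Order allow,deny" line immediately followed by "Allow from all"
# is rewritten; indentation is preserved and every other line passes through.
lock_down_allow_stanzas() {
    [ $# -ge 1 ] || { echo "usage: lock_down_allow_stanzas CIDR [CIDR...]" >&2; return 2; }
    awk -v cidrs="$*" '
        BEGIN { n = split(cidrs, allow, " ") }
        /^[ \t]*Order[ \t]+allow,deny[ \t]*$/ {
            order = $0
            indent = $0; sub(/[^ \t].*/, "", indent)
            if ((getline nxt) > 0) {
                if (nxt ~ /^[ \t]*Allow[ \t]+from[ \t]+[Aa][Ll][Ll][ \t]*$/) {
                    print indent "Order deny,allow"
                    for (i = 1; i <= n; i++) print indent "Allow from " allow[i]
                    print indent "Deny from all"
                } else {
                    print order; print nxt
                }
                next
            }
            print order; next
        }
        { print }
    '
}

# Number of unrestricted "Allow from all" lines left in the config on stdin
# (0 after a complete lockdown).
count_open_allows() {
    grep -ci '^[[:space:]]*Allow[[:space:]]*from[[:space:]]*all[[:space:]]*$' || true
}

# Usage: lock_toolkit_gui CONF CIDR [CIDR...]
# Keeps a backup, installs the rewritten file, and if httpd is present refuses
# to leave a config in place that "httpd -t" rejects, so a typo cannot take the
# whole web server down at the restart that follows.
lock_toolkit_gui() {
    conf="$1"; shift
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    cp -p "$conf" "$conf.pre-shellshock" || return 1
    lock_down_allow_stanzas "$@" < "$conf" > "$conf.new" || return 1
    mv "$conf.new" "$conf" || return 1
    if command -v httpd >/dev/null 2>&1 && ! httpd -t >/dev/null 2>&1; then
        echo "httpd -t rejected the new config; restoring $conf.pre-shellshock" >&2
        cp -p "$conf.pre-shellshock" "$conf"
        return 1
    fi
    echo "$conf rewritten; $(count_open_allows < "$conf") 'Allow from all' line(s) remain"
}

# Run only when executed directly, e.g.:
#   sh lock_toolkit_gui.sh /etc/httpd/conf.d/apache-toolkit_web_gui.conf 192.0.2.0/24
case "${0##*/}" in
    lock_toolkit_gui.sh) lock_toolkit_gui "$@" ;;
esac
```

After the script reports zero remaining "Allow from all" lines and httpd -t is happy, restart httpd as the announcement says; a remaining count above zero means a stanza used a form the rewrite did not recognise and still needs the hand edit.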