perfSONAR User Q&A and Other Discussion

[Jason Zurawski <>]

Greetings;

We have 2 pieces of news to report on the ongoing shellshock situation:

1) As of this afternoon we have not seen any additional patches made by the 
upstream vendors.  For those playing the home game here are the current list 
if vulnerabilities:

> CVE-2014-6271 [Original vulnerability]
> CVE-2014-6277
> CVE-2014-6278 
> CVE-2014-7169 
> CVE-2014-7186 
> CVE-2014-7187 

Note that if you 'yum update'd last week, you should check again to be sure 
you have the 'latest', this is because new vulnerabilities were announced 
right after the initial fix was released.  We will continue to monitor the 
situation and keep everyone posted on things we see.  If you haven't enabled 
yum auto-updating yet - consider reading this to do so: 
http://www.perfsonar.net/about/faq/#Q53

Many of you have emailed to note that speed is the most important asset in 
patching this vulnerability - even if you were 'fast' there is a chance you 
could have been beaten.  We would suggest verifying your systems to check for 
rootkits (rkhunter and chkrootkit are popular products), and/or if someone is 
running an IRC bot.  When in doubt, yank it off the network and rebuild.  

2) Working with community members, we have identified 2 ways to further 
reduce the risk of perfSONAR Toolkit systems.  Note that the risk does not 
fully go away until bash is completely patched. These two approaches can help 
in the meantime by reducing the visibility via the web:

a) A new RPM for version 3.3 (netinstall only) of the toolkit environment was 
built, and is now available in yum - it is 3.3.2-18.  The modification in 
this update prevent the Perl interpreter from using bash for some of its 
operations, some functionality will be reduced as a result.  Please do the 
following to get this update:

        - yum update

        - reboot the system

b) If you are using a 3.3 LiveCD, or a 3.4 (RC*) installation, we are working 
on updated builds to address the problem as in part a).  In the meantime, the 
following modifications can be made to the apache configuration to lock down 
*all* access to the Toolkit web interface:

        - Open the configuration file: 
/etc/httpd/conf.d/apache-toolkit_web_gui.conf

        - Search for instances of these permissions:

>   Order allow,deny
>   Allow from all

        - Modify the permissions to look like this (replacing the obvious 
fake address with a real one, multiple 'Allow' lines are permitted):

>    Order deny,allow
>    Allow from AAA.BBB.CCC.DDD/16
>    Deny from All

        - restart httpd (sudo /etc/init.d/httpd restart) or reboot

Please reach out to us at 

 if you have additional questions on status of the vulnerability or our 
response.   

Thanks;

-jason