===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2014.1778
ZENworks Configuration Management vulnerability with GNU Bash Remote
Code Execution (aka ShellShock)
7 October 2014

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Novell ZENworks Configuration Management
Publisher:         Novell
Operating System:  Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7187 CVE-2014-7186 CVE-2014-7169
                   CVE-2014-6278 CVE-2014-6277 CVE-2014-6271

Reference:         ASB-2014.0114
                   ASB-2014.0111
                   ESB-2014.1776
                   ESB-2014.1774
                   ESB-2014.1764
                   ESB-2014.1755
                   ESB-2014.1754
                   ESB-2014.1749
                   ESB-2014.1746

Original Bulletin:
   http://www.novell.com/support/kb/doc.php?id=7015721

--------------------------BEGIN INCLUDED TEXT--------------------

ZENworks Configuration Management vulnerability with GNU Bash Remote Code
Execution (aka ShellShock)

Document ID: 7015721
Creation Date: 30-SEP-14
Modified Date: 06-OCT-14

This document (7015721) is provided subject to the disclaimer at the end of
this document.

Environment

Novell ZENworks Configuration Management 11.3
Novell ZENworks Configuration Management 11.2
Novell ZENworks Configuration Management 11.1
Novell ZENworks Configuration Management 11
Novell ZENworks Configuration Management 10.3

Situation

Shellshock, also known as Bashdoor, is a security vulnerability in the widely
used Linux/Unix Bash shell. Novell ZENworks Configuration Management is
affected by this security vulnerability.

For more details on this, please visit
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Further information regarding these security issues can be found here:

http://support.novell.com/security/cve/CVE-2014-6271.html
http://support.novell.com/security/cve/CVE-2014-6277.html
http://support.novell.com/security/cve/CVE-2014-6278.html
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html

For ZENworks Configuration Management running on SLES operating system,
please refer to TID 7015702, which provides specific instructions on how to
apply the patch to the Operating System to address this issue.

For ZENworks Virtual Appliance, please use the information provided in this
document in order to overcome this vulnerability.

Resolution

The patch and instructions can be downloaded from download.novell.com under
ZENworks Configuration Management product section, or directly by clicking on
this link.

This patch applies only to ZEN Virtual Appliance. On the other hand, this
patch will also be automatically included in any future update for ZCM
Appliance.

Status

Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE
customers and parties interested in our products and solutions to acquire
information, ideas and learn from one another. Materials are provided for
informational, personal or non-commercial use within your organization and
are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================