Grounded in the Cloud

HP Addressing Bash Security Vulnerability

Stephen_Spector

A code injection vulnerability was identified yesterday in the Bash (Linux shell) package that can affect software packages or services that use it. HP began testing the patch on products affected by this issue and a resolution is expected shortly. While initial reports of continued issues on Linux servers after patch installation have emerged in the software community, HP continues to work on an effective resolution to protect organizations running our software.

 

Bash is a common shell which is usually installed and configured by default in Linux installations.

 

The impact of this vulnerability (CVE-2014-6271 and CVE-2014-7169) is that system requests can pass malicious code to Bash in a manner similar to SQL injection attacks. That is, malicious commands passed to Bash may be executed. This is possible because the vulnerability allows function definitions to be accepted as values in environment variables. If these environment variables are exported in a script, they execute as soon as the script runs.

 

Importantly, this may lead to arbitrary code running with the privileges of the user running Bash, which are often root or admin.

 

Currently deployed versions of Bash are subject to this vulnerability.
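To confirm whether a given host's Bash is affected, the following self-test is an added example, not HP's code or part of the original post. It exercises both CVEs named above with harmless payloads; the function names and marker string are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local self-test for CVE-2014-6271 and CVE-2014-7169.
# Payloads only echo a marker or touch a file in a throwaway directory.
# Pass a Bash name found on PATH or an absolute path (default: bash).

# Prints "vulnerable" or "not vulnerable" for CVE-2014-6271.
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    # The variable holds a function definition followed by a trailing command.
    # A vulnerable Bash runs the trailing echo while importing the
    # environment at startup, before it even reaches the -c command.
    out=$(env testvar='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c ':' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "not vulnerable" ;;
    esac
}

# Prints "vulnerable" or "not vulnerable" for CVE-2014-7169.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    tmpdir=$(mktemp -d) || return 2
    # With only the first patch applied, the malformed definition leaves a
    # pending redirect in the parser, so "echo date" is read as "> echo; date"
    # and a file named "echo" appears in the working directory.
    ( cd "$tmpdir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) \
        >/dev/null 2>&1 || true
    if [ -e "$tmpdir/echo" ]; then
        result="vulnerable"
    else
        result="not vulnerable"
    fi
    rm -rf "$tmpdir"
    echo "$result"
}

echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
```

Run it again after each vendor update: a host can pass the first check and still fail the second if only the initial patch has been installed.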

 

The following HP products and services are affected and are being patched:

  • HP CloudSystem
  • HP Helion OpenStack® Community edition
  • HP Helion Development Platform Community edition
  • HP Helion Public Cloud

Fortunately, because many HP Helion products are built atop a special HP implementation of the Linux OS based on Debian, Bash interactions are well known and HP engineers are able to customize patches specifically for HP products.

HP is currently monitoring for a patch for the above products and will test and issue a software update as soon as possible to address the issue.

 

HP will keep you informed regarding the progress of the fix and continues to work diligently to protect users of our products. HP will provide a subsequent update when the software updates are available.

 

For more information on this situation, the CloudFlare blog post on this topic provides excellent background.

 

 

Senior Manager, Cloud Online Marketing
About the Author

Stephen_Spector

I manage the HPE Helion social media and website teams promoting the enterprise cloud solutions at HPE for hybrid, public, and private clouds. I was previously at Dell promoting their Cloud solutions and was the open source community manager for OpenStack and Xen.org at Rackspace and Citrix Systems. While at Citrix Systems, I founded the Citrix Developer Network, developed global alliance and licensing programs, and even once added audio to the DOS ICA client with assembler. Follow me at @SpectorID
