{"id":1887,"date":"2014-10-02T07:58:05","date_gmt":"2014-10-02T05:58:05","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=1887"},"modified":"2014-10-02T08:43:06","modified_gmt":"2014-10-02T06:43:06","slug":"oracle-software-appliances-and-bash-shellshock","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2014\/10\/oracle-software-appliances-and-bash-shellshock\/","title":{"rendered":"Oracle Software Appliances and Bash Shellshock"},"content":{"rendered":"<p>In late September, a vulnerability in the Bash shell was published. The vulnerability, also known as Shellshock, was classified as extremely critical. In the meantime, security patches have been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is used as the operating system of the two Oracle software appliances <em>Oracle Audit Vault and Database Firewall<\/em> and <em>Oracle Key Vault<\/em>. Oracle has published two My Oracle Support Notes which describe how the patch must be installed on the appliance software. The installation is quite straightforward: get the patch from Oracle&#8217;s <a href=\"http:\/\/public-yum.oracle.com\">public yum repository<\/a> and install it on the appliance. \ud83d\ude42 But be aware that the two appliances are still running Oracle Enterprise Linux 5.<\/p>\n<p>Steps to copy, install and verify the bash shell bugfix:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\r\n[support@melete ~]$ su -\r\nPassword: \r\n\r\n[root@melete ~]# env x=&#039;() { :;}; echo vulnerable&#039; bash -c &quot;echo this is a test&quot;\r\nvulnerable\r\nthis is a test\r\n\r\n[root@melete ~]# rpm -Uvh \/tmp\/bash-3.2-33.el5_11.4.x86_64.rpm \r\nwarning: \/tmp\/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159\r\nPreparing...                
########################################### [100%]\r\n   1:bash                   ########################################### [100%]\r\n\r\n[root@melete ~]# rpm -qa | grep -i bash \r\nbash-3.2-33.el5_11.4\r\n\r\n[root@melete ~]# env x=&#039;() { :;}; echo vulnerable&#039; bash -c &quot;echo this is a test&quot;\r\nthis is a test\r\n\r\n<\/pre>\n<h3>References<\/h3>\n<p>Some links related to the Bash Shellshock vulnerability.<\/p>\n<ul>\n<li>CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Key Vault [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1931880.1\" target=\"_blank\">1931880.1<\/a><\/em>]<\/li>\n<li>CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Audit Vault and Database Firewall [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1931021.1\" target=\"_blank\">1931021.1<\/a><\/em>]<\/li>\n<li><a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/alert-cve-2014-7169-2303276.html\" target=\"_blank\">Oracle Security Alert for CVE-2014-7169<\/a><\/li>\n<li><a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/alerts-086861.html\" target=\"_blank\">Critical Patch Updates, Security Alerts and Third Party Bulletin<\/a><\/li>\n<li>Oracle <a href=\"http:\/\/public-yum.oracle.com\" target=\"_blank\">Public Yum Server<\/a><\/li>\n<li>Vulnerability Summary for <a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2014-6271\" target=\"_blank\">CVE-2014-6271<\/a><\/li>\n<li>Vulnerability Summary for <a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2014-7169\" target=\"_blank\">CVE-2014-7169<\/a><\/li>\n<li>Wikipedia <a href=\"http:\/\/en.wikipedia.org\/wiki\/Shellshock_(software_bug)\" target=\"_blank\">Shellshock<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In late September, a vulnerability in the Bash shell was published. 
The vulnerability, also known as Shellshock, was classified as extremely critical. In the meantime, security patches have been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is used as the operating system of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Oracle Software Appliances and Bash Shellshock http:\/\/wp.me\/p1aErb-ur #trivadis #avdf","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[88,134,11],"tags":[18],"class_list":["post-1887","post","type-post","status-publish","format-standard","hentry","category-avdf","category-okv","category-security","tag-trivadiscontent"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-ur","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":982,"url":"https:\/\/www.oradba.ch\/wordpress\/2013\/01\/new-oracle-audit-vault-and-database-firewall\/","url_meta":{"origin":1887,"position":0},"title":"New Oracle Audit Vault and Database Firewall","author":"Stefan","date":"14. 
January 2013","format":false,"excerpt":"In the hustle and bustle of the Christmas season, it went under that Oracle had released a new version of Oracle Audit Vault respectively Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look into the new release. What's New About a year\u2026","rel":"","context":"In &quot;Audit&quot;","block_context":{"text":"Audit","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/OverviewAVDF.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/OverviewAVDF.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/OverviewAVDF.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":1690,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/05\/audit-vault-and-database-firewall-12-1-2\/","url_meta":{"origin":1887,"position":1},"title":"Audit Vault and Database Firewall 12.1.2","author":"Stefan","date":"7. May 2014","format":false,"excerpt":"Oracle has just released a new Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle's Software Delivery Cloud. It look's like Oracle added a bunch of Enterprise-Grade Features like iSCSI SAN Disk, NFS Storage as well as SYSLOG integration. 
Starting with this\u2026","rel":"","context":"In &quot;Audit Vault and Database Firewall&quot;","block_context":{"text":"Audit Vault and Database Firewall","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/audit-vault-and-database-firewall\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1673,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/oracle-and-openssl-heartbleed-vulnerability\/","url_meta":{"origin":1887,"position":2},"title":"Oracle and OpenSSL &#8216;Heartbleed&#8217; vulnerability","author":"Stefan","date":"13. April 2014","format":false,"excerpt":"Earlier this week the OpenSSL Project as well US-CERT informed about a Security Vulnerability in OpenSSL. See OpenSSL Security Advisory or US-CERT Alert (TA14-098A) The vulnerability may affect Oracle Products as well, since some of them do use OpenSSL. So far Oracle did not provide dedicate information on it's public\u2026","rel":"","context":"In &quot;12cR1&quot;","block_context":{"text":"12cR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/12cr1\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2057,"url":"https:\/\/www.oradba.ch\/wordpress\/2015\/11\/release-of-audit-vault-and-database-firewall-12-1-2-bundle-patch-7\/","url_meta":{"origin":1887,"position":3},"title":"Release of Audit Vault and Database Firewall 12.1.2 Bundle Patch 7","author":"Stefan","date":"9. November 2015","format":false,"excerpt":"Today Oracle released the new Bundle Patch for Audit Vault and Database Firewall 12.1.2. The patch can be downloaded as usual on Oracle Metalink as Patchset 21920205 for existing installations. The full installation image for new installations is not yet available on Oracle eDelivery. 
I guess this will follow in\u2026","rel":"","context":"In &quot;Audit Vault and Database Firewall&quot;","block_context":{"text":"Audit Vault and Database Firewall","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/audit-vault-and-database-firewall\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1373,"url":"https:\/\/www.oradba.ch\/wordpress\/2013\/08\/avdf-linux-kernel-could-not-recognize-whole-ram\/","url_meta":{"origin":1887,"position":4},"title":"AVDF Linux kernel could not recognize whole RAM","author":"Stefan","date":"12. August 2013","format":false,"excerpt":"After initial setup of an Audit Vault and Database Firewall engineering system, I've started to add several audit vault agents and secure targets. In the beginning it went quite smoothly. But after a certain number of secured targets, there were continuously ORA-04031 errors. Most of the errors were related to\u2026","rel":"","context":"In &quot;Audit Vault and Database Firewall&quot;","block_context":{"text":"Audit Vault and Database Firewall","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/audit-vault-and-database-firewall\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1970,"url":"https:\/\/www.oradba.ch\/wordpress\/2015\/05\/release-of-audit-vault-and-database-firewall-12-1-2-bundle-patch-5\/","url_meta":{"origin":1887,"position":5},"title":"Release of Audit Vault and Database Firewall 12.1.2 Bundle Patch 5","author":"Stefan","date":"15. May 2015","format":false,"excerpt":"Today Oracle released the new Bundle Patch for Audit Vault and Database Firewall 12.1.2. The patch can be downloaded as usual on Oracle Metalink as Patchset 20829881 for existing installations. The full installation image for new installations is not yet available on Oracle eDelivery. 
I guess this will follow in\u2026","rel":"","context":"In &quot;Audit Vault and Database Firewall&quot;","block_context":{"text":"Audit Vault and Database Firewall","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/audit-vault-and-database-firewall\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=1887"}],"version-history":[{"count":6,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1887\/revisions"}],"predecessor-version":[{"id":1893,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1887\/revisions\/1893"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=1887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=1887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=1887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}