ScQuinn (Absent Member)

ShellShock Vulnerability

Hi All,

In the PPM installation, we are looking to see if our installation is vulnerable to the Shellshock vulnerability due to Cygwin.

Is there any HP guidance on this?

Are there any instructions for updating any components that may be vulnerable?

Thanks.

HP PPM - V9.22.0000

Windows 2008 Server Installation

Micro Focus Expert

Re: ShellShock Vulnerability

Hi Scott,

Whether or not your Cygwin version is vulnerable depends on the Bash version included.

You can get more info from this link:

https://cygwin.com/ml/cygwin-announce/2014-10/msg00004.html

It includes information on how to test whether you are affected by the vulnerability or not, as well as more info on the updates that should be applied in order to get it fixed.

Note that from a pure PPM perspective, HP PPM Center itself is not directly affected; it all depends on the version of Bash you are running on the OS hosting PPM (be it in Cygwin or *nix).

Thanks,

Etienne.

Loc_Nguyen_PPM (Outstanding Contributor)

Re: ShellShock Vulnerability

Hi ScQuinn,

As Etienne said, PPM is not affected. Also, I am sending you the document from the HP Networking GNU ShellShock Security Advisory. You can take a look at this document to know which HP products are impacted by ShellShock.

Regards.

“HP Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”
ScQuinn (Absent Member)

Re: ShellShock Vulnerability

Thanks for the information.

Is there a version of Cygwin that is patched for Shellshock that HP recommends?

Looking at the System Compatibility matrix, are any of these versions of OpenSSH (Cygwin) not vulnerable, and would they be recommended by HP?

OpenSSH (included in Cygwin)
Version 4.5p1
Version 4.6p1
Version 4.7p1
Version 4.9p1
Version 5.1p1

Thanks.

Jason Nichols K (Absent Member)

Re: ShellShock Vulnerability

OpenSSH and Bash are two different packages. While OpenSSH is listed in the compatibility matrix with specific supported versions, Bash is just listed as a requirement to be installed on source and destination servers. Based on that, I would recommend getting the latest, patched version of Bash that is included with Cygwin. The Cygwin website states that all versions of Bash since version 4.1.13-6 have been protected against the ShellShock vulnerabilities, but they have found other issues while testing the extent of the attacks and have corrected those issues as well.

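The Cygwin announcement linked earlier in the thread describes how to test a Bash build. As an added example (not from this thread, HP or Cygwin), the script below runs the standard Shellshock self-check against the Bash found on PATH (or a path you pass, e.g. a Cygwin bin directory) and prints its version next to the result. It assumes a POSIX sh to run the script itself and that the Bash under test accepts `-c`.

```shell
#!/bin/sh
# Added example (not from the thread or from HP/Micro Focus): probe a Bash
# binary with the well-known Shellshock self-test. An environment variable
# shaped like an exported function definition carries a trailing command;
# an unpatched Bash runs that trailing command while importing the function,
# a patched Bash treats the whole value as plain text.

# Usage: check_shellshock [path-to-bash]   (defaults to "bash" on PATH)
# Prints exactly one of: vulnerable, patched, missing. Always returns 0 so
# it can be used inside command substitution under "set -e".
check_shellshock() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # The marker command is harmless and only ever executed by an unpatched Bash.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# Print the Bash version string with the result so it can be compared with
# the package level the thread mentions as fixed in Cygwin (4.1.13-6).
# Exit status: 0 patched, 1 vulnerable, 2 missing.
report_bash() {
    shell="${1:-bash}"
    status=$(check_shellshock "$shell")
    if [ "$status" = "missing" ]; then
        echo "$shell: not found on PATH"
        return 2
    fi
    ver=$("$shell" -c 'echo "$BASH_VERSION"' 2>/dev/null)
    echo "$shell ($ver): $status"
    [ "$status" = "patched" ]
}

report_bash "$@"
```

Run it from a Cygwin shell as `sh check.sh` or point it at a specific binary with `sh check.sh /usr/bin/bash`; a non-zero exit status means the Bash package should be updated.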
Loc_Nguyen_PPM (Outstanding Contributor)

Re: ShellShock Vulnerability

Hi,

A quick explanation for this is that Shellshock is a vulnerability in the bash shell, but in order to be exploited the server would need to use bash as the standard or default command interpreter; in Windows it would be the command prompt (that's not 100% accurate, but for all intents and purposes that's what you need to know). So if someone is trying to access the server from an external source, the responding shell is not bash, so they would not be able to exploit it to gain administrator privileges or run a command remotely, unless they already have access to the server with a credential that would allow them to use Cygwin; if that's the case, they would already be compromised.

In conclusion, you don't have to worry about your PPM application, since it won't be affected by this vulnerability.

However, HP is going to provide the notice via a security bulletin, so customers will receive mitigation guidelines based on the analysis made for these cases.

Regards.

“HP Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”