Novell Service Desk vulnerability with GNU Bash Remote Code Execution (aka ShellShock)

  • 7015718
  • 30-Sep-2014
  • 03-Oct-2014

Environment

Novell Service Desk Appliance versions 6.5.4, 7.0, 7.0.1, 7.0.2, 7.0.3

Situation

Shellshock, also known as Bashdoor, is a security vulnerability in the widely used Linux/Unix Bash shell. Novell Service Desk Appliance is affected by this security vulnerability. For more details on this, please visit http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Further information regarding these security issues can be found here:

For Novell Service Desk running on the SLES operating system, please refer to TID 7015702, which provides specific instructions on how to apply the patch to the operating system to address this issue.

For Novell Service Desk Virtual Appliance, please use the information provided in this document in order to overcome this vulnerability.

Resolution

The patch can be downloaded from download.novell.com under the Service Desk product section or by clicking on the link to the shellshock_nsdpatch.sh here.

This patch applies only to the Novell Service Desk Virtual Appliance. It will also be included automatically in any future update for the Novell Service Desk Appliance.

Additional Information

Setting Root Password (skip this step if the root password is already set):
If the root password was not set during deployment, log in to the appliance console via the ESX client (vSphere) and:
select Appliance -> option 1
select Change root password -> option 7
select Enter new password -> option 1
    
Transfer the patch script:
Transfer/copy shellshock_nsdpatch.sh to /tmp on the NSD Appliance using sftp/scp/winscp.

Update the rpm packages:
Log in to the appliance as the root user and execute the following commands to update the packages.
# cd /tmp
# ./shellshock_nsdpatch.sh

Verify the installation:
To verify that the updates have been applied, run the following commands and compare their output with the output shown here.
# rpm -qa | grep bash
bash-3.2-147.14.22.1
# rpm -qa | grep libreadline5
libreadline5-32bit-5.2-147.14.22.1
libreadline5-5.2-147.14.22.1
If there are any issues in applying this patch, please contact Novell technical support for assistance.
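
The comparison in the verification step can also be scripted. The following is an added example, not part of the original Novell document or patch: the helper name check_patched and the sample input are constructed for illustration, and the expected versions are the ones listed above. It compares on the exact package name, so packages such as bash-doc or libreadline5-32bit cannot be mistaken for bash or libreadline5.

```shell
#!/bin/sh
# Added example (not from Novell): scripted form of the verification step.
# Expected name-version-release strings, copied from the output listed above.
EXPECTED="bash-3.2-147.14.22.1
libreadline5-32bit-5.2-147.14.22.1
libreadline5-5.2-147.14.22.1"

# check_patched (hypothetical helper): reads name-version-release lines on stdin,
# prints one status line per expected package, returns 0 only if all match.
check_patched() {
    installed=$(cat)
    rc=0
    for want in $EXPECTED; do
        name=${want%-*-*}   # strip "-version-release" to get the package name
        found=""
        while IFS= read -r line; do
            # Match on the exact name: a substring match on "bash" would also
            # hit bash-doc, and "libreadline5" would hit libreadline5-32bit.
            if [ "${line%-*-*}" = "$name" ]; then found=$line; fi
        done <<EOF
$installed
EOF
        if [ "$found" = "$want" ]; then
            echo "OK       $want"
        elif [ -n "$found" ]; then
            echo "DIFFERS  $found (expected $want)"; rc=1
        else
            echo "MISSING  $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input, not taken from a real appliance: bash is at a
# made-up release and an unrelated bash-doc package is present.
SAMPLE_UNPATCHED="bash-doc-3.2-147.14.22.1
bash-3.2-0.0.0
libreadline5-32bit-5.2-147.14.22.1
libreadline5-5.2-147.14.22.1"

# On the appliance, feed live data instead of the sample:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | check_patched
if printf '%s\n' "$SAMPLE_UNPATCHED" | check_patched; then
    echo "All expected packages are at the patched versions"
else
    echo "Patch not fully applied"
fi
```

The explicit query format keeps any architecture suffix out of the rpm output, so the lines have the same form as the expected strings.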