Shellshock Bash Vulnerability and its impact on eDirectory

  • 7015720
  • 30-Sep-2014
  • 30-Sep-2014

Environment

NetIQ eDirectory 8.8 SP8 for All Platforms
NetIQ iManager 2.7 SP7
NetIQ Modular Authentication Service (NMAS)
iMonitor / HTTP stack

Situation

The Bash shell security vulnerabilities, collectively known as Shellshock, have introduced uncertainty for many administrators as they determine whether, or to what extent, they may be exposed to them. A good overview of the issue from a SUSE perspective can be found here:
 
Administrators want to know if eDirectory, eDirectory's components or its management utility (iManager) are affected in any way.

Resolution

After a thorough code review it has been determined that this is strictly a vulnerability in the Bash shell shipped with the operating system (Linux and other Unix-like platforms), not in eDirectory. eDirectory is not affected. Shellshock requires two things in combination: an environment variable set to a value supplied by a client, and a Bash process started afterwards that inherits it. There is no place in the eDirectory code where this happens. This includes iManager and iMonitor.
 
The operating system's Bash package must be patched in order to protect a machine from this vulnerability, regardless of what applications run on it. In the case of SUSE Linux Enterprise Server, patches have already been made available.
 
Below are the CVEs that currently make up Shellshock.
 
1. CVE-2014-6271: the initial vulnerability. A function definition imported from an environment variable also executes whatever command follows the closing brace.
 
2. CVE-2014-7169: the fix for CVE-2014-6271 was incomplete; parser state still leaked past the imported function body.
----- The SUSE patch for this also includes CVE-2014-7186 and CVE-2014-7187, two related parser crash bugs.
 
3. Two newer ones, CVE-2014-6277 and CVE-2014-6278, are avoided by the Bash hardening patch, which only treats specially named environment variables (the BASH_FUNC_ prefix) as function definitions instead of any variable whose value starts with "() {".
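Added example, not part of this TID or of any NetIQ or SUSE tooling: a POSIX sh script that probes the bash binary on PATH for the CVEs listed above and for the presence of the function-import hardening. The probe strings are the publicly circulated test cases for each CVE; the function names, the temporary-directory handling and the exported function called "probe" are this example's own choices. Run it on an eDirectory or iManager host after applying the vendor patch; every line should read "patched" or "hardened".

```shell
#!/bin/sh
# Shellshock host check (example code, not from the TID).
# Each check_* prints one word ("patched", "VULNERABLE" or "no-bash") and
# returns 0 when safe, 1 when vulnerable.  If bash is not installed the
# host cannot be exposed to Shellshock, so "no-bash" counts as safe.

have_bash() { command -v bash >/dev/null 2>&1; }

# CVE-2014-6271: a variable whose value starts with "() {" is imported as a
# function, and bash also runs the command after the closing brace.
# "env VAR=... bash" is exactly what a web server does when it copies a
# request header into the environment and then execs a bash CGI script.
check_6271() {
    have_bash || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo VULNERABLE; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: with only the first fix applied, parser state leaks out of
# the imported definition.  The dangling "\" joins the next line, so the
# command "echo date" becomes "date > echo": a file named "echo" appearing
# in the working directory means the host is vulnerable.
check_7169() {
    have_bash || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo error; return 2; }
    payload='() { (a)=>\'
    ( cd "$dir" && env X="$payload" bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo VULNERABLE; return 1
    fi
    rm -rf "$dir"; echo patched; return 0
}

# CVE-2014-6278: still exploitable on a bash that has the 6271 and 7169
# fixes but not the function-import hardening (see check_hardening).
check_6278() {
    have_bash || { echo no-bash; return 0; }
    payload='() { _; } >_[$($())] { echo vulnerable; }'
    out=$(env X="$payload" bash -c : 2>/dev/null)
    case "$out" in
        *vulnerable*) echo VULNERABLE; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Hardening check: a hardened bash exports functions under a reserved name
# (BASH_FUNC_name%% upstream, BASH_FUNC_name() on some early vendor builds)
# and only parses such variables as functions.  An unhardened bash exports
# the function under its bare name, so any variable can carry a definition.
check_hardening() {
    have_bash || { echo no-bash; return 0; }
    name=$(bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
           | sed -n 's/^\(BASH_FUNC_probe[^=]*\)=.*/\1/p')
    case "$name" in
        BASH_FUNC_probe*) echo "hardened:$name"; return 0 ;;
        *)                echo not-hardened;     return 1 ;;
    esac
}

# Run every probe, print a summary line per probe and return the number of
# vulnerable results (0 means the host passed all checks).
shellshock_scan() {
    bad=0
    for c in check_6271 check_7169 check_6278 check_hardening; do
        r=$($c) || bad=$((bad + 1))
        printf '%-16s %s\n' "$c" "$r"
    done
    return $bad
}

shellshock_scan
```

The scan exits non-zero when any probe fails, so it can be dropped into a fleet check that runs it over SSH on every eDirectory and iManager host and reports the ones still needing the Bash update.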
 
 
NOTE: It has also been determined that eDirectory is unaffected by a separate, unrelated vulnerability, CVE-2014-1568 (an RSA signature verification flaw in Mozilla NSS). None of eDirectory's server components use Mozilla NSS. While it is possible to configure Java to use NSS as its security provider, this is not the default configuration of iManager as installed.