SAP HANA/SUSE Linux GNU bash code injection vulnerability

Former Member
0 Kudos

From testing our 1.00 SP81 system from HP it appears that the version of Linux has this latest vulnerability.  Has there been any news from SAP about this?  We are contacting HP support to see how to proceed but I thought I would post this as others may want to check into this.  It seems like a very severe vulnerability.

Answers (3)

former_member182302
Active Contributor
0 Kudos

The same news reached our platform team as well. Now to be safe they are updating the servers.

Regards,

Krishna Tangudu

Former Member
0 Kudos

Here is the security advisory from Novell/SUSE:

CVE-2014-6271

lbreddemann
Active Contributor
0 Kudos

Hi Ryan,

just received info from my colleagues in the SAP Linux Labs:


>>> patches are already available, please see

>>>

>>> http://support.novell.com/security/cve/CVE-2014-0475.html

>>>

>>> SUSE Linux Enterprise Server 11 SP3:

>>> zypper in -t patch slessp3-bash-9740

>>>

>>> SUSE Linux Enterprise Server 11 SP2 LTSS:

>>> zypper in -t patch slessp2-bash-9736

>>>

>>> SUSE Linux Enterprise Server 11 SP1 LTSS:

>>> zypper in -t patch slessp1-bash-9738

>>>

>>>

>>> Red Hat Enterprise Linux 6.5

>>> yum update bash-4.1.2-15.el6_5.1

regards,

Lars

Former Member
0 Kudos

Thanks Lars!  We have a case open with our HANA vendor, as they asked us to contact them for Linux updates.

Former Member
0 Kudos

Hi everyone,

Do note that the fix provided in patch 9740/9736/9738 for bash on SuSE is not a full patch. It prevents the immediate severe bug [1], but exposes another [2] related vulnerability. Apply the patch right away, but please keep monitoring the Novell advisories.

Ninad

[1] - http://support.novell.com/security/cve/CVE-2014-6271.html

[2] - CVE-2014-7169

Former Member
0 Kudos

When I try this on our Hana v70 instance, I get

Refreshing service 'susecloud'.
Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
Loading repository data...
Reading installed packages...
'slessp2-bash-9736' not found in package names. Trying capabilities.
No provider of 'patch:slessp2-bash-9736' found.
Resolving package dependencies...
Nothing to do.

Obviously, no repositories are defined on that machine. Can you please specify what to do in that case? Thanks.

Cheers,

-- Micha

Former Member
0 Kudos

Hi Micha,

I was not successful with that command either, but the following commands helped me:

zypper list-patches | grep bash

zypper search -t patch slessp3-bash

Remove the patch number at the end, and you will see a list of patches (I was testing on a SP3 box, hence the sp3 above). Installing those patches should also be similar, please check the SuSE documentation!

Former Member
0 Kudos

Unfortunately, this does not work either, I've already tried:

# zypper list-patches
Refreshing service 'susecloud'.
Loading repository data...
Reading installed packages...
No updates found.

-- Micha

lbreddemann
Active Contributor
0 Kudos

Hi Micha,

sorry - but what repositories need to be set up for these systems has to be defined by the Linux admin/the hardware provider for SAP HANA.

My best guess is that you need to have a proper support contract for this SLES server - with that you can access the online update repositories for the SLES enterprise server updates.

- Lars

Former Member
0 Kudos

Hi Lars,

this is an AWS instance.

-- Micha

lbreddemann
Active Contributor
0 Kudos

Sorry - no idea on how the SLES support is set up for those.

- Lars

Former Member
0 Kudos

Hi Micha,

some basic testing, can you resolve the hostname from your HANA host?

default-ec2-update.susecloud.net

depending on your SLES version your repository will be picked up if configured.

If you're unable to resolve the hostname, then you have a DNS issue.

-Jochen

Former Member
0 Kudos

Hi Jochen,

no thank you, we have no DNS problem, I would know about it 🙂 No repository is configured:

# zypper repos
No repositories defined. Use the 'zypper addrepo' command to add one or more repositories.

There is just one service, to which we have no password:

# zypper ref -s
Refreshing service 'nu_novell_com'.
Authentication required for 'https://nu.novell.com/?credentials=NCCcredentials'
User Name: bc599208a29b4b92b33fe580ccb54edf

-- Micha

Former Member
0 Kudos

Hi Micha,

I'm using AWS, but used a cloud formation template to build HANA, see attached repo file

-Jochen

lbreddemann
Active Contributor
0 Kudos

Hi Ryan

Could you please be more specific here?

What vulnerability are you referring to? Could you post a link to it?

Thanks

Lars

Former Member
0 Kudos

Lars,

Below is a link from arstechnica:

The Bash vulnerability, now dubbed by some as "Shellshock," has been reportedly found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows for attacks to succeed, according to a new CERT alert. See Ars' latest report for further details, our initial report is below.


A Google search will reveal more news on the vulnerability. We ran the test shown on our HANA system and it revealed the vulnerability.

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with...
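Building on the patch list Lars quoted, Ninad's note that the first fix leaves CVE-2014-7169 open, and the test Ryan mentions, here is an added host check (my own script, not from the thread, SAP or SUSE) that an admin can run on a HANA box to confirm both fixes have landed; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, SAP or SUSE): a defender-side check that
# reports whether the installed bash is still affected by CVE-2014-6271 and by
# the follow-up CVE-2014-7169, using the diagnostic checks vendors published.

# Prints the installed bash package or version so it can be compared with the
# patch levels quoted above (e.g. bash-4.1.2-15.el6_5.1 on RHEL 6.5).
installed_bash() {
    if command -v rpm >/dev/null 2>&1 && rpm -q bash >/dev/null 2>&1; then
        rpm -q bash
    elif command -v bash >/dev/null 2>&1; then
        bash -c 'echo "bash $BASH_VERSION"'
    else
        echo "bash not found"
    fi
}

# CVE-2014-6271: an unpatched bash imports the function from the environment
# and also executes the trailing command, so "vulnerable" appears on stdout.
# Prints vulnerable / patched / no-bash and returns 1 / 0 / 2.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix leaves the parser in a bad state, so
# "echo date" is turned into a redirection and a file literally named "echo"
# appears. The check runs in a throwaway directory so nothing is left behind.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    tmp=$(mktemp -d) || { echo no-tmpdir; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"; echo vulnerable; return 1
    fi
    rm -rf "$tmp"; echo patched; return 0
}

# Report all three; a "vulnerable" line means the host still needs the patch.
main() {
    echo "installed:     $(installed_bash)"
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}
main "$@"
```

Run it as root on the HANA host before and after applying the SUSE patches; on a fully patched system both CVE lines read "patched".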

lbreddemann
Active Contributor
0 Kudos

Thanks for the details!

I will forward this one to the dev-colleagues.

However, as this is not SAP HANA specific, but as the article from arstechnica states "affects anything that runs *nix" this thread better fits into the forum.

Anyway - thanks again for pointing this out.

- Lars