on 09-25-2014 9:44 PM
From testing our 1.00 SP81 system from HP it appears that the version of Linux has this latest vulnerability. Has there been any news from SAP about this? We are contacting HP support to see how to proceed but I thought I would post this as others may want to check into this. It seems like a very severe vulnerability.
The same news reached our platform team as well. Now to be safe they are updating the servers.
Regards,
Krishna Tangudu
Here is the security advisory from Novell/SUSE:
Hi Ryan,
just received info from my colleagues in the SAP Linux Labs:
>>> patches are already available, please see
>>>
>>> http://support.novell.com/security/cve/CVE-2014-0475.html
>>>
>>> SUSE Linux Enterprise Server 11 SP3:
>>> zypper in -t patch slessp3-bash-9740
>>>
>>> SUSE Linux Enterprise Server 11 SP2 LTSS:
>>> zypper in -t patch slessp2-bash-9736
>>>
>>> SUSE Linux Enterprise Server 11 SP1 LTSS:
>>> zypper in -t patch slessp1-bash-9738
>>>
>>>
>>> Red Hat Enterprise Linux 6.5
>>> yum update bash-4.1.2-15.el6_5.1
regards,
Lars
Hi everyone,
Do note that the fix provided in patch 9740/9736/9738 for bash on SuSE is not a full patch. It prevents the immediate severe bug [1], but exposes another [2] related vulnerability. Apply the patch right away, but please keep monitoring the Novell advisories.
Ninad
[1] - http://support.novell.com/security/cve/CVE-2014-6271.html
[2] - CVE-2014-7169
When I try this on our Hana v70 instance, I get
Refreshing service 'susecloud'.
Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
Loading repository data...
Reading installed packages...
'slessp2-bash-9736' not found in package names. Trying capabilities.
No provider of 'patch:slessp2-bash-9736' found.
Resolving package dependencies...
Nothing to do.
Obviously, no repositories are defined on that machine. Can you please specify what to do in that case? Thanks.
Cheers,
-- Micha
Hi Micha,
I was not successful with that command either, but the following commands helped me:
zypper list-patches | grep bash
zypper search -t patch slessp3-bash
Remove the patch number at the end, and you will see a list of patches (I was testing on a SP3 box, hence the sp3 above). Installing those patches should also be similar, please check the SuSE documentation!
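As an added example that is not part of any post in this thread: a small shell helper that triages `zypper list-patches` output the way the reply above does by hand, listing pending bash patches and recognizing the "No repositories defined" case reported earlier. The `|`-separated column layout, the repository name and the sample rows are assumptions constructed for illustration, not output captured from a real system.

```shell
#!/bin/sh
# Added example: triage zypper output for pending bash patches.
# Assumption: the patch table is '|'-separated with the columns
# Repository | Name | Version | Category | Status.

# Read a patch table on stdin; print "name-version" for every bash
# patch whose Status column is "needed".
pending_bash_patches() {
    awk -F'|' '
        NF >= 5 {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 ~ /-bash$/ && $5 == "needed") print $2 "-" $3
        }'
}

# Classify a zypper run read on stdin:
#   no-repos  no update source is configured, nothing can be installed
#   pending   at least one bash patch is still needed
#   clean     no bash patch is listed as needed
bash_patch_state() {
    out=$(cat)
    case $out in
        *"No repositories defined"*) echo "no-repos"; return 0 ;;
    esac
    if [ -n "$(printf '%s\n' "$out" | pending_bash_patches)" ]; then
        echo "pending"
    else
        echo "clean"
    fi
}

# Constructed sample table (only patch number 9740 comes from the thread).
SAMPLE_LP='Repository         | Name         | Version | Category    | Status
-------------------+--------------+---------+-------------+----------
SLES11-SP3-Updates | slessp3-bash | 9740    | security    | needed
SLES11-SP3-Updates | slessp3-zlib | 1234    | recommended | needed
SLES11-SP3-Updates | slessp3-bash | 9000    | security    | installed'

# Constructed sample of the failure case, using the warning text quoted above.
SAMPLE_NOREPO="Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed."

# On a live host: zypper list-patches 2>&1 | bash_patch_state
printf '%s\n' "$SAMPLE_LP" | pending_bash_patches
```

A "no-repos" result means the host cannot receive the fix through zypper at all until an update source is configured, so it should be tracked as unpatched rather than as clean.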
Hi Micha,
sorry - but what repositories need to be setup for these systems has to be defined by the Linux admin/the hardware provider for SAP HANA.
My best guess is that you need to have a proper support contract for this SLES server - with that you can access the online update repositories for the SLES enterprise server updates.
- Lars
Hi Jochen,
no thank you, we have no DNS problem, I would know about it 🙂 No repository is configured:
# zypper repos
No repositories defined. Use the 'zypper addrepo' command to add one or more repositories.
There is just one service, to which we have no password:
# zypper ref -s
Refreshing service 'nu_novell_com'.
Authentication required for 'https://nu.novell.com/?credentials=NCCcredentials'
User Name: bc599208a29b4b92b33fe580ccb54edf
-- Micha
Hi Ryan
Could you please be more specific here?
What vulnerability are you referring to? Could you post a link to it?
Thanks
Lars
Lars,
Below is a link from arstechnica:
The Bash vulnerability, now dubbed by some as "Shellshock," has been reportedly found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows for attacks to succeed, according to a new CERT alert. See Ars' latest report for further details, our initial report is below.
A Google search will reveal more news on the vulnerability. We ran the test shown on our HANA system and it revealed the vulnerability.