Security advisory: CVE-2014-6271 CVE-2014-7169 Shell Shock Vulnerability

 

Overview

 

This document addresses the impact on Aspera products of the bash vulnerabilities CVE-2014-6271 and CVE-2014-7169 (“Shell Shock”), reported Sep 25th 2014.

 

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

 

Affected Products

 

Aspera Connect Server         

Linux, Mac, Solaris, FreeBSD, Isilon

AFFECTED ONLY IF USING THE “DIRECTORY LISTING” USER INTERFACE FEATURE


NO OTHER FEATURES AFFECTED


The affected bash shell component is not part of the Aspera package, but the vulnerability affects the Aspera Connect Server “directory listing” feature on Unix platforms.


IMMEDIATE ACTION REQUIRED


Upgrade your Unix OS to include fixes for CVE-2014-6271 and CVE-2014-7169.

For example, on CentOS/Red Hat Linux variants, run:

 yum update bash

For Mac OS X, refer to this article: https://support.asperasoft.com/entries/100533883


HOW TO TEST IF YOU ARE AFFECTED

See the test procedure below.

Aspera Connect Server

Windows

NOT AFFECTED

Aspera Enterprise Server

NOT AFFECTED


ACTION REQUIRED

As good practice, we advise you to upgrade your Unix OS to include fixes for CVE-2014-6271 and CVE-2014-7169.


For example, on CentOS/Red Hat Linux variants, run:

 yum update bash

For Mac OS X, refer to this article: https://support.asperasoft.com/entries/100533883

Aspera Console

Aspera Faspex

Aspera Shares

Aspera Orchestrator

NOT AFFECTED


ACTION REQUIRED

As good practice, we advise you to upgrade your Unix OS to include fixes for CVE-2014-6271 and CVE-2014-7169.

Aspera OnDemand for Amazon

NOT AFFECTED FOR OUT OF THE BOX USE


The DIRECTORY LISTING USER INTERFACE feature that uses bash is present on Aspera OnDemand images but is disabled by default. The product is only affected if customers have manually enabled this feature.


ACTION REQUIRED

As good practice, we advise you to upgrade your OS to include fixes for CVE-2014-6271 and CVE-2014-7169.

For example, on CentOS/Red Hat Linux variants, run:

 yum update bash

For Mac OS X, refer to this article: https://support.asperasoft.com/entries/100533883

Aspera OnDemand for Azure, Softlayer, Google Cloud

NOT AFFECTED


ACTION REQUIRED

If you are running your own cloud instance, as good practice we advise you to upgrade your Unix OS to include fixes for CVE-2014-6271 and CVE-2014-7169.

For example, on CentOS/Red Hat Linux variants, run:

 yum update bash

For Mac OS X, refer to this article: https://support.asperasoft.com/entries/100533883

 

Aspera client products


Client, Connect, Drive, Cargo, Outlook Plugin

NOT AFFECTED


NO ACTION REQUIRED



How to test if your Connect Server “directory listing” application is vulnerable

 

This test requires “curl” and can be executed on the command line on Windows or Unix systems.

You need the following information:

  • the URL to your Connect Server “directory listing” site (for example: http://demo.asperasoft.com/aspera/user/)

  • a valid user and password for Connect Server (replace the below USER:PASSWORD text with the real user name and password)

 

curl -u USER:PASSWORD -i -X HEAD "http://demo.asperasoft.com/aspera/user/" -A '() { :;}; echo VULNERABLE>/tmp/VULNERABLE'

 

After running this command, if a file called /tmp/VULNERABLE exists on your server, your server is affected by the vulnerability.
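
To see whether requests of this kind have already reached a server, the following added example (not part of the original advisory and not Aspera code) scans a web access log for the "() {" function-definition prefix that the test command above places in the User-Agent header. It assumes the Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report access-log entries whose quoted fields (request line,
# Referer, User-Agent) contain the bash function-definition prefix "() {".
# Assumes Apache "combined" log format. All sample data below is constructed.

scan_shellshock() {
    # $1 = access log path. Output: client<TAB>timestamp<TAB>field<TAB>value
    awk '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
        line = $0
        gsub(/\\"/, "\001", line)     # Apache logs an embedded quote as \" : hide it
        n = split(line, f, "\"")      # even-numbered pieces are the quoted fields
        split(f[1], pre, " ")         # pre[1] = client address
        a = index(f[1], "["); b = index(f[1], "]")
        ts = substr(f[1], a + 1, b - a - 1)       # text between [ and ]
        for (i = 2; i <= n; i += 2) {
            if (f[i] !~ /[(][ \t]*[)][ \t]*[{]/) continue
            v = f[i]; gsub("\001", "\"", v)       # show the quote as originally sent
            label = (i in name) ? name[i] : ("field" i)
            printf "%s\t%s\t%s\t%s\n", pre[1], ts, label, v
        }
    }' "$1"
}

sample_log() {
    # Constructed log lines: one ordinary browser request, the advisory test
    # request, and one request carrying the prefix in the Referer field.
    cat <<'EOF'
192.0.2.10 - alice [26/Sep/2014:10:01:12 +0000] "GET /aspera/user/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - alice [26/Sep/2014:10:02:40 +0000] "HEAD /aspera/user/ HTTP/1.1" 200 - "-" "() { :;}; echo VULNERABLE>/tmp/VULNERABLE"
203.0.113.5 - - [26/Sep/2014:10:03:05 +0000] "GET /aspera/user/ HTTP/1.1" 401 381 "() { :; }; echo \"x\"" "curl/7.30.0"
EOF
}

# Demonstration run over the constructed sample.
log=$(mktemp) && sample_log > "$log" && scan_shellshock "$log"; rm -f "$log"
```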


