Abiquo and Shellshock

Dear Abiquo customer,

You will have read about the "Shellshock" vulnerability in the Bash shell. We would like to reassure you that none of the services usually exposed to the internet in an Abiquo installation (Tomcat / Apache serving the API, the web UI, m and am) are vulnerable to this.

Nonetheless, we recommend that you patch the Bash shell on your Abiquo servers to ensure that they cannot be exploited from any other device on the inside of your network.

Abiquo 3.0 or higher

We have updated our repo with the package released by CentOS that contains the bug fix for CVE-2014-6271 and CVE-2014-7169. To install the fix, just run "yum update bash bash-docs". No server restart will be required. If you have your own repository from which you update Abiquo, please make these packages available through your own repo.

Abiquo 2.6.x or lower

As these versions are based on CentOS 5 and the package management is different, you will need to download the bash package manually and install it.

    # Download the patched bash package for CentOS 5
    wget http://mirror.centos.org/centos-5/5.10/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm
    # Install the downloaded package
    yum install bash-3.2-33.el5.1.x86_64.rpm
    # Remove the downloaded file
    rm bash-3.2-33.el5.1.x86_64.rpm

To verify whether you are vulnerable, run this command:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the issue is present, the output will include the word "vulnerable". Whether or not you are vulnerable, you will also see "this is a test".
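To run the same check unattended on several servers, the command above can be wrapped so that its output is turned into a verdict. This is an added example, not part of the original advisory or of Abiquo's tooling; the function names and the VULNERABLE / PATCHED / INCONCLUSIVE strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: wraps the advisory's check so it can run without a person
# reading the output. Function names and verdict strings are assumptions.

# classify_output: read the check's stdout on stdin and print a verdict.
classify_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo VULNERABLE
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo PATCHED
    else
        # Neither line appeared: the check itself did not run.
        echo INCONCLUSIVE
    fi
}

# check_bash: run the advisory's command against one bash binary
# (default: the bash found on PATH) and print the verdict.
check_bash() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo INCONCLUSIVE
        return 0
    fi
    # stderr is discarded: a patched bash may print warnings about the
    # function definition it refused to import.
    env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" \
        2>/dev/null | classify_output
}

# Report on the bash found on PATH; list other copies of bash here to
# check them as well.
for b in bash; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

The command tests the original function-import bug (CVE-2014-6271) only, so after a PATCHED verdict also confirm with "rpm -q bash" that the installed package is the updated one covering CVE-2014-7169.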


If you have any further questions, please contact Abiquo support.
