Dear Abiquo customer,
You will have read about the "Shellshock" vulnerability in the Bash shell. We would like to reassure you that none of the services usually exposed to the internet in an Abiquo installation (Tomcat / Apache serving API, the Web UI, m and am) are vulnerable to this.
Nonetheless, we recommend that you patch the Bash shell on your Abiquo servers to ensure that they cannot be exploited from any other device inside your network.
Abiquo 3.0 or higher
We have updated our repo with the package released by CentOS that contains the bug fix for CVE-2014-6271 and CVE-2014-7169. To install the fix, run "yum update bash bash-docs". No server restart is required. If you update Abiquo from your own repository, please make these packages available through that repo.
Abiquo 2.6.x or lower
These versions are based on CentOS 5, where the package management is different, so you will need to download the bash package manually and install it:
wget http://mirror.centos.org/centos-5/5.10/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm
yum install bash-3.2-33.el5.1.x86_64.rpm
rm bash-3.2-33.el5.1.x86_64.rpm
To verify whether you are vulnerable, run this command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the issue is present, the output will include "vulnerable". Whether you are vulnerable or not, you will see "this is a test".
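The check above can be wrapped so that it returns a result a script can act on, for example when a server has more than one bash binary. This is an added example, not part of Abiquo's notice; the function names classify_output and check_bash are illustrative, and it runs only the check command given above.

```shell
#!/bin/sh
# Added example: scriptable wrapper around the advisory's check command.
# Function names are illustrative and not part of any Abiquo tooling.

# classify_output TEXT -> prints "vulnerable", "patched" or "inconclusive".
classify_output() {
    case "$1" in
        *vulnerable*)       echo vulnerable ;;    # the injected echo ran
        *"this is a test"*) echo patched ;;       # only the intended command ran
        *)                  echo inconclusive ;;  # the test command produced no usable output
    esac
}

# check_bash [PATH] -> runs the advisory's test against one bash binary.
# Return code: 0 patched, 1 vulnerable, 2 inconclusive or binary not found.
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "$bash_bin: not found"
        return 2
    fi
    # stderr is discarded: a patched bash may print a warning about the
    # ignored function definition, which is not part of the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    verdict=$(classify_output "$out")
    echo "$bash_bin: $verdict"
    case "$verdict" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# When run as a script, check every path given as an argument,
# e.g.: sh check_bash.sh /bin/bash /usr/local/bin/bash
for b in "$@"; do
    check_bash "$b"
done
```

An "inconclusive" result means the binary did not print the expected test line at all, so it should be investigated rather than treated as patched.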
If you have any further questions, please contact Abiquo support.