Flash (Alert)

Abstract

IBM HTTP Server and WebSphere Application Server, as shipped out of the box, are not vulnerable to the Bash vulnerabilities CVE-2014-6271 and CVE-2014-7169.

Content

The CVE-2014-6271 and CVE-2014-7169 vulnerabilities (also called Shellshock) affect the Bash shell delivered with Unix platforms. Fixes for Bash come from the operating system vendor. IBM HTTP Server (IHS) does not ship any CGI scripts and is therefore not vulnerable as installed. However, if you have added CGI scripts to IHS, and those scripts or any executable they transitively call is interpreted by bash, then the system is affected and may be exposed to remote attack.

By default, mod_cgid/mod_cgi looks for CGIs in IHSROOT/cgi-bin/, which is shipped empty. Other directories can be enabled with ScriptAlias or the "ExecCGI" Options argument; these directives can appear in httpd.conf, in any Included file, or in an .htaccess file, so it is error prone to try to find all possible CGIs unless you are intimately familiar with the system.

REMEDIATION:

The initial fix for CVE-2014-6271 was incomplete; the remaining issue is tracked as CVE-2014-7169, and at this point a fix for it is not available from operating system vendors. Until it is available, we recommend that you disable all CGI and re-enable it only when a complete bash fix is installed, or once you have audited your scripts to ensure there is no transitive call interpreted by bash.

If you are vulnerable, IBM highly recommends that you upgrade bash from your operating system vendor. After bash has been upgraded, a longer-term investigation into whether you were running affected scripts is suggested.

We recommend upgrading your bash. If you cannot upgrade bash, the most direct way to prevent any kind of CGI from running is to ensure that none of the following modules is loaded: mod_cgid, mod_cgi, and mod_fastcgi.
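The two points above (CGI can be enabled from httpd.conf, any Included file, or .htaccess, and the quickest mitigation is to confirm that no CGI-capable module is loaded) both come down to walking the whole configuration tree. The script below is an added example, not IBM code and not part of this bulletin: it follows Include/IncludeOptional directives from a root httpd.conf and reports every uncommented line that loads mod_cgi, mod_cgid or mod_fastcgi, sets a ScriptAlias, turns on ExecCGI, maps a cgi-script handler, or grants an AllowOverride that would let an .htaccess file do any of those. The sample configuration it builds is constructed for the example. It assumes relative Include paths resolve against the directory of the root httpd.conf (a simplification of ServerRoot handling) and does not search the document tree for .htaccess files themselves.

```shell
#!/bin/sh
# Added example, not IBM-supplied code: enumerate every place an IHS (Apache httpd based)
# configuration tree can enable CGI execution, following Include/IncludeOptional.
# Assumptions (hypothetical, not from the bulletin): the root httpd.conf is given as $1;
# relative Include paths resolve against the directory holding that root file, a
# simplification of ServerRoot handling; .htaccess is covered only indirectly, by
# flagging AllowOverride settings that would let it turn on ExecCGI.

# Print every config file reachable from $1 via Include/IncludeOptional.
# $2 is the base directory for relative paths. A file included twice is printed
# twice; the caller deduplicates.
collect_config_files() {
    local root="$1" base="$2" inc f
    [ -f "$root" ] || return 0
    printf '%s\n' "$root"
    # Uncommented Include lines only; strip the directive keyword and any quotes.
    grep -iE '^[[:space:]]*Include(Optional)?[[:space:]]' "$root" \
      | sed -E 's/^[[:space:]]*[Ii]nclude([Oo]ptional)?[[:space:]]+//; s/"//g; s/[[:space:]]+$//' \
      | while IFS= read -r inc; do
            case "$inc" in /*) ;; *) inc="$base/$inc" ;; esac
            for f in $inc; do            # unquoted on purpose: expand the glob
                collect_config_files "$f" "$base"
            done
        done
}

# Directives that load a CGI-capable module or mark something as executable. Apache
# directives are case-insensitive, so the grep below uses -i. Every match is reported
# for human review, including "-ExecCGI" and broad AllowOverride settings.
CGI_PATTERNS='LoadModule[[:space:]]+(cgi|cgid|fastcgi)_module|ScriptAlias(Match)?[[:space:]]|Options[^#]*ExecCGI|(Add|Set)Handler[[:space:]]+cgi-script|AllowOverride[^#]*(Options|All)'

# Print "file:line:text" for every CGI-enabling directive in the tree rooted at $1.
audit_cgi_config() {
    local root="$1" base f
    base=$(dirname "$root")
    collect_config_files "$root" "$base" | sort -u | while IFS= read -r f; do
        # Drop comment lines before matching so "#LoadModule cgi_module" is not a hit.
        grep -nE '^[[:space:]]*[^#]' "$f" | grep -iE "$CGI_PATTERNS" | sed "s|^|$f:|"
    done
}

# Build a constructed sample config tree (not real IHS files) so the audit can be
# exercised offline; prints the path of its root httpd.conf.
make_sample_config() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    cat > "$dir/httpd.conf" <<'EOF'
ServerRoot "/opt/IBM/HTTPServer"
LoadModule cgid_module modules/mod_cgid.so
#LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/opt/IBM/HTTPServer/cgi-bin/"
<Directory "/opt/IBM/HTTPServer/htdocs">
    AllowOverride All
</Directory>
Include conf.d/*.conf
EOF
    cat > "$dir/conf.d/app.conf" <<'EOF'
<Directory "/opt/IBM/HTTPServer/htdocs/reports">
    Options +ExecCGI
    AddHandler cgi-script .cgi .sh
</Directory>
EOF
    printf '%s\n' "$dir/httpd.conf"
}

# Stand-alone use: audit the httpd.conf given on the command line, or the constructed
# sample when run without arguments. Any output means CGI can run somewhere.
if [ $# -gt 0 ]; then
    audit_cgi_config "$1"
else
    sample=$(make_sample_config)
    echo "No config given; auditing constructed sample $sample"
    audit_cgi_config "$sample"
fi
```

On the constructed sample this reports five lines: the cgid_module LoadModule, the ScriptAlias, the AllowOverride All that would let an .htaccess file enable ExecCGI, and the Options +ExecCGI and AddHandler cgi-script lines in the Included file; the commented-out mod_cgi LoadModule is correctly ignored. An empty report is necessary but not sufficient: it says the server cannot run CGI through these modules, not that a bash-interpreted script is absent elsewhere, so pair it with the script audit the bulletin asks for.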

Change History:

25 September 2014: original document published