Tuesday, September 30, 2014

ShellShock – UNIX/Linux systems bash vulnerabilities, is SAP affected?

Earlier this year we all experienced a bug in OpenSSL called Heartbleed. It seems there are never enough security issues around, and last week ShellShock appeared. ShellShock is a set of vulnerabilities (CVE-2014-6271 and CVE-2014-7169) in bash (GNU Bourne-Again Shell), the UNIX/Linux shell. Bash is a command-line shell used in many UNIX/Linux/Mac OS based operating systems. The flaw can potentially allow an attacker to execute shell commands. This can be achieved by attaching malicious code to environment variables used by the OS. To fix this, a patch needs to be applied for the specific OS. The vendor of the particular OS needs to provide the patch, and customers have to apply it.

For SAP as an application running on an affected OS, the situation is as follows. As SAP has standardized its OS scripts on C Shell, there should be no issue. However, there might be customer scripts that are still bash-based. Therefore careful and thorough checks are advised.
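The check for customer scripts that are still bash-based could start with an inventory like the one below. This is an added example, not code from the original post or from SAP; the function names and the `SH_PATH` variable are assumptions, and it goes beyond the text by also flagging `#!/bin/sh` scripts on hosts where `sh` is a symlink to bash.

```shell
#!/bin/sh
# Added example: list scripts under a directory that run under bash.
# SH_PATH (default /bin/sh) is a hypothetical override used for testing.

# Return 0 if "sh" resolves to bash via symlink (common on Linux).
# A hard-linked or copied bash installed as sh is not detected here.
sh_is_bash() {
    target=$(readlink -f "${SH_PATH:-/bin/sh}" 2>/dev/null) || return 1
    case "$target" in
        */bash) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print "bash", "sh" or "other" based on the file's interpreter line.
script_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case "$first" in
        '#!'*/bash|'#!'*/bash' '*|'#!'*'env bash'|'#!'*'env bash '*)
            echo bash ;;
        '#!'*/sh|'#!'*/sh' '*|'#!'*'env sh'|'#!'*'env sh '*)
            echo sh ;;
        *)
            echo other ;;
    esac
}

# Walk a directory and report every file that would be run by bash.
# Output: "<reason><TAB><path>", reason is "bash" or "sh->bash".
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case $(script_interpreter "$f") in
            bash) printf 'bash\t%s\n' "$f" ;;
            sh)   if sh_is_bash; then printf 'sh->bash\t%s\n' "$f"; fi ;;
        esac
    done
}

# Stand-alone use: pass the directory holding the customer scripts.
if [ $# -gt 0 ]; then
    find_bash_scripts "$1"
fi
```

C shell scripts are reported as "other" by the interpreter line alone; a script that calls bash internally still needs a manual look.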

In any case, SAP is still investigating what influence this vulnerability may have on its software. Therefore keep an eye on the SAP Note below to receive up-to-date information from SAP about the issue.

More information:

2072994 - "ShellShock" vulnerability (CVE-2014-6271)
