Bash "Shellshock" Vulnerabilities - CVE-2014-7169

PURPOSE

The purpose of this document is to list Oracle products that include the Bash program in their distribution, either directly or via inclusion of a component that includes Bash, and to document their current status with respect to the publicly disclosed vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278. For this document, these vulnerabilities will be referred to collectively as CVE-2014-7169.

Specifically, this document will list:  (1) Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes available from Oracle, (2) Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are currently available, (3) Oracle products that do not include Bash in their distribution,  (4) Oracle products still under investigation, which may be vulnerable to CVE-2014-7169, and (5) Status for Oracle Cloud.

Oracle has assessed the impact of vulnerability CVE-2014-7169 only against product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy.  Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle. When product versions for a given product are not specifically listed in this document, it implies all those versions for that product which are currently supported by Oracle.

DETAILS

Background

Vulnerabilities affecting Bash were publicly disclosed. The Oracle Global Product Security and Development teams are investigating the inclusion of Bash in Oracle products and will provide mitigation instructions when available for these affected Oracle products. For additional details, see the Oracle Security Alert for CVE-2014-7169.

Below is the list of affected products and mitigation instructions as of April 08, 2015 at 05:15 PM Pacific.

1.0 Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes currently available

Global Product Security has determined that the following 53 Oracle products have included in their distributions Bash versions that have been reported as vulnerable to CVE-2014-7169. Oracle has issued fixes for these products per the table below. Refer to the individual Patch Availability Documents for information regarding the specific CVEs addressed.

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Patch Availability Table
Affected Products Patch Availability
Brocade Fiber Channel Switches and Management [Product ID 9864] MOS note 1938542.1
Cisco MDS Fiber Channel Switches and Management [Product ID 9865] MOS note 1950697.1
Exadata Storage Server [Product ID 2546] MOS note 1938719.1
Exalogic [Product ID 9415] MOS note 1929881.1
Oracle Audit Vault and Database Firewall [Product ID 9749] MOS note 1931021.1
Oracle Big Data Appliance [Product ID 9734] MOS note 1930758.1
Oracle CloudNet Gateway [Product ID 11158] MOS note 1932955.1
Oracle Communications Application Orchestrator [Product ID 11189] MOS note 1938778.1
Oracle Communications Application Session Controller [Product ID 10769] MOS note 1938391.1
Oracle Communications Diameter Intelligence Hub [Product ID 11126] MOS note 1938466.1
Oracle Communications Diameter Signaling Router [Product ID 10899] MOS note 1938466.1
Oracle Communications EAGLE Application Processor [Product ID 11122] MOS note 1938747.1
Oracle Communications Eagle LNP Provision System [Product ID 11118] MOS note 1938315.1
Oracle Communications Enterprise Trunk Manager [Product ID 10760] MOS note 1938778.1
Oracle Communications Interactive Session Recorder [Product ID 10765] MOS note 1938846.1
Oracle Communications Local Service Management System [Product ID 11114] MOS note 1937477.1
Oracle Communications Performance Intelligence Center Software [Product ID 11044] MOS note 1937383.1
Oracle Communications Policy Management [Product ID 10900] MOS note 1940612.1
Oracle Communications Service Broker Engineered System [Product ID 9056] MOS note 1931058.1
Oracle Communications Session Element Manager [Product ID 11052] MOS note 1938778.1
Oracle Communications Session Monitor [Product ID 10761] MOS note 1932068.1
Oracle Communications Session Report Manager [Product ID 10770] MOS note 1938778.1
Oracle Communications Session Route Manager [Product ID 10771] MOS note 1938778.1
Oracle Communications Subscriber Data Management [Product ID 10901] MOS note 1939971.1
Oracle Communications WebRTC Session Controller [Product ID 10811] MOS note 1938391.1
Oracle Database Appliance 12.1.2, 2.X [Product ID 9435] MOS note 888888.1
Oracle Database Firewall [Product ID 8958] MOS note 1931004.1
Oracle E-Business Suite [Product ID 1745] MOS note 1934250.1
Oracle Exalytics [Product ID 9736] MOS note 1930588.1
Oracle Fabric Interconnect [Product ID 10529] MOS note 1935857.1
Oracle Fusion Applications Lifecycle Management Tools - Provisioning [Product ID 5643] MOS note 1942282.1
Oracle Integrated Lights Out Manager and dependent products (including SPARC, Sun Blade, and Intel Xeon systems/servers) [Product ID 9849] MOS note 1938100.1
Oracle Key Manager 3 [Product ID 10052] MOS note 1996960.1
Oracle Key Vault [Product ID 10221] MOS note 1931880.1
Oracle Linux 4, 5, 6, 7 [Product ID 1309] MOS note 1930120.1
Oracle Solaris Operating System 8, 9, 10,11 [Product ID 10006] MOS note 1930090.1
Oracle SuperCluster [Product ID 10011] MOS note 1930608.1
Oracle Switch ES1-24 [Product ID 9889] MOS note 1940232.1
Oracle VM 2.2, 3.0, 3.1, 3.2, 3.3 [Product ID 4455] MOS note 1929782.1
PeopleSoft Enterprise PeopleTools [Product ID 5085] MOS note 1930515.1
Pillar Axiom 600 Storage System 4, 5 [Product ID 9504] MOS note 1942744.1
Pillar Axiom Replication Engine [Product ID 9590] MOS note 1951372.1
SPARC - OPL Service Processor (XCP) (SP software for SPARC M10-1/M10-4/M10-4S servers) [Product ID 10656] MOS note 1934739.1
SPARC M-Series XCP Firmware (SP software for SPARC M3000/M4000/M5000/M8000/M9000 servers) [Product ID 9845] MOS note 1940692.1
Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889] MOS note 1940232.1
Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886] MOS note 1938451.1
Sun Network 10GE Switch 72p [Product ID 9889] MOS note 1940232.1
Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885] MOS note 1938457.1
Sun ZFS Storage Appliance Kit [Product ID 10026] MOS note 1941524.1
Tape Virtual - Virtual Library Extension [Product ID 10116] MOS note 1940299.1
Tape Virtual VSM6 - Virtual Tape SubSystem (VSM4 and VSM5 do not include Bash) [Product ID 10117] MOS note 1953487.1
Tekelec HLR Router [Product ID 11047] MOS note 1940005.1
Virtual Compute Appliance [Product ID 10635] MOS note 1930502.1

2.0 Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are yet available

No products remain in this category.

3.0 Products That Do Not Include Bash

Global Product Security has determined that the following 199 Oracle products do not include Bash in their initial distribution (i.e., “out of the box”) and should therefore not be subject to CVE-2014-7169. No further action is therefore expected for these products. Note that the surrounding technical environment deployed around these products should be checked for the presence of other components that may include Bash and therefore be affected by this vulnerability.

  • Acme Packet 3820 [Product ID 10736]
  • Acme Packet 4500 [Product ID 10747]
  • Application Performance Management (Real User Experience Insight) [Product ID 9572]
  • Automatic Service Request [Product ID 9042]
  • Enterprise Manager Cloud Control and Plugins [Product ID 9579]
  • Enterprise Manager Ops Center [Product ID 9835]
  • Glassfish Server [Product ID 8493]
  • Hyperion (all products) [Product ID many]
  • InfiniBand Embedded Management Software platform ind [Product ID 9876]
  • Infiniband Express Module [Product ID 9878]
  • InfiniBand Hardware [Product ID 9877]
  • Instantis Enterprise Track [Product ID 10563]
  • Java ME - Blu-ray and TV [Product ID 9319]
  • Java ME - Embedded [Product ID 9326]
  • Java ME - JavaCard [Product ID 9328]
  • Java ME - JSRs and Options [Product ID 9322]
  • Java ME - Mobile and Wireless [Product ID 9327]
  • Java ME - Special Projects [Product ID 9325]
  • Java ME - Specifications [Product ID 9324]
  • Java ME - TCKs [Product ID 9323]
  • Java SE [Product ID 856]
  • JDEdwards EnterpriseOne and JDEdwards World [Product ID 4585]
  • Legacy Sun InfiniBand switches [Product ID 9883]
  • Linear Tape File System Library Edition (LTFSLE) [Product ID 10259]
  • MySQL Cluster [Product ID 8479]
  • MySQL Connector/ODBC [Product ID 8576]
  • MySQL Enterprise Backup [Product ID 4629]
  • MySQL Enterprise Monitor [Product ID 8480]
  • MySQL Fabric [Product ID 11200]
  • MySQL Server [Product ID 8478]
  • MySQL Utilities [Product ID 11262]
  • MySQL Workbench [Product ID 4627]
  • Net-Net Diameter Director [Product ID 10756]
  • Netra High Availability Suite [Product ID 9999]
  • OC4J [Product ID 1270]
  • Oracle Access Manager [Product ID 5565]
  • Oracle Advanced Lights Out Manager [Product ID 9843]
  • Oracle API Gateway [Product ID 9195]
  • Oracle Application Access Controls Governor [Product ID 4527]
  • Oracle Application Express [Product ID 1348]
  • Oracle Application Object Library [Product ID 510]
  • Oracle Applications DBA [Product ID 166]
  • Oracle Business Intelligence Enterprise Edition [Product ID 2025]
  • Oracle Business Intelligence Standard Edition (Discoverer) [Product ID 964]
  • Oracle Business Process Management Suite [Product ID 5325]
  • Oracle Business Transaction Management [Product ID 8564]
  • Oracle Communications AIA PIPs (Integration Packs) [Product ID 4341-3,8390-92,5647,10671-2,10674]
  • Oracle Communications Application Management Pack [Product ID 10685]
  • Oracle Communications ASAP [Product ID 2260]
  • Oracle Communications Billing and Revenue Management [Product ID 2136]
  • Oracle Communications Border Gateway [Product ID 10751]
  • Oracle Communications BRM Elastic Charging Engine [Product ID 9742]
  • Oracle Communications Calendar Server [Product ID 8494]
  • Oracle Communications Configuration Management [Product ID 2268]
  • Oracle Communications Contacts Server [Product ID 10696]
  • Oracle Communications Converged Application Server [Product ID 5382]
  • Oracle Communications Convergence [Product ID 8501]
  • Oracle Communications Delegated Administrator [Product ID 8505]
  • Oracle Communications Design Studio [Product ID 2283]
  • Oracle Communications EAGLE [Product ID 10768]
  • Oracle Communications EAGLE Element Management System [Product ID 11125]
  • Oracle Communications EAGLE FTP Table Base Retrieval [Product ID 11116]
  • Oracle Communications Internet Name and Address Management [Product ID 2262]
  • Oracle Communications IP Service Activator [Product ID 2261]
  • Oracle Communications Messaging Server [Product ID 8496]
  • Oracle Communications Network Charging and Control [Product ID 4623]
  • Oracle Communications Network Integrity [Product ID 4491]
  • Oracle Communications Offline Mediation Controller [Product ID 2269]
  • Oracle Communications Order and Service Management [Product ID 2270]
  • Oracle Communications Pricing Design Center [Product ID 9437]
  • Oracle Communications Security Gateway [Product ID 10755]
  • Oracle Communications Session Border Controller [Product ID 10750]
  • Oracle Communications Session Director (NN9200) [Product ID None]
  • Oracle Communications Session Router [Product ID 10752]
  • Oracle Communications Subscriber-Aware Load Balancer [Product ID 10766]
  • Oracle Communications Tunneled Session Controller [Product ID 10759]
  • Oracle Communications Unified Inventory Management [Product ID 4516]
  • Oracle Configuration Manager [Product ID 1967]
  • Oracle Data Integrator [Product ID 2196]
  • Oracle Database [Product ID 5]
  • Oracle Database Migration Assistant for Unicode [Product ID 2550]
  • Oracle Directory Server Enterprise Edition [Product ID 8512]
  • Oracle Enterprise Communications Broker [Product ID 10758]
  • Oracle Enterprise Data Quality [Product ID 9464]
  • Oracle Enterprise Manager Database Control [Product ID 1366]
  • Oracle Enterprise Manager for MySQL Database [Product ID 11166]
  • Oracle Enterprise Manager for Storage Management [Product ID 10303]
  • Oracle Fabric Manager [Product ID 10477]
  • Oracle Financial Services Revenue Management & Billing [Product ID 5322]
  • Oracle Forms [Product ID 45]
  • Oracle Fusion Applications Lifecycle Management Tools - Patching/Upgrade [Product ID 5720]
  • Oracle Fusion Applications Lifecycle Management Tools - Utilities [Product ID 2358]
  • Oracle GoldenGate [Product ID 5757]
  • Oracle Health Insurance [Product ID 9374]
  • Oracle Health Insurance Claims [Product ID 10296]
  • Oracle Health Insurance Claims Management [Product ID 9307]
  • Oracle Health Insurance Claims Management Web Services [Product ID 9311]
  • Oracle Health Insurance Claims Pricing [Product ID 10295]
  • Oracle Health Insurance Commissions [Product ID 10557]
  • Oracle Health Insurance Disbursements and Collections [Product ID 9308]
  • Oracle Health Insurance Long Term Care [Product ID 9394]
  • Oracle Health Insurance Policy Administration [Product ID 9306]
  • Oracle Health Insurance Policy Administration Web Services [Product ID 9310]
  • Oracle HTTP Server [Product ID 1042]
  • Oracle Identity Analytics [Product ID 8522]
  • Oracle Identity Federation [Product ID 1741]
  • Oracle Identity Manager [Product ID 1980]
  • Oracle Identity Manager Connector [Product ID 1999]
  • Oracle Internet Directory [Product ID 355]
  • Oracle iPlanet Web Proxy Server [Product ID 8542]
  • Oracle iPlanet Web Server [Product ID 8543]
  • Oracle JDeveloper [Product ID 807]
  • Oracle Media Intellectual Property Management [Product ID 5783]
  • Oracle Mobile Security Suite [Product ID 10913]
  • Oracle OpenSSO and OpenSSO Web and J2EE Policy Agent [Product ID 8520]
  • Oracle Policy Automation [Product ID 5624]
  • Oracle QDR InfiniBand Adapter M3 [Product ID 10636]
  • Oracle Reports Developer [Product ID 159]
  • Oracle REST Data Services [Product ID 9456]
  • Oracle Retail Advanced Clustering [Product ID 10868]
  • Oracle Retail Advanced Inventory Planning [Product ID 1785]
  • Oracle Retail Allocation [Product ID 1786]
  • Oracle Retail Assortment and Space Optimization [Product ID 11090]
  • Oracle Retail Assortment Planning [Product ID 1788]
  • Oracle Retail Back Office [Product ID 2013]
  • Oracle Retail Category Management [Product ID 1787]
  • Oracle Retail Central Office [Product ID 2016]
  • Oracle Retail Demand Forecasting [Product ID 1800]
  • Oracle Retail Integration Bus [Product ID 1807]
  • Oracle Retail Item Planning [Product ID 1811]
  • Oracle Retail Merchandise Financial Planning [Product ID 1814]
  • Oracle Retail Modeling Engine [Product ID 10511]
  • Oracle Retail Point-of-Service [Product ID 2017]
  • Oracle Retail Predictive Application Server [Product ID 1823]
  • Oracle Retail Predictive Application Server Fusion Client [Product ID 1823]
  • Oracle Retail Regular Price Optimization [Product ID 4658]
  • Oracle Retail Replenishment Optimization [Product ID 1829]
  • Oracle Retail Returns Management [Product ID 2020]
  • Oracle Retail Size Profile Optimization [Product ID 4670]
  • Oracle Retail Warehouse Management System [Product ID 1847]
  • Oracle Secure Backup [Product ID 1522]
  • Oracle Secure Global Desktop 4, 5 [Product ID 8539]
  • Oracle Service Bus [Product ID 5308]
  • Oracle SOA Suite [Product ID 1162]
  • Oracle Solaris Cluster [Product ID 10005]
  • Oracle StorageTek Linear Tape File System (LTFS) [Product ID 10564]
  • Oracle Transportation Management [Product ID 1991]
  • Oracle Unified Directory [Product ID 9118]
  • Oracle Virtual Desktop Infrastructure 3.3 to 3.5 [Product ID 8540]
  • Oracle Virtual Directory [Product ID 1978]
  • Oracle VM VirtualBox [Product ID 8370]
  • Oracle Waveset [Product ID 8518]
  • Oracle Web Cache [Product ID 1059]
  • Oracle Web Service [Product ID 1271]
  • Oracle Webcenter Portal [Product ID 1696]
  • Oracle Weblogic Server [Product ID 5242]
  • Quad Gigabit Ethernet PCI-x NIC [Product ID 9890]
  • Service Delivery Platform [Product ID 2063]
  • Siebel CRM (all included products)
  • Sleipnir InfiniBand Switch [Product ID 9892]
  • Solaris Preflight Application Checker [Product ID 9992]
  • StorageTek T10000A Tape Drive [Product ID 10077]
  • StorageTek T10000B Tape Drive [Product ID 10078]
  • StorageTek T10000C Tape Drive [Product ID 10079]
  • StorageTek T10000D Tape Drive [Product ID 10080]
  • StorageTek Tape Analytics [Product ID 10085]
  • StorageTek VM Client [Product ID 9293]
  • Sun DCS 684 QDR switch 4X port [Product ID 9895]
  • Sun Java Composite Application Platform Suites (CAPS) [Product ID 8528]
  • Sun QFS and Storage Archive Manager [Product ID 10021]
  • Sun Ray Operating Software (SROS) [Product ID 9211]
  • Sun Ray Software 5.x [Product ID 8242]
  • Sun Schema Runtime Environment (SRE) [Product ID 8532]
  • Sun Storage 25x0-M2 Array [Product ID 10053]
  • Sun Storage 5xx0 NAS [Product ID 10054]
  • Sun Storage 6180 Array [Product ID 10055]
  • Sun Storage 6540 Array [Product ID 10056]
  • Sun Storage 6x80 Array [Product ID 10057]
  • Sun Storage Common Array Manager [Product ID 10024]
  • Sun StorageTek 2500 Array [Product ID 10066]
  • Sun StorageTek 6140 Array [Product ID 10067]
  • Sun StorageTek Client System Component for MVS [Product ID 10098]
  • Sun StorageTek Enterprise Library Software [Product ID 10098]
  • Sun StorageTek Expert Library Manager [Product ID 10111]
  • Sun StorageTek Expert Performance Reporter (ExPR) [Product ID 10082]
  • Sun StorageTek Ext Hi Perf Data Mover (ExHPDM) [Product ID 10110]
  • Sun StorageTek Host Software Component (HSC) [Product ID 10098]
  • Sun StorageTek HTTP Server [Product ID 10112]
  • Sun StorageTek Library Station Software [Product ID 10098]
  • Sun StorageTek Lifecycle Director [Product ID 10113]
  • Sun StorageTek Storage Management Component [Product ID 10098]
  • Sun StorageTek Tape Library ACSLS [Product ID 10088]
  • Sun StorageTek Virtual Storage Manager (VSM) GUI [Product ID 10118]
  • Sun StorageTek Virtual Tape Control Software [Product ID 10119]
  • Tape General LTFS LE - Linear Tape File System Library Edition [Product ID 10084]
  • Tape Libraries L1400, L700, L180 [Product ID 10097]
  • Tape Libraries SL3000, SL500, SL150, SL24/SL48 (OEM from HP), SL8500, IBM LTO, HP LTO
  • Tape Virtual CDRT - Concurrent Disaster Recovery Test [Product ID 10109]
  • WebCenter Content [Product ID 2271]

4.0 Products under investigation for inclusion of Bash

Global Product Security is not investigating any additional products for inclusion of Bash to determine if they might be subject to CVE-2014-7169.

5.0 Oracle Cloud

Oracle is aware of vulnerability CVE-2014-7169 (and all related Bash vulnerabilities which have been publicly disclosed). Oracle is investigating these issues and continues to provide fixes for affected products and services as soon as these fixes have been fully tested and determined to provide effective mitigation.

Oracle Cloud teams are currently implementing relevant patches when they become available and in accordance with applicable change management processes.

For More Information:

  • Oracle Managed Cloud Services (OMCS) Customers should contact their Service Delivery Manager (SDM). CRMOD customers should request status via SR.
  • Oracle Cloud for Industry (OCI) and Micros Cloud Customers should contact gbu-risk-compliance-resp_ww@oracle.com.
  • Oracle Public Cloud (OPC) Customers should submit a Service Request within their designated support system to request an update which is specific to the services they've purchased.