
ShellShock Vulnerable products

Hello

 

We have Cisco UCS blade servers B420 M3 serial : FCH1710J7JP

and the Fabric Interconnect : UCS-FI-6248UP

I need to know if those products are vulnerable to ShellShock

If they are vulnerable, which patch do I need to install?

 

2 Accepted Solutions


djlundberg
Level 5

Hi Konstantin-

Yep, your Fabric Interconnect is, and there is no patch released yet.

Here is the bug: https://tools.cisco.com/bugsearch/bug/CSCur01379

Workaround:
The access to the FI Management Address has to be in a protected domain to block potential exploitation of the vulnerability.

Here is a link to the Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

DJ


Just an FYI a fix has been released (2.2(3b))......
 
Fixes will be available in the following upcoming releases:
3.0(1d) ==> ETA week of 10/13
2.2(3b) ==> released 10/9
2.2(2e) ==> ETA week of 10/13
2.2(1f) ==> ETA week of 10/13
2.1(3f) ==> ETA will be announced shortly
2.0(5g) ==> ETA will be announced shortly

All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6278, and CVE-2014-6277, have been fixed.

The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
 


7 Replies


Do you know when the update is supposed to be released?

 

Hi Konstantin-

 

I do not.  Keep an eye on the bug that I referenced and it should be updated.

 

DJ

They expect to have an update in the week starting 10/13/14.


I have 2.2(1d)

I don't see that version on the list

Is this version fine, with no update needed?

 

All releases starting with the first release 1.0(1e) are vulnerable.

You have 2.2(1b) so you have to upgrade to 2.2(1f) or any other version above that such as 2.2(2e), 2.2(3b) or 3.0(1d).....
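
Added example, not part of the original thread and not Cisco code: a check of a UCS Manager release string against the fixed releases listed in this thread, done per maintenance train, because a plain "higher than 2.2(1f)" comparison would pass 2.2(2a), which predates the 2.2(2e) fix. The function names, the alphabetical ordering of patch letters and the "unknown" result for trains the thread does not list are assumptions of this example.

```python
import re

# First fixed build per maintenance train, taken from the list in this thread.
FIRST_FIXED = {
    (3, 0, 1): "d",
    (2, 2, 3): "b",
    (2, 2, 2): "e",
    (2, 2, 1): "f",
    (2, 1, 3): "f",
    (2, 0, 5): "g",
}

_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)([a-z])\)\s*$")


def parse_release(text):
    """Split a release string such as '2.2(1d)' into (2, 2, 1, 'd')."""
    m = _RELEASE.match(text)
    if not m:
        raise ValueError(f"not a UCS Manager release string: {text!r}")
    major, minor, maint, patch = m.groups()
    return int(major), int(minor), int(maint), patch


def shellshock_status(release):
    """Return 'fixed', 'vulnerable' or 'unknown' for one release string."""
    major, minor, maint, patch = parse_release(release)
    train = (major, minor, maint)
    if train in FIRST_FIXED:
        # Same train: assume patch letters are issued in alphabetical order.
        return "fixed" if patch >= FIRST_FIXED[train] else "vulnerable"
    branch = [t for t in FIRST_FIXED if t[:2] == (major, minor)]
    if branch and train < min(branch):
        return "vulnerable"  # older train of a listed branch, e.g. 2.1(2x)
    if (major, minor) < min(t[:2] for t in FIRST_FIXED):
        return "vulnerable"  # 1.x: every release since 1.0(1e) is affected
    return "unknown"  # assumption: trains not listed here need the advisory


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real system.
    for rel in ["2.2(1d)", "2.2(1f)", "2.2(2a)", "2.2(3b)", "1.0(1e)", "3.0(2a)"]:
        print(f"{rel:10} {shellshock_status(rel)}")
```

For a result of "unknown", check the security advisory linked above rather than assuming the build is fixed.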
 
