Saw this post here. Logged into my Solaris server via ssh and tried patchadd 19689293 and it just says it cannot find the patch.

asked by Billy (edited by 200_success)
  • While you definitely need to update bash, many remote exploits depend on bash as `/bin/sh`, which has never been the default for any version of Solaris. Any service that actually calls `bash` somehow will still be vulnerable if it does not sanitize its environment. – Henk Langeveld Sep 27 '14 at 09:58

3 Answers

Have you downloaded the patches from MOS? If not, go search for and download both the prerequisite patch and the actual bash fix, then unzip them somewhere and do the following. This is for SPARC; use the others listed in the linked post for x86:

patchadd path/to/prereq/unzip/126546-05

Then do this:

patchadd path/to/fix/unzip/19689287

That's what I did on all my Solaris boxes this morning and it worked.

answered by Fegnoid (edited by Michael Hampton)
  • Is there a way to download the patches without having a support subscription? – Billy Sep 29 '14 at 05:57
  • Unfortunately no, you can try requesting the patches without having one. But they will probably say buy a subscription – Fegnoid Sep 29 '14 at 07:50

Latest word I have is that the patches are not yet available. This patch number should retrieve the patch when it is available.

RedHat has released a patch which partially resolves the problem. They will be releasing a full patch when it is available. Review their notes on Bash Code Injection Vulnerabilities.

In the meantime, evaluate your risk profile and take steps to reduce your risk.

EDIT: Ubuntu released the update and my servers were patched this morning. Patches for other platforms should also be available now.

This patch does not require a reboot or other outage, so be safe and patch now.

Review of my access log shows three probes for ShellShock, all of which looked like survey probes. One may have been malicious as it targeted a known vulnerable CGI script, but it used the same ping-home payload.

EDIT2: As per the comment, the patch is now available.

answered by BillThor (edited by Giacomo1968)
  • They are now; see https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169 – alanc Sep 27 '14 at 04:31

I downloaded for Solaris 10 SPARC: 126545-05 and p19689287 and unzipped the files, which in turn gave me 126546-05 and IDR151577-01. I then did patchadd /tmp/126546-05, then patchadd /tmp/IDR151577-01. To check, I ran the Red Hat test of: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Hope this helps someone.

answered by user245320 (edited by squillman)
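The answer above runs the Red Hat CVE-2014-6271 test by hand against one bash, and Henk Langeveld's comment on the question points out that on Solaris bash is not /bin/sh, so the thing to verify is every bash binary a service might actually invoke. The following POSIX sh script is an added example, not code from any of the answers or from Oracle: it wraps that same test in a function, runs it over a list of candidate bash paths, and separately reports whether /bin/sh is really bash. The paths in DEFAULT_BASH_CANDIDATES are assumptions about where bash may be installed; adjust them for your system.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 environment-function test from the
# answer above against several bash binaries and report the result.
# The candidate paths below are assumptions, not a definitive list.
DEFAULT_BASH_CANDIDATES="/bin/bash /usr/bin/bash /usr/local/bin/bash /usr/sfw/bin/bash"

# shellshock_test_bin BIN: prints "patched", "vulnerable" or "missing" and
# returns 0, 1 or 2 respectively.
shellshock_test_bin() {
    bin="$1"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # The variable holds a function definition followed by a trailing command;
    # an unpatched bash executes the trailing command while importing the
    # function at startup, so "vulnerable" appears in the output.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# sh_is_bash [SH]: prints "yes" if the given sh (default /bin/sh) is bash,
# "no" otherwise. BASH_VERSION is set only by bash itself.
sh_is_bash() {
    sh_bin="${1:-/bin/sh}"
    v=$("$sh_bin" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null)
    if [ -n "$v" ]; then echo "yes"; else echo "no"; fi
}

# shellshock_scan [BIN...]: tests each candidate (defaults above), prints a
# report, and returns 1 if any candidate is vulnerable, else 0.
shellshock_scan() {
    [ $# -gt 0 ] || set -- $DEFAULT_BASH_CANDIDATES
    worst=0
    for b in "$@"; do
        r=$(shellshock_test_bin "$b") || true
        printf '%-28s %s\n' "$b" "$r"
        if [ "$r" = "vulnerable" ]; then worst=1; fi
    done
    printf '%-28s %s\n' "/bin/sh is bash:" "$(sh_is_bash /bin/sh)"
    return $worst
}

# Scan the default candidates (or the paths given on the command line) when
# run directly. Set SHELLSHOCK_NO_AUTORUN=1 to only define the functions.
if [ -z "${SHELLSHOCK_NO_AUTORUN:-}" ]; then
    shellshock_scan "$@"
fi
```

A non-zero exit status means at least one bash on the list still imports and executes the trailing command, so the patch described in the accepted answer has not reached that binary; "missing" entries are simply paths that do not exist on the host. The /bin/sh line is informational: a "no" there is the normal Solaris case, and it means services that spawn /bin/sh are not reached by the bash fix, while any service that calls bash explicitly is.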