CA20141001-01: Security Notice for Bash Shellshock Vulnerability
Issued: October 01, 2014
Updated: February 17, 2015
CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 have been assigned to these vulnerabilities. These vulnerabilities could allow a local or remote attacker to utilize specially crafted input to execute arbitrary commands or code.
The CA Technologies Enterprise Information Security team has led a global effort to identify and remediate systems and products discovered with these vulnerabilities. We continue to patch our systems as fixes become available, and we are providing fixes for affected CA Technologies products.
CA Technologies continues to aggressively scan our environments (including servers, networks, external facing applications, and SaaS environments) to proactively monitor, identify, and remediate any vulnerability when necessary.
Android (not vulnerable, unless rooted)
Apple iOS (not vulnerable unless jailbroken)
Mac OS X
Windows (not vulnerable unless Cygwin or similar ported Linux tools with Bash shell are installed)
Other UNIX/BSD based systems if Bash is installed
Any other OS or JeOS that utilizes Bash
The following products have been identified as potentially vulnerable, and we have made fixes available for all of these products.
CA API Management (Linux appliance only)
CA Application Performance Management (TIM is the only affected APM component)
CA Application Performance Management Cloud Monitor
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)
CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management Portal)
CA Multi-Port Monitor (MTP) 2.2, 9.2, 10.0, 10.1
CA User Activity Reporting Module (Enterprise Log Manager)
CA Virtual Privilege Manager (formerly CMVE)
Note: This security notice will be updated if other CA Technologies products are determined to be vulnerable.
In most cases, the Bash vulnerabilities will need to be patched by OS vendors. Exceptions may include CA Technologies appliances, and software products that include Linux, UNIX or Mac OS X based operating systems (that include Bash).
IMPORTANT NOTE: This listing includes only a small subset of the unaffected CA Technologies products. We're including unaffected products that customers have already inquired about. While the following CA Technologies products are not directly affected by the Bash vulnerabilities, the underlying operating systems that CA Technologies software is installed on may be vulnerable. We strongly encourage our customers to follow the recommendations provided by their vendors for all operating systems they utilize.
All CA SaaS / On Demand products were either not vulnerable or have already been patched.
CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does not execute CGI scripts, or spawn or execute shell commands from within the app. AHS infrastructure already patched.
CA Asset Portfolio Management
CA Strong Authentication (Arcot WebFort)
CA Strong Authentication for Business Users
CA Strong Authentication for Consumers
CA Automation Point
CA AutoSys products - We use the bash shell that comes with the operating system and the customer is responsible for patching their OS. Additionally, the agents themselves do not distribute any scripts that use bash.
CA Clarity On Demand
CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or use it, but because we are deployed on RHEL, customers may be indirectly affected. Customers using RHEL should apply patches provided by Red Hat.
CA Console Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI.
CA Privileged Identity Manager
CA Data Protection (formerly CA DataMinder) products – Software and appliance confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH or Web apps are used in these agents. Customers should patch bash shell on any Linux server with DataMinder agents. DataMinder agents should continue to function normally.
CA Digital Payments SaaS (previously patched)
CA eCommerce SaaS / On Demand (previously patched)
CA Endevor Software Change Manager
CA Federation (formerly SiteMinder Federation)
CA Identity Governance
CA Identity Manager
CA Infrastructure Management
CA Job Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI.
CA NetQoS GigaStor Observer Expert
CA Network Flow Analysis
CA Unified Infrastructure Management
CA Unified Infrastructure Management Snap
CA Cloud Service Management
CA Performance Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI.
CA Risk Authentication
CA Service Desk Manager
CA Service Operations Insight (SOI)
CA Single Sign-On
CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes from your underlying operating system vendor.
CA Strong Authentication
CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI.
CA Top Secret
CA Transaction Manager (formerly PaymentMinder)
CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI.
CA Virtual Assurance for Infrastructure Managers (VAIM)
CA XCOM Data Transport
CA Technologies has issued the following fixes to address the vulnerabilities.
CA API Management:
Patches for Linux appliance are available through CA Support to customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0, 7.1, 8.0, 8.1, 8.1.1, 8.1.02).
CA Application Performance Management:
KB article for APM TIM has been published. APM TIM is the only part of APM that was affected. Refer to TEC618037.
CA Application Performance Management Cloud Monitor:
New images are available for subscribers. Download the latest OPMS version 220.127.116.11. For assistance, contact CA Support.
Use download server built into product to apply hotfixes hf9473 (2014-12-15), hf9472 (2014-11-14), and hf9470 (2014-11-03).
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):
Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do not use Bash at all for the CEM operating system that we have shipped in the past. This means that customers who patch the OS will not impact the ability of the CEM TIMsoft from operating. However prior to version 9.6, the TIM installation script does use the bash shell. See new KB article TEC618037 for additional information.
CA Layer 7 (API Gateway, Mobile Access Gateway and API Management Portal):
Fixes for all Bash vulnerabilities and a security bulletin are available on the Layer 7 Support website.
CA Multi-Port Monitor (MTP) 2.2, 9.2, 10.0, 10.1:
KB article and patch have been published. Refer to TEC618171.
CA User Activity Reporting Module (Enterprise Log Manager):
All 12.5 and 12.6 GA versions are potentially affected. Patches provided on 2014-09-30. To get the patch, use the OS update functionality to get the latest R12.6 SP1 subscription update. Note that you can update R12.5 SPx with the R12.6 SP1 OS update. For assistance, contact CA Support.
CA Virtual Privilege Manager (formerly CMVE):
Apply fix RO74454 to the Linux-based appliance.
To help mitigate the risk, we do strongly encourage all customers to follow patch management best practices, and in particular for operating systems affected by the Bash Shellshock vulnerabilities.
CVE-2014-6271 - Bash environment variable command injection
CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271
CVE-2014-7186 - Bash parser redir_stack memory corruption
CVE-2014-7187 - Bash nested flow control constructs off-by-one
CVE-2014-6277 - Bash untrusted pointer use uninitialized memory
CVE-2014-6278 - Bash environment variable command injection
v1.0: 2014-10-01, Initial Release
v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM, Clarity OD, All SaaS/OD products to list of Non-Affected Products.
v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated UARM solution info.
v1.3: 2014-10-06, Added Transaction Manager (PaymentMinder) to Non-Affected Products.
v1.4: 2014-10-06, Added Automation Point to Non-Affected Products.
v1.5: 2014-10-09, Added Virtual Privilege Manager (CMVE) to Affected Products, and added fix in Solution section. Added eHealth to Non-Affected Products.
v1.6: 2014-10-17, Removed Affected Components section, because we typically use that section only for CA-created Common Components. Listing of 3rd party components in this section has created some confusion for readers.
v1.7: 2014-10-20, Added XCOM Data Transport to list of Non-Affected Products. Added MTP to list of Affected Products and Solution sections.
v1.8: 2014-10-21, Added Nimsoft products to Non-Affected Products list.
v1.9: 2015-02-17, Added AppLogic hotfix information.
If additional information is required, please contact CA Technologies Support at https://support.ca.com.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at firstname.lastname@example.org.