SUSE SLE vulnerability with GNU Bash Remote Code Execution (aka ShellShock)
This document (7015702) is provided subject to the disclaimer at the end of this document.
- SUSE Linux Enterprise Server 11 SP2 LTSS
- SUSE Linux Enterprise Server 11 SP1 LTSS
- SUSE Linux Enterprise Server 10 SP4 LTSS
- SUSE Linux Enterprise Server 10 SP3 LTSS
- SUSE Linux Enterprise Software Development Kit 11 SP3
- SUSE Linux Enterprise Desktop 11 SP3
- SUSE Linux Enterprise Server 11 SP3
- SUSE Linux Enterprise Server 11 SP3 for VMware
- SLES Expanded Support platform release 6.5
- SLES Expanded Support platform release 5.10
1. Updating your entire system with the latest system updates:
To make sure that you have the patches relative to these issues, update the complete system to the latest patch level (preferred option) by running the following commands from a terminal, after verifying that you have your patch channels configured:
- zypper ref -s
- zypper up
SUSE recommends that you always apply updates and consider running
the latest version.
You can verify your current version by typing at a command prompt:
For more information on how to upgrade can be found in TID 7012368.
2. Apply only the latest bash patches
If you prefer to update only the bash patches, use the following commands:
- zypper ref -s
- zypper up bash
3. Updating an Expanded Support Platform
In case of SLES Expanded Support platform:
- yum update
4. Applying CVE related fixes if you don't have LTSS maintenance:
Due to the nature of this issue, it was decided that patches would be
made available to active subscription customers who don't have an LTSS
agreement and are on SLES10SPx and SLES11SP1/SP2. Some patches have already been released on (details below): https://download.suse.com/patch/finder/
If you can not find the downloads for your OS version please contact Customer Support.
Note: On Patchfinder you need to select the LTSS equivalent of your product. For example if you are on SLES 10 SP3, you will need to search under SLES 10 SP3 LTSS to find the patch. Your current SLES entitlement will allow access to these files.
All downloads are available HERE.
Access to LTSS repositories requires additional subscriptions not covered by general maintenance.
Refer to TID 7011670 for further help on how to add LTSS repositories once a subscription as been acquired
If you would like to know how to purchase LTSS should you need to remain on an old version, you can contact sales. Please find information on the LTSS Program at https://www.suse.com/support/programs/long-term-service-pack-support.html
Further information regarding these security issues can be found here:
Please note that the exploit test of CVE-2014-6277 mentioned on "shellshocker.net" is NOT valid for SLES systems that have been patched. The segmentation fault is certainly not nice, but note that the function was defined in the shell itself, not passed via an environment variable. Bugs in the evaluation code are not mitigated by the hardening patch, but they no longer have the potential to be abused.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7015702
- Creation Date:26-SEP-14
- Modified Date:09-OCT-14
- SUSESUSE Linux Enterprise DesktopSUSE Linux Enterprise ServerSUSE Linux Enterprise Software Development Kit