Last Modified at 8:80AM CT, November 12, 2014
In reference to the Sept 25, 2014 disclosure of the GNU Bourne Again Shell (Bash) “ShellShock” vulnerabilities (CVE-2014-6271, CVE-2014-7169), BMC Software is currently investigating and assessing impact to our products and services as well as our own customer-facing portals.
BMC Software will communicate the results of our investigation and related remediation plans in this news article. Please bookmark this page, and check it periodically for the latest details. These vulnerabilities are known to currently affect only BMC products that embed the Linux operating system, so the overall breadth of exposure is considered to be minimal.
Please be aware that this bulletin will only track the BMC products that are affected by these vulnerabilities. This means that if a BMC product is not listed, then we have determined that it is not directly vulnerable to CVE-2014-6271 or CVE-2014-7169.
We have identified that the following BMC Products and Services are affected by the ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169):
| Product / Service | Affected | Status | Notes |
|---|---|---|---|
| ADDM | Yes | Fix Available | Please see this item in the BMC Communities for patches and installation instructions |
| BMC Remedy OnDemand (Service suite includes hosted instances of: BMC Footprints Asset Core) | Yes | Patching Complete | The following BMC Remedy OnDemand service offerings have completed the patching process and will be continuously monitored for any future variations: Commercial - US; Commercial - UK; Commercial - CA; Commercial - AUS; Public Sector - US; Public Sector - Federal |
| CLM Rapid Deployment Stack | Yes | Fix Available | The effect of the Shellshock vulnerability on the CLM RDS is described in this blog post. CLM Rapid Deployment Stack (RDS) v.4.1 has been updated to include a patched version of GNU bash. Existing deployments of the RDS must be patched manually by following the instructions in this article from Red Hat. |
| BMC Application Management Console; BMC Real End User Experience Hardware collector (1200 series); BMC Real End User Experience Monitoring; BMC TrueSight End User Collector (4200 Series); BMC TrueSight End User Monitor (all series) | Yes | Fix Available | Please see this knowledge article for download and installation instructions |
| BMC Middleware and Transaction Management | Yes | Fix Available | GNU bash is included in a Cygwin distribution that is used to collect files to help resolve support cases related to the BMC Middleware Management solutions. A patched version of Cygwin is included in Hotfix 7.0.00.150.1AE that is available for download on BMC Electronic Product Distribution. |
BMC products are frequently installed in environments that include infrastructure components and/or operating systems that embed the GNU Bourne Again Shell (Bash). Please check with the vendors of these components and operating systems to ensure they have been properly patched.