Addressing Shellshock Vulnerability using BSA!

Version 6

    (Technical Post: Finding and Patching Shellshock (Bash vulnerability) audits with BSA, ADDM)

    (Max's How-to, step by step: Checking Shellshock and Aftershock status on Linux)


    Update on 30th Sept 2014 -

    This posting now addresses both CVE-2014-6271 and CVE-2014-7169.

    Added a zip file containing the CT for CentOS.


    Attachment - "CVE-2014-6271" Compliance Template (zip file).

    Attention! The attached template contains both the rules and the remediation logic, and works on the RHEL versions listed in the table below. It can easily be customized for other Linux variants.

    (1) Rules Checked -

    The "CVE-2014-6271" Compliance Template performs the following OS checks on the targets/hosts.

    1. Check that the installed bash package is at or after the version listed in the table below, AND
    2. Run $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" and check whether the output contains "vulnerable", AND
    3. Check the bash changelog for mentions of CVE-2014-6271 and CVE-2014-7169.

    Note: Ideally any one of these checks (1 or 3, say) would be sufficient on its own, but the template performs all of them. Keep in mind that the env test in check 2 only detects the original bug, CVE-2014-6271: a host that received the first fix but not the follow-up fix for CVE-2014-7169 will pass it, which is why check 3 also looks for CVE-2014-7169 in the changelog.

    Table - bash packages that the remediation logic installs to fix the CVE-2014-6271 vulnerability, per Red Hat's recommendation.


    Product/Channel                 Fixed in package
    Red Hat Enterprise Linux 7      bash-4.2.45-5.el7_0.2
    Red Hat Enterprise Linux 6      bash-4.1.2-15.el6_5.1
    Red Hat Enterprise Linux 5      bash-3.2-33.el5.1
    Red Hat Enterprise Linux 4      bash-3.0-27.el4.2
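    The three checks above can also be run by hand, outside BSA, on a single host. The script below is an added example written for this page; it is not the template's own rule logic and does not remediate anything. It assumes rpm(8) is available on real targets, takes the fixed-in versions from the table above, and compares versions by numeric segments only (a simplification of rpm ordering that is adequate within one RHEL major). It also includes the separate CVE-2014-7169 test, because the env test in check 2 does not detect that bug; the sample changelog text is constructed, not real rpm output.

```shell
#!/bin/sh
# Added example: stand-alone version of the template's three checks for a RHEL-family host.
# Not the template's own logic. Assumptions: rpm(8) on real targets; fixed-in versions per
# the table on this page; numeric-segment version ordering (not full rpm EVR ordering).

# Returns 0 if version-release $1 is the same as or later than $2.
# Simplification (assumption): only digit runs are compared, so "15.el6_5.1" reads as 15,6,5,1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Turn an NVRA such as bash-4.1.2-15.el6_5.1.x86_64 (output of `rpm -q bash`) into 4.1.2-15.el6_5.1.
bash_nvra_to_vr() {
    vr=${1#bash-}
    case "$vr" in
        *.x86_64|*.i386|*.i686|*.ppc64|*.s390x|*.aarch64|*.noarch) vr=${vr%.*} ;;
    esac
    printf '%s\n' "$vr"
}

# Fixed-in version-release from the table above, selected by the dist tag of the installed package.
fixed_vr_for() {
    case "$1" in
        *.el7*) printf '%s\n' "4.2.45-5.el7_0.2" ;;
        *.el6*) printf '%s\n' "4.1.2-15.el6_5.1" ;;
        *.el5*) printf '%s\n' "3.2-33.el5.1" ;;
        *.el4*) printf '%s\n' "3.0-27.el4.2" ;;
        *) return 1 ;;    # dist tag not covered by the table
    esac
}

# Check 1: $1 = installed NVRA. Returns 0 if at/after the fixed version, 1 if older, 2 if unknown dist.
bash_package_fixed() {
    vr=$(bash_nvra_to_vr "$1")
    want=$(fixed_vr_for "$vr") || return 2
    version_ge "$vr" "$want"
}

# Check 2 (CVE-2014-6271): returns 0 if the bash on PATH imports the function and runs the trailing command.
bash_vulnerable_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1 || true)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Companion test for CVE-2014-7169, which check 2 does not catch: a vulnerable bash turns the
# trailing '>\' into a redirection and writes the output of `date` to a file named "echo".
bash_vulnerable_7169() {
    dir=$(mktemp -d) || return 1
    if (cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 || true; [ -f "$dir/echo" ]); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Check 3: $1 = changelog text (from `rpm -q --changelog bash`), $2 = CVE id.
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Constructed sample changelog (not real rpm output): a host that received only the first erratum.
SAMPLE_CHANGELOG='* Wed Sep 24 2014 Example Maintainer <maint@example.com> - 4.1.2-15.el6_5.1
- Fix for CVE-2014-6271
* Mon Aug 11 2014 Example Maintainer <maint@example.com> - 4.1.2-15.el6_5
- Earlier unrelated fix'

# Live run of all checks against this host (needs rpm and bash); reports only, never remediates.
run_live_checks() {
    pkg=$(rpm -q bash 2>/dev/null) || { echo "check 1: rpm query failed (not an RPM-based host?)"; return 2; }
    if bash_package_fixed "$pkg"; then echo "check 1: $pkg is at/after the fixed version"
    else echo "check 1: $pkg is older than the fixed version, or its dist tag is not in the table"; fi
    if bash_vulnerable_6271; then echo "check 2: VULNERABLE to CVE-2014-6271"; else echo "check 2: not vulnerable to CVE-2014-6271"; fi
    if bash_vulnerable_7169; then echo "check 2b: VULNERABLE to CVE-2014-7169"; else echo "check 2b: not vulnerable to CVE-2014-7169"; fi
    log=$(rpm -q --changelog bash 2>/dev/null)
    for cve in CVE-2014-6271 CVE-2014-7169; do
        if changelog_mentions "$log" "$cve"; then echo "check 3: changelog mentions $cve"; else echo "check 3: changelog does NOT mention $cve"; fi
    done
}

if [ "${1-}" = "--live" ]; then
    run_live_checks
fi
```

    Run it as `sh shellshock-check.sh --live` on a target to get a report for all three checks; the functions can also be sourced and reused individually, which is how the constructed inputs above exercise them without touching the host's package database.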

    (2) Remediation Logic -


    Attention! This CT's remediation logic is safe: it applies only the required/authorized bash packages listed in the table above, per Red Hat's recommendation.

    (3) Standard BSA steps an admin should follow

    1. Copy this template to your local drive, e.g. c:/temp.
    2. In the RCP console, right-click Component Template and choose Import.
    3. Select Import (use the version-neutral method).
    4. A template named CVE-2014-6271 will be created under the folder CVE-2014-6271.
    5. Create and run a Discovery Job for the targets of your choice (RHEL only).*
    6. Create and run a Compliance Job using this template.*
    7. The Job Results view will show the non-compliant servers.
    8. Run the remediation job by right-clicking the root (template) node in the Job Results view.
    9. Wait for the remediation job to finish.
    10. Run the Compliance Job again (rescan).
    11. Your targets should now be free of the bash vulnerability.

    * The jobs in steps 5 and 6 are not part of the template; the user must create and run them.



    (4) Steps for customizing the Compliance Template for other Linux OSes


    Note: This CT is written for RHEL only, but it can serve as a starting point for developing one for another OS.


    1. Open the template.
    2. Select the Compliance tab.
    3. Select the folder Check Bash Version.
    4. Open the rule.
    5. Edit it to point to your OS, say CentOS.
    6. Edit the BLPackage remediation on the rule's third tab to point to the correct bash package for that OS.
    7. You are all set.


    (5) Screenshot explaining customization for a different OS using the attached Compliance Template

    [Screenshot: Customizing the template for other OS.jpg]

    Special thanks to Siddharth Burle and his manager (Amit Rathi) for working on this to make it available late on a Friday evening!