Axway SecureTransport ShellShock Vulnerability Patches

Document version: 7 October 2014

This readme applies to SecureTransport 4.9.2 SP2, 5.1 SP3, 5.2.1 SP4. This patch installs and operates on the following platforms and installation types only:

Platforms: Windows
Installation type: SecureTransport Server and Edge
Database:All databases
Cluster type: All cluster types

The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

File Package: bash.exe

MD5 checksum: 67a916d172d241566e2a41360b662fa8

Size: 610304

Corrections
Updating to Bash 3.2.57
Removing Bash 3.2.57
Contacting Axway Global Support

Corrections

Bash 3.2.57 provides the following corrections and enhancements:

CVE Identifiers	Internal ID	Description
Initial report CVE-2014-6271	134071,134072	The original form of the vulnerability involved a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function. The bug was corrected with a patch to the program. However, after the release of the patch there were subsequent reports of different, yet related vulnerabilities.
CVE-2014-6277	134071,134072	This relates to the parsing of function definitions in environment variables by Bash and causes a segfault.
CVE-2014-6278	134071,134072	This relates to the parsing of function definitions in environment variables by Bash.
CVE-2014-7169	134071,134072	This relates to the parsing of function definitions in environment variables by Bash.
CVE-2014-7186	134071,134072	This relates to an out-of-bounds memory access error in the Bash parser code.
CVE-2014-7187	134071,134072	This relates to an off-by-one error, allowing out-of-bounds memory access, in the Bash parser code.

Top

Updating SecureTransport application to Bash 3.2.57

In a streaming environment, stop all of the protocol servers and services on all of the SecureTransport Edge servers before you start applying the patch. Update the SecureTransport Server first and then update of the SecureTransport Edge servers.

In a cluster environment, apply the patch to the nodes one at a time. Stop all of the protocol servers and services on a node before you start applying the patch. After a node is upgraded, start all SecureTransport services and proceed with the upgrade of the next node in the cluster.

For UNIX-based platforms and Axway Appliances

This patch applies for Windows platform only.

For Microsoft Windows using console mode

To update SecureTransport application to Bash 3.2.57 on Windows, follow the steps below where:

<FILEDRIVEHOME> represents the directory where SecureTransport is installed
Make sure that you have full backup of your SecureTransport installation.
To back up your preceding SecureTransport installation, follow the backup procedure in SecureTransport 5.2.1 Installation Guide.
Stop all SecureTransport services using the <FILEDRIVEHOME>\bin\stop_all command.
Verify there are no running SecureTransport processes and there are no files in the <FILEDRIVEHOME>\var\run\ directory.
Make sure the Cygwin console and all Cygwin tools, including the Cygwin cron service, are closed. Check the Users tab in the Windows Task Manager to make sure no one else is using Cygwin. If necessary, close the Cygwin console and tools manually.
After completing the above steps download the new bash.exe and verify its MD5 sum. Overwrite the current bash.exe under <FILEDRIVEHOME>\cygwin\bin with the new one.
When completed, start all SecureTransport services using the <FILEDRIVEHOME>\bin\start_all command.

Top

Removing Bash 3.2.57

For Microsoft Windows

To remove Bash 3.2.57 on Windows, follow the steps below where:

<FILEDRIVEHOME> represents the directory where SecureTransport is installed
Stop all SecureTransport services using the <FILEDRIVEHOME>\bin\stop_all command.
Verify there are no running SecureTransport processes and there are no files in the <FILEDRIVEHOME>\var\run\ directory.
Make sure the Cygwin console and all Cygwin tools, including the Cygwin cron service, are closed. Check the Users tab in the Windows Task Manager to make sure no one else is using Cygwin. If necessary, close the Cygwin console and tools manually.
Navigate to the backup taken and extract the <FILEDRIVEHOME>\cygwin\bin\bash.exe file. Overwrite the current bash.exe with the one restored from the backup.

Top

Contacting Axway Global Support

For further information or assistance with this Patch, contact Axway Global Support.

Online: Axway Sphere at support.axway.com
Email: support@axway.com
Phone: Go to Axway Sphere at support.axway.com. Click the Contact Axway Support link to display our list of regional support contact phone numbers, and then locate the phone number appropriate for your location.

Top