Expensive solutions listed as vulnerable at the moment

Sep 27, 2014 08:58 GMT

Dubbed Shellshock, the GNU Bash bug currently affects a total of 35 Oracle products, but only 3 of them have received patches so far, leaving the other 32 exposed to attacks.

The severity of the flaw, which has been present for more than 20 years in Bash, the default command-line shell on most Linux systems, is rated very high. On top of this, there are reports that the bug is being actively exploited in the wild.

Shellshock can be exploited remotely and without authentication. Bash treats any environment variable whose value begins with `() {` as a function definition, and vulnerable versions keep parsing past the end of the function body and execute whatever commands follow it. Any application that hands attacker-controlled data to Bash through environment variables, such as a web server passing request headers to a CGI script, therefore lets the attacker run arbitrary code on the affected system.
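The mechanism described above, as an added example that is not part of the article and not Oracle's own tooling: a POSIX sh script with a probe that reports whether the `bash` on PATH still executes commands trailing a function definition in an environment variable, plus a small imitation of the CGI path (request header copied into `HTTP_USER_AGENT`, then a Bash handler is run). The `bash` binary on PATH and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article or from Oracle. Assumes a `bash`
# binary on PATH (pass another path as the first argument to test a
# specific build, e.g. one shipped inside an appliance image).

# shellshock_status: print "vulnerable", "patched" or "no-bash".
# Bash imported any environment variable whose value begins with "() {" as
# a function definition; the bug (CVE-2014-6271) was that it kept parsing
# after the closing brace and executed whatever followed. The probe puts a
# harmless command after the brace and checks whether it ran.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Only "probe" should be printed; "vulnerable" appears only when Bash
    # executes the command that trails the function body.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# run_as_cgi: mimic how an application hands untrusted input to Bash.
# A CGI gateway copies request headers into environment variables
# (User-Agent becomes HTTP_USER_AGENT) before running the handler, so an
# unauthenticated client controls the variable's value. The handler here
# only echoes the header; nothing in it asks for "pwned" to be printed.
run_as_cgi() {
    user_agent="$1"
    bash_bin="${2:-bash}"
    HTTP_USER_AGENT="$user_agent" "$bash_bin" -c 'printf "UA=%s\n" "$HTTP_USER_AGENT"' 2>/dev/null
}

# Demonstration when the script is run directly. On a patched Bash the
# second command prints a single line containing the literal header text;
# on a vulnerable one an extra "pwned" line appears before it.
echo "bash status: $(shellshock_status || true)"
run_as_cgi '() { :;}; echo pwned' || true
```

The probe is the same shape as the widely circulated one-liner, wrapped so its result can be consumed by scripts: run it against every Bash binary an appliance ships, not only `/bin/bash`, since bundled copies are exactly what leaves products like the ones in Oracle's table exposed after the OS package is updated. The CGI imitation shows why the fix belongs in Bash and not in the caller: the handler script is entirely benign, and the only attacker influence is the header value.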

“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” a security advisory from the company says.

No date is given for the release of patches for the affected products, and there is no mention of notifying customers once a fix becomes available, which means that customers have to monitor the Patch Availability Table themselves to learn about updates.

Among the products still vulnerable to Shellshock are systems costing thousands of dollars, such as SPARC SuperCluster or Exalogic.

The three products that already have a fix are Exadata, Oracle Linux (versions 4 through 7) and Oracle Solaris (versions 8 through 11).