We would like to inform you about the impact of the current Shellshock vulnerability on our products.
The vulnerability in GNU Bash can NOT be remotely exploited in our products.
The vulnerability in the widely used GNU Bash, named Shellshock and first described in CVE-2014-6271, can be used to execute arbitrary commands. It can be exploited through insufficiently configured and protected remote interfaces, which significantly increases its criticality.
We analyzed our products for this vulnerability. We concluded that the vulnerability can NOT be exploited through external or network access to our products. The remote interfaces and services provided by LinOTP and the LSE Smart Virtual Appliance cannot be exploited. Our products do not allow external data to be executed directly in the GNU Bash shell.
GNU Bash is used in our LSE LinOTP Smart Virtual Appliance and LSE LinOTP Appliance A150. We already provide updated versions of GNU Bash that fix the known vulnerabilities, although they cannot be exploited.
As a precaution, we recommend that customers with native LinOTP installations update the relevant packages using the update mechanisms of their base distribution.
Updates to our products are distributed through the known mechanisms: the automatic update or the manual update functions.
If you have not activated the automatic update, you can update the LSE LinOTP Smart Virtual Appliance to the newest version of the appliance software and LinOTP using the instructions below.
(Please keep in mind that all installed packages will be updated to the newest available version. If you only want to update individual packages, please contact our support.)
1. Use SSH to log in to the LSE LinOTP Smart Virtual Appliance (user: root).
2. Execute the command appliance-update.sh.
If the automatic update was not activated before, you will also receive a kernel update. We therefore recommend rebooting the LSE Smart Virtual Appliance after the successful update.
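After the update (on the appliance or on a native installation), the installed Bash can be checked locally for CVE-2014-6271. The following is an added example, not part of this advisory or of the LinOTP tooling; the function names check_bash_6271 and report_bash_6271 and the marker string are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: local post-update check for CVE-2014-6271 (Shellshock).
# check_bash_6271 [path] returns:
#   0 = this bash does not execute code appended to an imported function
#   1 = this bash is vulnerable
#   2 = the given path is not an executable file

check_bash_6271() {
    bash_bin="${1:-/bin/bash}"
    [ -x "$bash_bin" ] || return 2

    # Start the shell under test with a clean environment that contains one
    # variable shaped like an exported function, followed by an extra command.
    # A vulnerable bash runs that extra command while importing the variable;
    # a fixed bash treats the value as plain data and prints only "done".
    out=$(env -i PATH="$PATH" probe='() { :;}; echo CVE_2014_6271_MARKER' \
          "$bash_bin" -c 'echo done' 2>/dev/null) || true

    case "$out" in
        *CVE_2014_6271_MARKER*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a one-line verdict for every bash binary given as an argument.
report_bash_6271() {
    for b in "$@"; do
        rc=0
        check_bash_6271 "$b" || rc=$?
        case "$rc" in
            0) echo "$b: not affected by CVE-2014-6271" ;;
            1) echo "$b: VULNERABLE to CVE-2014-6271, update the bash package" ;;
            2) echo "$b: not found or not executable" ;;
        esac
    done
}

report_bash_6271 /bin/bash
```

The check only covers the first Shellshock issue named above; it does not replace installing the updated packages.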
Please contact our support hotline (06151 86086 – 115 or firstname.lastname@example.org) if you have not activated the automatic update and are using an appliance version equal to or lower than 1.0. We are happy to help you with detailed update instructions in this case. The update is still easy to deploy, but requires switching out of the self-administration context.
The LinOTP Team