If you're running a Linux-based OTRS, especially one that's world/Internet facing, including the OTRS appliance, you are highly likely to be vulnerable to the ShellShock BASH vulnerability.
While this is beyond the usual scope of a forum like this, it is important and up to you that you apply security updates against your OTRS implementation, especially as it relates to the BASH vulnerability.
Some links that explain more about the vulnerability. I have no connection with these links.
http://www.troyhunt.com/2014/09/everyth ... about.html
http://apple.stackexchange.com/a/146851
Your package manager update process should seamlessly update against the vulnerabilities, which you should test yourself after updating. If your Linux distribution is not providing a new bash update, it's likely that your version is older than support exists for that version.
Please note that I cannot answer questions related to the vulnerability or how to address it on your particular system. I am merely reporting the issue.
Security ShellShock/BASH Vulnerability
Moderator: crythias
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: Security ShellShock/BASH Vulnerability
http://www.zdnet.com/shellshock-how-to- ... 000034072/
I want to clarify some things:
1) The OTRS implementation itself uses mod_perl by default. I haven't reviewed the code to see if bash is being used for other cgi-scripts.
2) The bash vulnerability has multiple vectors. Even if the OTRS and web implementation are *safe*, there are other ways the vulnerability can be exploited, most of which might be mitigated by not running services that could be affected.
3) This is a very old vulnerability, apparently affecting all versions of BASH prior to the current fix.
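For point 1 of the reply above (whether bash is used for other CGI scripts), one way to check is to list the scripts in a CGI directory whose interpreter line names bash, or names sh on a system where sh is bash. This is an added example, not part of the original posts or of OTRS; the directory argument and the function names `shebang_interp` and `find_shell_cgi` are assumptions, and the scan reads interpreter lines only, so scripts that spawn a shell indirectly are not covered.

```shell
#!/bin/sh
# Added example: audit a CGI directory for scripts started by bash.
# Function names and arguments are hypothetical; pass your own CGI path.

# Print the interpreter named on the "#!" line of file $1 (basename only).
# Returns 1 when the file has no interpreter line.
shebang_interp() (
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in '#!'*) ;; *) return 1 ;; esac
    set -f                                    # no globbing while splitting
    # Drop "#!" and any CR from CRLF files, then split into words.
    set -- $(printf '%s' "${first#??}" | tr -d '\r')
    [ $# -gt 0 ] || return 1
    interp=${1##*/}
    # "#!/usr/bin/env bash": the real interpreter is env's first argument.
    if [ "$interp" = env ] && [ $# -gt 1 ]; then interp=${2##*/}; fi
    printf '%s\n' "$interp"
)

# List files under directory $1 that are run by bash.
# $2 (optional) is the path to check for "sh"; it defaults to /bin/sh,
# which is a link to bash on some distributions and to dash on others.
find_shell_cgi() (
    dir=$1
    sh_real=$(readlink -f "${2:-/bin/sh}" 2>/dev/null) || sh_real=${2:-/bin/sh}
    find "$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
        interp=$(shebang_interp "$f") || continue
        case $interp in
            bash) printf 'bash %s\n' "$f" ;;
            sh)   [ "${sh_real##*/}" != bash ] || printf 'sh-is-bash %s\n' "$f" ;;
        esac
    done
)

# Run as: sh scan.sh /path/to/your/cgi-bin
[ $# -eq 0 ] || find_shell_cgi "$1"
```

An empty result means no script in that directory is started by bash directly; bash itself still needs the distribution's update, since the reply notes there are other vectors.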