IBM IHS And IBM WAS: Bash Vulnerability Update

The recently discovered Bash vulnerability (also known as Shellshock) affects Unix-based operating systems such as Linux and Mac OS X. In some non-default configurations, the vulnerability could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies in Bash (the Bourne-Again SHell), the command-line shell itself.
IBM recently issued a bulletin clarifying that its IBM HTTP Server (IHS) and WebSphere Application Server (WAS), as shipped out of the box, are not vulnerable to the Bash flaw. However, action is required to ensure that no vulnerable scripts have been added to IHS.
According to IBM, any Bash fixes for its products will come via the Unix distribution. IHS ships neither bash nor CGI scripts. IHS itself provides no bash-based functionality that could be tainted with user-supplied data, but several modules included with IHS could be vulnerable if they are configured to run bash-dependent scripts.
Users with scripts that have a direct or indirect bash dependency may be exposed to remote attack if those scripts are configured to be invoked by any of the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, mod_include or mod_ext_filter. In a default IHS installation:

  • By default, mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which is shipped empty), and can be configured to execute scripts from other directories via ScriptAlias or “Options” directives that include ExecCGI (including “Options All”).
  • mod_include is loaded but not configured to process any includes (which would require Options +Includes or XbitHack On).
  • mod_ext_filter is not loaded or configured
  • mod_fastcgi is not loaded or configured

Use of these modules or directives may occur in httpd.conf, in a configuration file pulled in via an “Include” directive, or in an .htaccess file. You can confirm the list of loaded modules by running apachectl -M (or httpd.exe -M) with any additional arguments (such as -f) that you normally use.
IBM highly recommends upgrading bash from your operating system vendor. If you cannot apply the fixes for bash, unload the following IBM HTTP Server modules until you can apply the bash fix or determine that the scripts these modules have been configured to execute do not use bash directly or indirectly: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter.
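As an added example (not IBM's tooling and not part of the bulletin), the following POSIX shell script applies the three checks described above to an IHS install: which of the named modules are loaded, which configuration lines turn on CGI or SSI processing, and which scripts in cgi-bin depend on bash. It assumes `apachectl -M` output and paths under $IHSROOT as input; the sample data it runs on is constructed inline.

```shell
# Module names as they appear in `apachectl -M` / `httpd.exe -M` output.
RISKY_MODULES="cgi_module cgid_module fastcgi_module include_module ext_filter_module"

# $1 = text of `apachectl -M` output; prints each risky module that is loaded.
loaded_risky_modules() {
  for m in $RISKY_MODULES; do
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$m[[:space:]]" && echo "$m"
  done
  return 0
}

# $@ = httpd.conf, Include'd files and .htaccess files; prints line:directive for
# every directive that enables CGI or SSI processing (ScriptAlias, Options with
# ExecCGI/Includes/All, XbitHack On). Deliberately broad: IncludesNOEXEC and
# "-ExecCGI" also match and should be reviewed by hand.
script_enabling_directives() {
  grep -niE '^[[:space:]]*(ScriptAlias(Match)?[[:space:]]|Options[[:space:]].*(ExecCGI|Includes|All)|XbitHack[[:space:]]+on)' "$@" 2>/dev/null || :
  return 0
}

# $1 = a directory of CGI scripts; prints scripts whose shebang runs bash, or sh
# (which on many systems is a link to bash, i.e. an indirect dependency).
bash_dependent_scripts() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    head -n 1 "$f" | grep -qE '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?(ba)?sh([[:space:]]|$)' && echo "$f"
  done
  return 0
}

# --- constructed sample data so the script runs offline (placeholder paths) ---
SAMPLE_MODS="Loaded Modules:
 core_module (static)
 cgid_module (shared)
 include_module (shared)"
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/cgi-bin"
printf 'ScriptAlias /cgi-bin/ "/opt/IHS/cgi-bin/"\nOptions FollowSymLinks\n<Directory "/opt/IHS/htdocs">\n  Options +Includes\n</Directory>\n' > "$SAMPLE_DIR/httpd.conf"
printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$SAMPLE_DIR/cgi-bin/env.cgi"
printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$SAMPLE_DIR/cgi-bin/hello.pl"

# On a real server, pass "$(apachectl -M 2>&1)" and the files under $IHSROOT instead.
loaded_risky_modules "$SAMPLE_MODS"
script_enabling_directives "$SAMPLE_DIR/httpd.conf"
bash_dependent_scripts "$SAMPLE_DIR/cgi-bin"
```

Any module the first check reports, combined with a hit from either of the other two, is the condition the bulletin says to act on: unload the module or confirm the script does not reach bash.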
Not sure if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].
(Photo by zodman under Creative Commons license.)