
 Usercomm Number: 2014 - 12
  Usercomm - BASH / ShellShock Vulnerability
Posted by Reserved:    
     
Affected Locations:
All Mainframe MVS and VM systems

Summary: Eliminate the use of unsupported versions of BASH shell in z/OS and z/VM.

Justification: Security alert

Benefits to Users: Minimize risk of vulnerability

Details:

z/OS and z/VM sites should review USS filesystems to determine whether any unsupported versions of the BASH shell have been installed, and either delete them or replace them with a supported version of the BASH shell.


SPECIFIC INFORMATION:
A security alert was recently published regarding the BASH / ShellShock vulnerability.

While z/OS and z/VM do not include and ship the BASH shell, it has recently come to our attention that customers may have installed an unsupported version of the BASH shell in their z/OS and z/VM environments. Various organizations, such as NIST, US-CERT, etc., have identified and reported security vulnerabilities in the BASH shell for all platforms. Installing the BASH shell may put your z/OS or z/VM system at risk.

Any customer that has installed BASH on their z/OS or z/VM systems should determine the origin and version of BASH and take immediate steps to minimize or eliminate its use until they are able to obtain a version of BASH that is not vulnerable. Customers can go to the GNU web site (http://www.gnu.org/software/bash/bash.html#downloading) for the latest source, or they can contact Rocket Software (http://www.rocketsoftware.com/rocket-ported-tools-zos) for a supported version of the BASH shell for z/OS. You should work with the vendors of the products for specific information on their products and when updates with fixes will be made available.

IBM suggests customers refrain from using unsupported versions of Open Source products, such as BASH, on their production systems. If open source tools are necessary, vigilance in monitoring risks and updating to current versions is critical.
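
One way to carry out the filesystem review described above, as an added example that is not part of the original communication or any vendor tooling: a POSIX `sh` script that finds files named `bash` under the roots you pass, reports owner and version string, and runs a harmless behavioural check for the ShellShock function-import flaw. The script name, output format, scan roots and the `probe` variable name are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory bash binaries on a
# z/OS UNIX (USS) or other POSIX filesystem. Written for /bin/sh so it
# does not depend on the shell being audited.

# First line of "<binary> --version", or "unknown" if it cannot be run.
bash_version() {
    v=$("$1" --version 2>/dev/null | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Behavioural check: a shell affected by ShellShock runs the text that
# follows a function definition in an environment variable. The trailing
# command here only prints a marker; env -i keeps the probe isolated.
imports_env_code() {
    out=$(env -i probe='() { :;}; echo IMPORTED' "$1" -c 'echo done' 2>/dev/null)
    case $out in
        *IMPORTED*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk each root and print one line per executable file named "bash":
#   status|path|owner|version
# Copies installed under another name (for example bash-4.2) are not matched.
scan_for_bash() {
    for root in "$@"; do
        find "$root" -type f -name bash 2>/dev/null
    done | while IFS= read -r path; do
        [ -x "$path" ] || continue
        if imports_env_code "$path"; then status=VULNERABLE; else status=ok; fi
        owner=$(ls -ld "$path" | awk '{print $3}')
        printf '%s|%s|%s|%s\n' "$status" "$path" "$owner" "$(bash_version "$path")"
    done
}

# Usage: sh find_bash.sh /usr /opt /u   (roots are site-specific assumptions)
if [ "$#" -gt 0 ]; then
    scan_for_bash "$@"
fi
```

A line marked `ok` only means the probe was not executed; the owner and version columns still need to be compared against what the supplying vendor lists as supported.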

Primary Contact: MVSRepositoryTeam@hp.com
 


Technical Contact: Ray Hand (by email) or phone: 469-808-4288