The “Shellshock Bug” has been widely reported in the news recently. There is a security hole in the “bash” command-line shell command, available in most UNIX and Linux-based operating systems. Any product which invokes shell commands via “bash” is potentially vulnerable to this issue. UNIX and Linux OS vendors have by now made available patches that close this security hole.
Affected Software & Suggested Actions
After the emergence of the Shellshock bug, Informatica investigated potential exposure to our products. Although no Informatica products require patching or updating at this time, most Informatica products can issue shell commands through standard documented usage of those products.
The Informatica products which can make command-line calls via bash are listed here https://mysupport.informatica.com/infakb/faq/7/Pages/14/301574.aspx .If you are running any of the products on this list, you should apply your OS vendors’ bash patch immediately in order to ensure your environment is secure. Even if you are not running any of the products on this list, Informatica encourages you to consult with your OS vendor.
Frequently Asked Questions (FAQs) related to this advisory:
1: What is the “Shellshock Bug?”
“Bash” is a command-line execution utility that appears on many flavors of UNIX and Linux operating systems. Security issue CVE-2014-6271 allows remote hackers to execute arbitrary code on the host machine, and is popularly known as the “Shellshock Bug”.
Please refer to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 for further information.
2: What is the scope of this advisory?
This advisory is applicable to several Informatica products which invoke command line executables via bash. Please see the complete list at https://mysupport.informatica.com/infakb/faq/7/Pages/14/301574.aspx
3: Is there a workaround or patch available for this issue? How can I be notified of an available patch?
Patches for the bash utility are available from the respective operating system vendors and all customers are encouraged to contact those vendors directly.
4: Whom should I contact for additional questions?
For all questions related to this advisory, please contact your nearest
- Informatica Global Customer Support.