Third Light patch issued for Shellshock

On 24 September, US-CERT announced a high-profile vulnerability in the common Unix tool, Bash. This vulnerability is fixed in an important update issued for Third Light IMS.

As explained in the Vulnerability Summary for CVE-2014-7169, there is an important vulnerability in the Bash shell, which is in widespread use on Unix and Linux systems globally.

Third Light IMS is based on Linux and a copy of Bash is installed on Third Light IMS servers. A full patch for this vulnerability is available.

  • All systems hosted by Third Light are already protected and patched.
  • We urge all customers running IMS on a server not hosted by Third Light to upgrade to 6.1.2-5 as soon as possible.

Can Shellshock be used to compromise Third Light IMS?

Not at present. Even unpatched systems are not vulnerable to any known exploit. This is because, to date, none of the methods of exploiting the flaw in Bash apply to the way that Third Light IMS servers are configured. However, as awareness of this exploit increases, other vectors will emerge. We therefore consider it essential to apply the latest Third Light IMS update, and we urge all of our clients to apply the 6.1.2-5 update immediately.

I've applied IMS v6.1.2-3 (Release Candidate). Is this sufficient?

On 25 September there was no complete patch available for the Shellshock vulnerability. Vendors, including Third Light, issued updates containing a partial fix to mitigate the issues raised. v6.1.2-3 carries only the partial fixes. On 26 September we released IMS v6.1.2-5, which carries the full patch, and this is the update that all Third Light customers should apply.

I am using IMS v5 or a system with no support and maintenance. What should I do?

IMS v5 has been out of support since 2011 and will not be updated by Third Light, so you must arrange to upgrade to IMS v6. This update is free if you have support and maintenance in force. Please see our notes on V5 to V6 upgrades for more information.

If you do not have a support and maintenance contract in force, and your IMS server is built on Debian 6 (Squeeze) or Debian 7 (Wheezy), you can update your Third Light server manually by adding the Debian repositories for squeeze-lts or wheezy to your apt sources. Use the commands "apt-get update" followed by "apt-get install bash" to update your server.

If you do not have a support and maintenance contract in force and you are using Debian 5 (Lenny), you can compile an updated version of Bash, but it is recommended that you consider rebuilding your server to a later version of Debian.
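After a manual update by either route above, it is worth confirming that the Bash binary actually in use has changed. The script below is an added example, not Third Light tooling: it checks whether Bash still imports functions from ordinarily named environment variables, which is the parsing path Shellshock abuses. The function names and the `gr_probe` variable are hypothetical, and it assumes a hardened Bash behaves like current upstream Bash, which imports functions only from specially named variables.

```shell
#!/bin/sh
# Added example (not Third Light tooling): post-update check of a bash binary.
# Function names and the gr_probe variable are hypothetical.

# Version of the installed Debian bash package, or "unknown" without dpkg.
bash_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' bash 2>/dev/null || echo "unknown"
    else
        echo "unknown"
    fi
}

# Control: the shell can pass a function to a child through its own
# "export -f" mechanism. Fails if $1 is missing or is not really bash.
exports_functions() {
    "$1" -c 'gr_probe() { :; }; export -f gr_probe; exec "$0" -c "declare -F gr_probe"' \
        "$1" >/dev/null 2>&1
}

# Probe: does the shell turn an ordinarily named environment variable
# into a function? The body is a no-op; only the import is observed.
imports_plain_env_function() {
    env gr_probe='() { :; }' "$1" -c 'declare -F gr_probe' >/dev/null 2>&1
}

# Prints hardened | update-needed | unknown for the shell given as $1.
check_bash() {
    if ! exports_functions "$1"; then
        echo "unknown"          # control failed, so the probe proves nothing
    elif imports_plain_env_function "$1"; then
        echo "update-needed"    # function import is still unrestricted
    else
        echo "hardened"
    fi
}

echo "bash package: $(bash_package_version)"
echo "bash status:  $(check_bash "${1:-bash}")"
```

Pass the path of the shell to test as the first argument. A result of `update-needed` means that binary still has unrestricted function import, so the update has not taken effect for it.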

To acquire a support contract, contact [email protected]