Sysadm:Vulnerability Patches
The purpose of this page is to record vulnerabilities that were patched in CHG systems, including when the vulnerability was found, the date it was patched, and what systems were patched. Please list the most recently patched vulnerabilities on top.
GHOST Vulnerability (01/2015)
The GHOST vulnerability was patched by Aaron on all CHG servers and VMs that needed it. chg-git was already up to date.
Jenkins Default Tomcat Vulnerability (12/2014)
OIT brought to our attention that example Apache Tomcat JSPs and Servlets were installed on chg-ewx. These were subsequently removed.
ShellShock Bash Bug (09/2014)
To test for vulnerability:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you're vulnerable it'll print:
vulnerable this is a test
If you've updated Bash you'll only see:
this is a test
All Windows PCs using Cygwin were vulnerable. They were updated individually by installing the newest version of bash. The folks at ERI took care of updating our unix servers, and Mac users received an update from Apple for OS X (Mavericks, Mountain Lion, Lion).
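The one-line test above wrapped into a small POSIX sh script, added here as an example (not part of the original wiki entry), so the result can be read as an exit status from a cron job or a fleet-wide audit instead of by eye. It assumes the bash binary to check is on PATH or is passed as the first argument; the sample output strings in the comments are the ones shown above.

```sh
#!/bin/sh
# Added example: classify and run the ShellShock env-variable test.

# classify_shellshock_output OUTPUT
# Given the output of the test command, prints "vulnerable" or "patched".
# Unpatched bash runs the trailing command while importing the function,
# so "vulnerable" shows up in the output ("vulnerable this is a test");
# patched bash prints only "this is a test".
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) printf 'vulnerable\n' ;;
        *)            printf 'patched\n' ;;
    esac
}

# shellshock_check [BASH_PATH]
# Runs the crafted-environment test against the given bash (default: the
# first "bash" on PATH). Prints "vulnerable" (exit 1), "patched" (exit 0)
# or "missing" (exit 2) when no such binary is installed.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        printf 'missing\n'
        return 2
    fi
    # Same test as on the wiki: a function definition in an environment
    # variable with a trailing command appended. stderr is folded in so a
    # patched bash's "ignoring function definition" warning is not lost.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    verdict=$(classify_shellshock_output "$out")
    printf '%s\n' "$verdict"
    [ "$verdict" = "patched" ]
}

# Stand-alone usage: report on the default bash and propagate the status.
shellshock_check "$@"
```

Run it on each Cygwin or unix host after updating bash; a non-zero exit means the host still needs attention.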
Heartbleed (04/2014)
The campus VPN server depends upon OpenSSL and was vulnerable to the Heartbleed bug. It was patched.
Windows Samba Security Policy on Swift (11/2013)
OIT sent us a notice that swift was vulnerable because of a security policy setting where "signing is disabled on the remote SMB server". Unsigned SMB traffic allows man-in-the-middle attacks against the SMB server. The issue was resolved by opening the Security Policy interface on swift and enabling "Microsoft network server: Digitally sign communications (always)".
The same setting was also applied to chg2.
See: http://technet.microsoft.com/en-us/library/cc731957.aspx
HP Printer Public String Vulnerability (09/2013)
OIT/NOC brought to our attention the fact that RSRU (the CHG LaserJet 4100dtn printer) was using the manufacturer-default SNMP community string "public", which is a potential DoS attack mechanism. A cold reset was performed to resolve the issue, and the admin password was reset.