US-CERT/NIST published security vulnerability CVE-2014-7169 on 9/24/2014. A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous, as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.
The VersionOne application itself does not run on Unix or Linux based servers, so the application is not impacted. In our hosting environment, we utilize F5 load balancers. According to our hosting provider, Rackspace, the F5s are only vulnerable to authenticated users and rogue DHCP servers. The Rackspace-managed F5s are only accessible by Rackspace personnel, so an attack vector does not currently exist for unauthenticated users. Additionally, DHCP is not configured on the load balancers, so there is no risk of a compromise regarding the CVE-2014-7169 security vulnerability.
On our internal network, the only server affected was a monitoring server. It was vulnerable and was immediately updated with the Linux bash package, which remedied the vulnerability.
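Updating the bash package is the remediation described above; the natural follow-up is confirming that the installed bash no longer imports trailing commands from environment-variable function definitions. The script below is an added example and is not VersionOne's or Rackspace's tooling. It runs the widely published, harmless probe from the vendor advisories: a function definition followed by an `echo` of a constructed marker string. A patched bash ignores everything after the function body (and current releases no longer parse plain variables as functions at all), so the marker never appears. The function name `shellshock_check` and the marker value are assumptions of this example. Note the caveat: this probe detects the original import flaw; a bash patched only for the first fix could still be affected by the follow-up CVE-2014-7169, so also confirm the package version your distribution shipped for that CVE.

```shell
#!/bin/sh
# Added example (not from the VersionOne page): verify that the local bash
# does not execute trailing code from a function definition passed in the
# environment. Returns 0 when patched, 1 when vulnerable, 2 when bash is absent.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found: $bash_bin" >&2
        return 2
    fi
    # Constructed probe: a no-op function body followed by a trailing echo.
    # A patched bash imports the function only and never runs the echo.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "VULNERABLE: $bash_bin runs trailing code from env function definitions"
            return 1 ;;
        *)
            echo "patched: $bash_bin ignores trailing code ($("$bash_bin" --version | head -n 1))"
            return 0 ;;
    esac
}

# Stand-alone usage: check the bash on PATH, or pass an explicit binary path.
shellshock_check "${1:-bash}"
```

Run it on each host after the package update; a return code of 1 means the update did not take effect (for example, a second bash binary outside the package manager's control is still present on PATH).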