There has recently been a lot of news about the vulnerability revealed in the bash shell. While the fix is very quick to implement, a couple of tricks are required to install this update on an Exadata environment. According to Oracle support note #1405320.1, Exadata storage server versions 11.2.3.x.x and 12.1.1.x.x are susceptible to the exploit. On a typical Oracle Enterprise Linux host, a simple "yum update bash" command would put the fix in place. Because Exadata hosts shouldn't be connected to the ol5_latest yum channel, the process is a little less straightforward.
Testing whether a host is vulnerable is very quick - if the following command shows "vulnerable" in the output, then you're not looking so good:
[root@enkx3db01 ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
Thanks to Oracle's public-yum.oracle.com repository, the updated bash RPM is available from http://public-yum.oracle.com/repo/OracleLinux/OL5/latest/x86_64. At the time of this writing, the most current version available is bash-3.2-33.el5_11.4.x86_64.rpm. Unfortunately, an Exadata-specific RPM gets in the way of just upgrading bash:
[root@enkx3db01 ~]# rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
error: Failed dependencies:
config(bash) = 3.2-32.el5_9.1 is needed by (installed) exadata-sun-computenode-exact-11.2.3.3.0.131014.1-1.x86_64
bash = 3.2-32.el5_9.1 is needed by (installed) exadata-sun-computenode-exact-11.2.3.3.0.131014.1-1.x86_64
That's not what we wanted to see. According to Oracle, it is safe to remove this exadata-sun-computenode-exact RPM to update the bash package.
[root@enkx3db01 ~]# rpm -e exadata-sun-computenode-exact
[root@enkx3db01 ~]# rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
After removing the problematic package, bash updates as expected. For the Exadata storage servers, simply install the RPM with --nodeps. It is recommended not to remove the exadata-sun-cellnode-exact package (updated from original published post). Note that both the copy and the install can be done with dcli:
[root@enkx3db01 ~]# dcli -l root -g cell_group -f bash-3.2-33.el5_11.4.x86_64.rpm -d /root/bash-3.2-33.el5_11.4.x86_64.rpm
[root@enkx3db01 ~]# dcli -l root -g cell_group rpm -Uvh --nodeps /root/bash-3.2-33.el5_11.4.x86_64.rpm
enkx3cel01: warning: /root/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
enkx3cel01: Preparing... ##################################################
enkx3cel01: bash ##################################################
enkx3cel02: warning: /root/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
enkx3cel02: Preparing... ##################################################
enkx3cel02: bash ##################################################
enkx3cel03: warning: /root/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
enkx3cel03: Preparing... ##################################################
enkx3cel03: bash ##################################################
After the update, the host is no longer vulnerable, which can be checked using the test from earlier:
[root@enkx3db01 ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
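The test shown before and after the update, wrapped as an added example (not part of the original post) so that it returns a verdict and an exit code and never reports "patched" when the test itself did not run. The function names and the three-way verdict are this example's own.

```shell
#!/bin/sh
# Added example: scriptable form of the post's Shellshock test.

# shellshock_status [BASH_BINARY]
# Prints one word and exits: 0 = patched, 1 = vulnerable, 2 = inconclusive.
# The body is a subshell, so "exit" only ends the function.
shellshock_status() (
    shell_bin="${1:-bash}"

    # A missing binary must not be mistaken for a clean result.
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo inconclusive
        exit 2
    fi

    # Same two environment entries as the test in the post. stderr is dropped
    # because patched and unpatched bash both print import messages there.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$shell_bin" -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo vulnerable; exit 1 ;;
    esac

    # "test" must appear, otherwise the shell never ran the command.
    case "$out" in
        *test*) echo patched; exit 0 ;;
        *)      echo inconclusive; exit 2 ;;
    esac
)

# One line per host, in the "host: verdict" shape that dcli output uses.
report_host() {
    printf '%s: %s\n' "$(uname -n)" "$(shellshock_status "${1:-bash}")"
}
```

Call report_host on each node after the update; any verdict other than "patched" means the host needs another look.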
Hopefully this will help make the patch process more straightforward.
Thanks Andy. This was very helpful (and timely!) and we’ll put this info to good use today on our dev boxes. Have you had a chance to look into any of the nuances of patching a ZFS appliance?