On September 24, 2014, a vulnerability was discovered in the widely used Unix Bash shell that allows attackers to execute arbitrary commands passed through environment variables.
Are Uplogix products affected?
So far, both the Uplogix Local Manager and Control Center products have been found to be vulnerable to this exploit in certain situations:
- When DHCP is used for either primary or secondary networking
Control Centers and Local Managers using static IP addressing are not affected by this exploit.
How will Uplogix address this?
On October 10, 2014, Uplogix released updated software to remove this vulnerability.
- Local Manager (all platforms): Upgrade to LMS version 4.7.3
- Control Center: Upgrade to new Bash RPM
Customers running LMS version 4.6 and prior are encouraged to upgrade to the latest release.
Customers running FIPS versions of LMS 4.6 can upgrade to 220.127.116.11.
Please contact Uplogix Support to schedule an update of the Bash RPM or to upgrade your deployment.
What if I don’t have an active maintenance contract?
If your deployment is not currently under maintenance, please contact your Account Executive for information about renewing your maintenance. Once an active maintenance contract is in place, your deployment can be upgraded to the latest version of code.
What can I do in the meantime?
Until your deployment is upgraded, you can minimize your exposure by switching from DHCP to static IP addressing.
What if I need more information?
Please contact Uplogix Support if you have any questions about this issue.