Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
The NetVault Bare Metal Restore (BMR) plugin for the 4.3 and 10.0.0 releases includes a VaultOS component, a Linux distribution that ships a version of bash containing the vulnerabilities listed above. VaultOS is used by BMR only during an offline backup and during the restore of a server without an OS, so BMR has very limited exposure to these vulnerabilities. VaultOS has nevertheless been updated to ship a version of bash (bash-4.1.2-15.el6_5.2) that contains fixes for these vulnerabilities, and it is recommended that anyone with an older version of VaultOS upgrade to a fixed version to reduce this risk.
10.0.0
The BMR 10.0.0 release has been re-posted on the support site and on the product download site. If you have BMR version 10.0.0.5, please download the latest plugin from https://support.quest.com/netvault-backup/download-new-releases and install it in place of your current plugin. The BMR plugin version will be 10.0.0.6. The
4.3
A VaultOS hotfix - vaultos_v5.8.2.1_linux_6.4_32bit.iso - has been created which contains the fix. This hotfix and its Readme can be downloaded from
https://support.quest.com/netvault-backup/10.0/download-new-releases
and should replace an existing VaultOS 5.8.2 plugin.
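To confirm that a VaultOS image carries the fixed bash build named above (bash-4.1.2-15.el6_5.2), a check along these lines can be used. It is an added example, not code from Quest or from VaultOS; the function names are hypothetical, and it assumes `rpm` and GNU `sort -V` are available in the environment being checked. `sort -V` approximates RPM's own version ordering, which is adequate for builds within the el6 stream.

```shell
#!/bin/sh
# Fixed bash build named in the advisory (version-release, without "bash-").
FIXED_BASH_VR="4.1.2-15.el6_5.2"

# bash_build_is_fixed VERSION-RELEASE   (hypothetical helper)
# Returns 0 if the build is at or above the fixed build, 1 if it is older,
# 2 if the input is empty, malformed, or not an el6 build (not comparable).
bash_build_is_fixed() {
    vr=${1#bash-}                      # accept "bash-<ver>-<rel>" as printed by rpm -q
    case $vr in                        # drop a trailing architecture, if present
        *.x86_64|*.i686|*.i386) vr=${vr%.*} ;;
    esac
    case $vr in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    case $vr in
        *.el6*) ;;                     # only el6 builds share this release stream
        *) return 2 ;;
    esac
    [ "$vr" = "$FIXED_BASH_VR" ] && return 0
    # The lower of the two sorts first; if that is the fixed build, $vr is newer.
    lowest=$(printf '%s\n%s\n' "$vr" "$FIXED_BASH_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_BASH_VR" ]
}

# report_installed_bash: query the RPM database and print a verdict.
report_installed_bash() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash 2>/dev/null) ||
        { echo "bash package not found in RPM database"; return 2; }
    rc=0
    bash_build_is_fixed "$installed" || rc=$?
    case $rc in
        0) echo "bash $installed: at or above $FIXED_BASH_VR" ;;
        1) echo "bash $installed: older than $FIXED_BASH_VR, upgrade VaultOS" ;;
        *) echo "bash $installed: not an el6 build, cannot compare" ;;
    esac
    return "$rc"
}

# Run the live check only when asked: sh check_bash.sh --check
if [ "${1:-}" = "--check" ]; then
    report_installed_bash
fi
```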