WebSphere Commerce alert regarding the now infamous Shellshock bug
Like the Heartbleed bug that was detected in April 2014, the Shellshock bug is creating headlines and headaches across the World Wide Web. IBM WebSphere Commerce users should understand that although the IBM WebSphere Commerce software itself is not directly susceptible to this bug, the bug can be present in the underlying operating system on which the WebSphere software runs, and those systems may therefore be open to manipulation by black-hat hackers.
It is also important to understand that the bug affects many Linux, Unix, and Apple OS X-based systems running the popular "bash" command-line shell. Administrators are strongly encouraged to test whether their systems are vulnerable and to apply patches to those systems where necessary. To quickly test whether a system is vulnerable, an administrator can follow the directions found on the Ars Technica website here.
Also notable: Windows and IBM i (OS/400) systems are not vulnerable to this bug. However, Linux-based operating systems running on IBM i hardware may be. If a system is found to be vulnerable, site administrators are encouraged to contact their OS vendor for help in acquiring and installing the patch, if one is available.
One of the main ways the vulnerability is being exploited is through a carefully crafted HTTP request aimed at systems that use the mod_cgi and mod_cgid modules of the popular Apache HTTP Server, on which IBM HTTP Server is based. If a patch is not immediately available for a particular OS and CGI support is not critical, it is recommended that the mod_cgi and mod_cgid modules be disabled immediately on the Apache HTTP Server(s) or IBM HTTP Server(s) handling traffic for any IBM WebSphere-enabled site.
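The two local checks this advisory asks administrators to perform, the bash self-test mentioned above and a check that mod_cgi/mod_cgid are really no longer loaded in the web server's configuration, as an added shell example that is not part of IBM's advisory or Apache's own tooling; the function names and the httpd.conf fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's or Apache's code): two read-only checks an
# administrator can run on a host serving a WebSphere Commerce site.

# Check 1: the classic bash self-test for the original Shellshock bug.
# bash imported shell functions from environment variables; a vulnerable
# build also executed whatever followed the function body. A fixed bash
# ignores the trailing command, so the marker string never appears.
# Prints: patched | vulnerable | no-bash
bash_env_import_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Check 2: is mod_cgi or mod_cgid still loaded in an Apache / IBM HTTP
# Server configuration? Reads the httpd.conf given as $1 (or stdin) and
# looks for an uncommented LoadModule line for cgi_module or cgid_module.
# Prints: enabled | disabled
cgi_modules_enabled() {
    if grep -E '^[[:space:]]*LoadModule[[:space:]]+cgid?_module([[:space:]]|$)' \
            ${1:+"$1"} >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# Demo on a constructed httpd.conf fragment (not a real site's config):
# mod_cgi is still loaded, so the interim mitigation has not been applied.
demo() {
    conf=$(mktemp)
    cat >"$conf" <<'EOF'
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule cgid_module modules/mod_cgid.so
EOF
    echo "bash function import: $(bash_env_import_check)"
    echo "CGI modules in $conf: $(cgi_modules_enabled "$conf")"
    rm -f "$conf"
}

demo
```

On a real host, point cgi_modules_enabled at the server's own httpd.conf (for IBM HTTP Server, the conf/httpd.conf under its install directory) and re-run it after commenting out the LoadModule lines and restarting the server.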
For more information, the U.S. National Cyber Security Division has issued a press release on its website offering additional insight into the Shellshock bug. The press release can be found here.