Jun 17, 2018 - 2:50 p.m.

Security Bulletin: IBM Tivoli Workload Scheduler (CVE-2014-6271, CVE-2014-7169)

2018-06-17 14:50:13
www.ibm.com
CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

IBM Tivoli Workload Scheduler is not vulnerable to the Bash vulnerabilities CVE-2014-6271 or CVE-2014-7169 as shipped out of the box, but action could be required because Tivoli Workload Scheduler installation on AIX through Launchpad requires bash.

Vulnerability Details

The CVE-2014-6271 and CVE-2014-7169 vulnerabilities (also called Shellshock) affect Bash as delivered on Unix platforms. Fixes for Bash will come from the Unix distribution. IBM Tivoli Workload Scheduler does not ship bash.

Affected Products and Versions

Even though Tivoli Workload Scheduler doesn’t ship bash, bash is required in some cases:
- Tivoli Workload Scheduler installation through Launchpad, for all releases, requires bash on AIX and Firefox.
- Tivoli Workload Scheduler 9.1 GA level requires bash for the prerequisite check; TWS 9.1 FP01 removes this requirement.
- The “version” command requires bash in the following releases: 8.4 (all fixpacks), 8.5 (all fixpacks but FP05), 8.5.1 (all fixpacks but FP05), 8.6 (GA only). This command is manually issued to display the current version of the product.
- The Tivoli Dynamic Workload Console wastools commands backupConfig.sh and restoreConfig.sh require bash in the 9.1 FP01 and 9.2 GA level versions. These commands are used to create backups of the current Tivoli Dynamic Workload Console configuration and/or clone it.

Remediation/Fixes

IBM strongly recommends upgrading bash with the fixes from your operating system vendor. If you cannot apply the fixes for bash, please consider the above limitations.
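
To see which scripts on a host fall under these limitations, the following added example (not part of the IBM bulletin and not IBM code) lists the scripts under a directory whose interpreter line runs bash and reports whether bash is on PATH. The function names and the directory argument are assumptions of the example; no product install path is assumed.

```shell
#!/bin/sh
# Added example (not IBM code): list scripts whose "#!" line runs bash, i.e. the
# commands that depend on the OS bash package. DIR is supplied by the operator.

# interp_is_bash LINE: succeed when LINE is an interpreter line that runs bash,
# e.g. "#!/bin/bash", "#! /usr/bin/bash -e" or "#!/usr/bin/env bash".
interp_is_bash() {
    case "$1" in '#!'*) ;; *) return 1 ;; esac
    set -f                      # no globbing while word-splitting the line
    set -- ${1#??}              # drop "#!" and split the rest into words
    set +f
    [ $# -ge 1 ] || return 1
    if [ "${1##*/}" = env ]; then
        shift
        # Skip env options and VAR=value assignments before the command name.
        while [ $# -gt 0 ]; do
            case "$1" in -*|*=*) shift ;; *) break ;; esac
        done
        [ $# -ge 1 ] || return 1
    fi
    [ "${1##*/}" = bash ]
}

# find_bash_scripts DIR: print, sorted, every regular file under DIR whose first
# line is a bash interpreter line. Only the first 256 bytes of a file are read.
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        hdr=$(dd if="$f" bs=256 count=1 2>/dev/null | tr -d '\000\r' | head -n 1)
        if interp_is_bash "$hdr"; then printf '%s\n' "$f"; fi
    done
}

# report DIR: list the bash-dependent scripts and say whether bash is on PATH.
# Returns 1 when at least one script depends on bash, 0 otherwise.
report() {
    hits=$(find_bash_scripts "$1")
    if [ -z "$hits" ]; then
        echo "no bash-dependent scripts under $1"
        return 0
    fi
    printf '%s\n' "$hits"
    if bash_path=$(command -v bash); then
        echo "bash at $bash_path: confirm the OS vendor fix is installed"
    else
        echo "bash not on PATH: the scripts listed above cannot run here"
    fi
    return 1
}

[ $# -eq 0 ] || report "$1"   # usage: sh <this file> DIR
```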

Workarounds and Mitigations

none
