Are HP Autonomy Products Affected by the Shellshock Vulnerability?
On September 25th, 2014, HP Software Global Business Security was notified of two vulnerabilities, known as Shellshock, in the widely used Bourne-again Shell (Bash).
The vulnerabilities allow unauthenticated access to a targeted system both locally and through certain remote services and applications. This defect has garnered substantial media attention due to the ease with which it can be exploited and the potential exposure of sensitive information.
The Bash shell is present on most versions of UNIX and is a component of the Cygwin distribution (which can be installed on Windows hosts). Certain environments within HP have Bash installed as part of the operating system. HP takes vulnerabilities seriously and works collaboratively with government, partners, and customers to help protect our products, solutions, and customers’ data. The same day the defect was discovered, HP Software began a comprehensive review of all actively supported products.
HP Autonomy continues to monitor the security community for the latest information about the Shellshock vulnerability. We employ industry-standard tools to detect this vulnerability and update our scanning tools with new detection signatures as they are released.
The following products are not affected by this issue. However, customers should follow vendor instructions to patch the OS accordingly.
Applications run on directly affected OSs (i.e. Linux, Unix, OS X)
- HP Aurasma
- HP Broadcast Monitoring Software (License)
- HP Data Protector
- HP Healthcare Analytics
- HP IDOL Software (License)
- HP IDOL Speech Software (License)
- HP KeyView
- HP LiveSite Software (License)
- HP LiveVault Software (License)
- HP OpenDeploy Software (License)
- HP Process Automation Software (License)
- HP Scrittura Software (License)
- HP Structured Data Manager
- HP Surveillance Software (License)
- HP Teamsite
- HP TeamSite Software (License)
- Image Server (Rich Media)
- WorkSite MP
Applications NOT run on directly affected OSs (e.g. run on Windows only)
- AED any Archive – SaaS
- HP Connected Backup Software (License)
- HP Connected Backup Software (SaaS)
- HP ControlPoint Software (License)
- HP Consolidated Archive Software (License)
- HP eDiscovery (License)
- HP eDiscovery Software (License)
- HP eDiscovery Software (SaaS)
- HP Explore Cloud SaaS
- HP IDOL Insight
- HP MediaBin Software (License)
- HP Qfiniti Software (License)
- HP Records Manager
- HP TeleForm Software (License)
- HP Universal Search Software (for Legal) (License)
- HP WorkSite Conflicts Manager (License)
- HP WorkSite Records Manager Software (License)
- HP WorkSite Software (License)
- MediaBin – SaaS (Virage)
- Participate Worksite – SaaS
Please continue to monitor this page for additional updates. This page will be updated as more information becomes available, including where to obtain information about affected and non-affected products, and where to obtain patches and software updates to address this vulnerability.