Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems.
The database giant issued a security alert regarding the issue on Friday, warning that many Oracle customers will have to wait awhile longer to receive patches.
"Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability," the company said.
Among the products affected are Oracle Exalogic cluster appliances, which are priced starting at $250,000 each.
Also vulnerable are the Oracle Data Appliance, Big Data Appliance, SPARC Supercluster, Sun ZFS Storage Appliance Kit, and a variety of software packages including Oracle VM, Oracle Key Vault, and a whole range of Oracle Communications products.
Oracle offered no timeline for when patches will become available, and it isn't always known for prompt attention to security vulnerabilities. It was criticized for dragging its feet when a spate of critical exploits of the Java browser plug-in emerged in 2013, for example.
But Friday's alert wasn't all bad news. Oracle says Shellshock patches are already available for its Exadata engineered systems, in addition to Oracle Linux versions 4–7 and Solaris versions 8–11.
Oracle doesn't plan to send notices to individual customers when new fixes become available, so customers are advised to keep checking the relevant security alert page for updates.
They shouldn't have to wait long. After an incomplete attempt to fix the Shellshock vulnerability (CVE-2014-6271) on Wednesday, the GNU Project issued a new set of patches on Friday for Bash versions old and new that should properly squash a related bug (CVE-2014-7169) discovered by Tavis Ormandy.
In a statement on the subject, Free Software Foundation executive director John Sullivan attributed the speedy resolution of the Shellshock issue to the fact that Bash is free software, adding that proprietary software often ships with hidden bugs that customers cannot fix by themselves.
"We are reviewing Bash development, to see if increased funding can help prevent future problems," Sullivan said. "If you or your organization use Bash and are potentially interested in supporting its development, please contact us." ®