Informatica and the Shellshock Security Vulnerability
The security of information systems is a complex, shared responsibility between infrastructure, system and application providers. Informatica doesn’t take lightly the responsibility our customers have entrusted to us in this complex risk equation.
As Informatica’s Chief Information Security Officer, I’d like to share three important security updates with our customers:
- What you need to know about Informatica products and services relative to the latest industry-wide security concern,
- What you need to do to secure Informatica products against the ShellShock vulnerability, and
- How to contact Informatica if you have questions about Informatica product security.
1 – What you need to know
On September 24, 2014 a serious new cluster of vulnerabilities to Linux/Unix distributions was announced, classified as (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278) aka “Shellshock” or “Bashdoor”. What makes ShellShock so impactful is that it requires relatively low effort or expertise to exploit and gain privileged access to vulnerable systems.
Informatica’s cloud-hosted products, including Informatica Cloud Services (ICS) and our recently-launched Springbok beta, have already been patched to address this issue. We continue to monitor for relevant updates to both vulnerabilities and available patches.
Because this vulnerability is a function of the underlying Operating System, we encourage administrators of potentially vulnerable systems to assess their risk levels and apply patches and/or other appropriate countermeasures.
Informatica’s Information Security team coordinated an internal response with product developers to assess the vulnerability and make recommendations necessary for our on-premise products. Specific products and actions are listed below.
2 – What you need to do
Informatica products themselves require no patches to address the Shellshock vulnerability, they are not directly impacted. However, Informatica strongly recommends that you apply your OS vendors’ patches as they become available, since some applications allow customers to use shell scripts in their pre-and post-processing scripts. Specific Informatica products and remediations are listed below:
| Cloud Service | Version | Patch / Remediation |
| Springbok | Beta | No action necessary. The Springbok infrastructure has been patched by Informatica Cloud Operations. |
| ActiveVOS/Cloud | All | No action necessary. The ActiveVOS/Cloud infrastructure has been patched by Informatica Cloud Operations. |
| Cloud/ICS | All | Customers should apply OS patches to all of their machines running a Cloud agent. Relevant Cloud/ICS hosted infrastructure has already been patched by Informatica Cloud Operations. |
| Product | Version | Patch / Remediation |
| PowerCenter | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| IDQ | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| MM, BG, IDE | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| PC Express | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| Data Services / Mercury stack | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| PWX mainframe & CDC | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| UM, VDS | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IDR, IFC | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| B2B DT, UDT, hparser, Atlantic | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| Data Archive | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| Dynamic data masking | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IDV | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| SAP Nearline | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed.. | |
| TDM | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. | |
| MDM | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IR / name3 | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. | |
| B2B DX / DIH | All | DX & DIH on Red Hat Customers should apply OS patches. Other OS customers still recommended to apply OS patch. |
| PIM | All | PIM core and Procurement are not not directly impacted. Recommend Media Manager customers apply OS patch to all machines with INFA product installed. |
| ActiveVOS | All | No direct impact for on-premise ActiveVOS product. Cloud-realtime has already been patched. |
| Address Doctor | All | No direct impact for AD services run on Windows. Procurement service has already been patched by Informatica Cloud Operations. |
| StrikeIron | All | No direct impact. |
3 – How to contact Informatica about security
Informatica takes the security of our customers’ data very seriously. Please contact our Informatica’s Knowledge Base (article ID 301574), or our Global Customer Support team if you have any questions or concerns. The Informatica support portal is always available at http://mysupport.informatica.com.
If you are security researcher and have identified a potential vulnerability in an Informatica product or service, please follow our Responsible Disclosure Program.
Thank you,
Bill Burns, VP & Chief Information Security Officer
Comments