At Genesys, the security of our software – both in the cloud and on-premises – is extremely important to us. Over the past few days, Genesys has received several inquiries from our customers regarding the Shellshock bug, and I wanted to share what we know, as well as some guidance to ensure your contact center systems are not affected.
As soon as the news broke on Shellshock, the System Security Response Team (SSRT) within Genesys immediately started work on a comprehensive survey of our products and solutions to identify any potential exposures. Our internal IT reviews indicate that Genesys systems are safe. With that said, below are additional updates and information for our customers of both on-premises and cloud solutions:
For Genesys On-Premises Customers
After performing application behavior analysis, we do not believe the operation of Genesys software increases your exposure to the Shellshock vulnerability. In fact, across the entire Genesys suite of products and solutions, we are not aware of any software process that interacts with the Bash shell in a manner that could cause privilege escalation, buffer overrun, or malicious command execution. With that said, we are continuously investigating and analyzing our application performance. It’s important to note that Genesys software does not rely on “mod_cgi” or similar components where the vulnerability in the Bash shell can be exploited.
In addition to communications that we have sent to our customers, I am urging users of on-premises solutions to install the recommended patches for the affected systems as soon as possible. Due to CVE-2014-7169, not all vendors have sufficient patches available yet, but as soon as they do, Genesys software should be compatible.
For Genesys Cloud Customers
For Genesys Cloud users, we are actively investigating this issue and currently undertaking an evaluation of all Genesys Cloud services for potential exposure to the Shellshock vulnerability. We will provide an update to our customers and partners with our level of exposure and remediation time frames by Thursday of this week (October 2nd). The Genesys Cloud Information Security team is addressing this as a top priority and will be aggressively taking any corrective action, as needed.
As part of our ongoing internal IT security processes, Genesys maintains an aggressive and continuous security compliance process. If your systems are affected, our own internal experience has shown that the actual patching process takes less than 5 minutes for most systems.
I’d also like to remind all Genesys customers that our solutions have the highest level of compliance in the business. Genesys cloud-based contact center solutions have achieved Payment Card Industry Data Security Standard (PCI-DSS) Level 1 certification, Service Organization Control (SOC) 2 certification and Health Insurance Portability and Accountability Act (HIPAA) compliance.
If you have additional questions about Shellshock, please contact your operating system supplier. For Genesys customers who have security questions about our software, you can contact Genesys Care.