Ceridian UK 'Bash' (also known as 'Shellshock') Vulnerability Statement

30 September 2014

On Sept 24th, a major vulnerability in a standard installed component of Unix/Linux/and OS X - known as the Bourne Again Shell (BASH) – was announced. Under certain conditions this vulnerability could be exploited to permit remote access and control of vulnerable devices and systems.

As of 09:00 on Sept 30th Ceridian UK:

. Has been working as part of a Vulnerability Response Team across the global Ceridian enterprise
. Confirmed with our suppliers that Intrusion Detection System (IDS) and all applicable firewalls have been updated with the latest signatures/patches from vendors to protect these devices against this vulnerability
. Will continue to monitor the situation as more information emerges

This vulnerability has been discovered in devices and applications that use Linux/Unix "bash" shells. Ceridian UK application systems are primarily based on Windows technology. This means that our exposure to this vulnerability is very limited. Prime areas that Ceridian UK has addressed are on 3rd party devices that provide security features such as our IDS and firewalls. We have taken immediate action to determine whether the vulnerability exists within our enterprise and, where it has been found, we have ensured that all vendor patches have been applied.

At this point in time, we believe that Ceridian UK is protected against this vulnerability. Further, there is no evidence to suggest that any attempts have been made to exploit this vulnerability in our environment.

The vulnerability response team continues to meet regularly to address any identified vulnerabilities.

We will continue to make the protection of your data a top priority. If you have additional questions regarding our Ceridian Information Security Program, please contact your normal Ceridian contact.