Article ID: 123026, created on Sep 29, 2014, last review on Nov 13, 2014

  • Applies to:
  • Operations Automation
  • Business Automation
  • Odin Business Automation Standard
  • Plesk Automation

Information

The Red Hat security team fixed the Shellshock vulnerability in several steps, and each step has its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.

An analysis of the security impact and attack vectors is published on the Red Hat Security Blog.

Fixed versions of bash have been released by the OS vendors:

Even though this vulnerability is not in a Parallels product, installing the update is highly recommended because the system can be exploited over the network.

Symptoms

Please use the automated script to find out whether the installed version of Bash is vulnerable: BashCheck

NOTE: Recent versions of Bash 4.3 (Ubuntu 14.x, Debian Jessie) produce a false-positive warning in the check for CVE-2014-7186 (redir_stack bug).

Examples:

Vulnerable machine:

$ sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18:  6671 Segmentation fault: 11  bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Updated machine:

$ sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
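As an added example (this is not the BashCheck script and not part of the original article), the following POSIX shell script reproduces the checks behind three of the lines in the output above: the original CVE-2014-6271 test, the CVE-2014-7169 test, and the "variable function parser" test. It assumes the Bash under test is reachable as "bash" on PATH (override with the BASH_BIN variable) and that mktemp is available.

```shell
#!/bin/sh
# Added example: minimal Shellshock status checks. Each function prints
# "vulnerable", "not vulnerable" or "unknown" (bash or mktemp missing).
BASH_BIN="${BASH_BIN:-bash}"   # assumption: Bash under test is on PATH as "bash"

# CVE-2014-6271: an unpatched Bash runs the command that trails a function
# definition stored in an environment variable, so "vulnerable" is printed
# at shell startup even though -c only runs "true".
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'true' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a crafted definition
# redirect output; an unpatched Bash creates a file named "echo" in the
# working directory. Run inside a throwaway directory so nothing is left behind.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return; }
    tmp=$(mktemp -d) || { echo unknown; return; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then status=vulnerable; else status="not vulnerable"; fi
    rm -rf "$tmp"
    echo "$status"
}

# Function-import parser: fully patched builds only import functions from
# specially named variables, so a plain variable holding "() { ...; }" is no
# longer parsed as a function and "foo" is not a command. Prints active/inactive.
check_function_parser() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return; }
    out=$(env foo='() { echo active; }' "$BASH_BIN" -c 'foo' 2>/dev/null) || true
    if [ "$out" = active ]; then echo active; else echo inactive; fi
}

report() {
    echo "CVE-2014-6271 (original shellshock): $(check_cve_2014_6271)"
    echo "CVE-2014-7169 (taviso bug): $(check_cve_2014_7169)"
    echo "Variable function parser: $(check_function_parser)"
}
```

Run the script with `sh` and call `report` to print all three results; any line reading "vulnerable" or "active" means the bash package still needs the vendor update.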

Resolution

  1. To fix a vulnerable version, follow the update installation instructions in the OS vendors' announcements. For RHEL and CloudLinux systems, please use 'yum update bash' to get the latest version.

  2. Affected system components and possible workarounds for the additional security issue CVE-2014-7169 are described in the Red Hat article Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271). For more information and the list of affected components, see https://access.redhat.com/articles/1200223

Search Words

Other

CVE-2014-6271 CVE-2014-7169 update for bash vulnerability Bash Code Injection Vulnerability CVE-2014-7186 CVE-2014-7187
