CVE-2014-6271 Scope, impact, and resolution

Update (October 9th, 3:15pm PT)

The hotfix has been released and you can read the release notes here. The security patches are now available via the Upgrade button in your environment.

 

Update (October 7th, 3:15pm PT)

Our security patches have been updated to provide additional assurance that all six known vulnerabilities have been eliminated.  We recommend applying these patches during a time convenient for you over the next 48 hours in order to minimize disruption to your operations.  When you are ready to install these updates, SSH into your desired instance(s) and run:

 

    ‘sudo eix-sync && sudo emerge app-shells/bash’


These new changes will be available via the Upgrade button by 5pm PT on Thursday, October 9th.

 

Update (October 7th, 8:09am PT)

We have determined that CVE-2014-6277 is a vulnerability on systems that were previously patched for it.  We are investigating the matter and will have an update on the situation shortly.

 

Update (October 1st, 5:00pm PT)

Customers can now patch for the following vulnerabilities:

       CVE-2014-6271 

       CVE-2014-6277

       CVE-2014-6278

       CVE-2014-7169 

       CVE-2014-7186

       CVE-2014-7187

 

If the Upgrade button is enabled just click Upgrade to apply patches for all six CVEs. No other action is needed on your part if your button was enabled and you successfully upgraded using that. You do not need to read the next section.

 

If the Upgrade button is not enabled, customers can manually SSH into the desired instance(s) and run:

 

       ‘sudo eix-sync && sudo emerge app-shells/bash’

 

or simply wait until tomorrow’s update.  Tomorrow, once customers are upgraded to the new cookbooks version, the behavior of the Apply button will include checking for any new or missing Bash vulnerability patches.  We will update this post once that functionality is ready.  

 

Newly created instances now include all available patches for the above vulnerabilities.  NOTE: Environments that have not been upgraded prior to September 25th are at risk of missing these patches from the aforementioned automations.

 

More information will follow as we continue to watch for new threats.

Update (September 30th, 9:20pm PT)

In addition to the aforementioned vulnerabilities, our tests confirm CVE-2014-7187 has been successfully patched. 

 

Update (September 30th, 7:40pm PT)

Listed below, the following vulnerabilities can be addressed by clicking Upgrade on your respective environments via the Cloud dashboard.  Managed customers will have patches automatically applied at 9am local server time via Puppet:

 

CVE-2014-6271 (initial vulnerability)

CVE-2014-7169

CVE-2014-7186

 

We are currently reviewing the latest patch for CVE-2014-7187 and will have additional information as soon as possible.  


Additional updates shall follow as we continue to watch for additional developments.

 

Update (September 30th, 12:18pm PT)

An official (yet partial) update has been released for 2014-7186 & 2014-7187.  Our engineers are reviewing the code in preparation for an update to Engine Yard customers.  Once it is determined the update will safely resolve the cited vulnerabilities, we will update this post again with installation instructions.

 

Update (September 29th, 7:07pm PT)

We have no new information to present at this time.  Updates to the situation will be posted as soon as new information is available.

 

Update (September 29th, 11:17am PT)

We are currently reviewing the following newly disclosed vulnerabilities related to Shellshock:

 

2014-6277 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

2014-6278 - No public details yet

2014-7186 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186

2014-7187 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

 

In addition to assessing these concerns, we will continue to watch for new threats as they emerge and apply our findings to this post.

 

Update (September 26th, 1:30pm PT)

The second revision of the bash security update is now available which addresses both CVE-2014-6271 and CVE-2014-7169. Performing the following steps will update your instance even if you have not updated to the previous revision:

  1. SSH into your instance via your preferred method.
  2. Run the command: sudo eix-sync && sudo emerge app-shells/bash

We will update this post as any new information becomes available.  To review details on both vulnerabilities, see the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

 

Update (September 26th, 10:45am PT)

Our developers are reviewing the latest available patch for the related vulnerability, CVE-2014-7169.  Once the review and testing process is complete, we will update this post again with the accompanying update instructions.  Our goal is to have this completed as quickly as possible with an update for you later today.

 

Update (September 25th, 2:50pm PT)

Completely patching the vulnerability will require multiple iterations as the situation continues to develop.  However, the first stage of this patch is now available for Engine Yard customers.  You may apply the patch dubbed ‘R1’ by following these steps:

  1. SSH into your instance via your preferred method.
  2. Run the command: sudo eix-sync && sudo emerge app-shells/bash

If you have any questions, concerns, or issues applying this patch then please contact our Application Support team by submitting a support ticket.

 

This post will be updated again once we have additional information.

 

Issue

A vulnerability with Bash has been discovered--affecting Debian, Ubuntu, Gentoo, and other Linux distributions--which allows arbitrary code to be executed by a remote attacker on the applicable host.  

Any hosted applications which pass unsanitized variables to a shell command are potentially included in this vulnerability. Therefore, these applications are at risk of further exploit if an attack proves successful.

Solution

Engine Yard engineers are actively working through the official patches to have them available as soon as possible for our customers.  The projected completion time is early business hours tomorrow, September 25th.  Patch instructions will follow.

Further updates will be posted as available.  Be sure to subscribe to this Known Issue to receive prompt email notifications.  

Affected Gentoo Bash versions

bash-3.1_p18

bash-3.2_p52

bash-4.0_p39

bash-4.1_p12

bash-4.2_p48

More Information

Comments

0 comments

Article is closed for comments.