Friday, September 26, 2014

Critical bash security issue in all versions of Linux (CVE-2014-7169)

Two days ago we announced Shellshock (CVE-2014-6271), a critical, remotely exploitable vulnerability in the bash shell.

The fix for CVE-2014-6271 was incomplete, and command injection is still possible after that patch has been applied. The new issue is being tracked as CVE-2014-7169 (Aftershock). Please log in to all of your Bitnami-based Linux VMs or cloud images and upgrade bash. If you are running an Ubuntu machine (and most likely you are), you can execute the following commands:

sudo apt-get update
sudo apt-get install bash

To test that you have successfully updated your installation, type:


env var='() {(a)=>\' bash -c "echo date"; cat echo; rm -f echo

If you get the following, you have successfully patched bash:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
date
cat: echo: No such file or directory

If you get the following (with the current date at the end), you are still vulnerable:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
Fri Sep 26 09:20:00 UTC 2014
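
The same check wrapped in a small script, as an added example that is not part of the original post and not a Bitnami tool. It runs the probe in a temporary directory, so an existing file named echo in your current directory is never overwritten or deleted, and it accepts the path of any bash binary to test. The function name check_bash_7169 is an assumption made for this example.

```shell
#!/bin/sh
# Added example: the CVE-2014-7169 test from this post, run in a throwaway
# directory. check_bash_7169 is a hypothetical helper name.
#
# Usage: check_bash_7169 [path-to-bash]
# Prints "patched" or "vulnerable".
# Returns 0 if patched, 1 if vulnerable, 2 if the check could not be run.
check_bash_7169() (
    # Default to the first bash found on PATH when no path is given.
    bash_bin=${1:-$(command -v bash)}
    if [ ! -x "$bash_bin" ]; then
        echo "error: no executable bash at '$bash_bin'" >&2
        exit 2
    fi

    workdir=$(mktemp -d) || exit 2
    cd "$workdir" || exit 2

    # Same probe as in the post. On a bash that is still vulnerable, the
    # leftover ">\" makes the shell run `date` with its output redirected
    # into a file named "echo" instead of printing the word "date".
    env var='() {(a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1

    if [ -e echo ]; then
        result=vulnerable
    else
        result=patched
    fi

    # Clean up the temporary directory before reporting.
    cd / && rm -rf "$workdir"

    echo "$result"
    [ "$result" = patched ]
)

# Run the check against the bash given on the command line, if any.
check_bash_7169 "$@"
```

Save it as a script and pass the path of each bash binary on the machine that you want to verify, for example /bin/bash.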


If you have further questions, please refer to our community forums or contact the helpdesk if you are a commercial Bitnami customer.

More information and possible updates are available on our wiki.