TPS-2014-004 Bash Vulnerability CVE-2014-6271 & CVE-2014-7169 (Shellshock) - remote code execution through bash
This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.
Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.)
AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud. Updates to pkgsrc bash are also now available in SmartOS pkgsrc repositories (please read details below under “Joyent Public Cloud”).
SmartDataCenter customers should have received a notification by ZenDesk ticket with further instructions.
The impact of these vulnerabilities is as follows:
Joyent Public Cloud
- Joyent has applied a patch to the underlying platform of all our servers to address this bug. Users of many SmartOS VMs will NOT need to take any action. If your bash is the platform-provided /usr/bin/bash, no action is required on your part.
- Joyent has updated bash in pkgsrc. Please note that some older pkgsrc repositories either do not contain bash or will not be patched due to their age; see the table below for details. The package that includes the fix to both CVE-2014-6271 & CVE-2014-7169 is called bash-4.3.025nb2. If your bash is the pkgsrc-provided /opt/local/bin/bash, you will need to either update the pkgsrc-provided bash by running
pkgin -f up && pkgin in bash
or remove the pkgsrc version via “pkgin rm bash”. The latter command will remove the pkgsrc version and the machine will fall back to the patched platform-provided version.
- Users of Linux VMs on Joyent’s Public Cloud will need to apply the necessary updates, based on the distribution they are using. Please follow the appropriate link below:
- Ubuntu: http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
- Fedora: http://fedoramagazine.org/flaw-discovered-in-the-bash-shell-update-your-fedora-systems/
- Debian: https://www.debian.org/security/2014/dsa-3032
- CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
| Pkgsrc | Repo Status | User Action Required |
|---|---|---|
| 2010Q4 | Bash not in repo | None |
| 2011Q1 | Won't be patched | Remove bash. See below |
| 2011Q2 | Won't be patched | Remove bash. See below |
| 2011Q3 | Won't be patched | Remove bash. See below |
| 2011Q4 | Won't be patched | Remove bash. See below |
| 2012Q2 | Won't be patched | Remove bash. See below |
| 2012Q3 | Won't be patched | Remove bash. See below |
| 2012Q4 and later | Patch applied | Re-install bash. See below |
Check if any users are set to use pkgsrc bash:
getent passwd | grep /opt/local/bin/bash
If you have users with pkgsrc bash as their shell, change it to the platform bash:
usermod -s /usr/bin/bash <login>
Remove pkgsrc bash (repositories 2011Q1 through 2012Q3):
pkgin rm bash
Re-install pkgsrc bash (repositories 2012Q4 and later):
pkgin -f up && pkgin in bash
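The checks above, as an added example that is not code from the Joyent notice: a small POSIX sh audit for a SmartOS VM that lists logins using the pkgsrc bash, maps a pkgsrc repository quarter to the action in the table, and goes one step further than the notice by comparing an installed bash package name against bash-4.3.025nb2. SAMPLE_PASSWD is constructed, and the version ordering rule (a trailing "nbN" field) is an assumption about pkgsrc package naming, not something the notice states.

```shell
#!/bin/sh
# Added example, not code from the Joyent notice: helpers that apply the
# SmartOS remediation checks it describes. SAMPLE_PASSWD is constructed;
# on a real VM pipe `getent passwd` into pkgsrc_bash_users instead.

FIXED_PKG="bash-4.3.025nb2"   # package carrying the fix for both CVEs

# Logins whose login shell is the pkgsrc bash (passwd(5) lines on stdin).
pkgsrc_bash_users() {
    awk -F: '$7 == "/opt/local/bin/bash" { print $1 }'
}

# Action from the notice's table for a pkgsrc quarter such as 2011Q3.
pkgsrc_action() {
    y=${1%Q*}; n=${1#*Q}
    if [ "$y$n" -lt 20104 ]; then echo "not listed in the notice"
    elif [ "$y$n" -eq 20104 ]; then echo "none: bash not in repo"
    elif [ "$y$n" -lt 20124 ]; then echo "remove: pkgin rm bash (repo will not be patched)"
    else echo "reinstall: pkgin -f up && pkgin in bash"
    fi
}

# True when pkgsrc version A >= B. Assumes the usual pkgsrc ordering where
# "nbN" is a trailing numeric field (4.3.025nb2 > 4.3.025nb1, 4.3.027 > 4.3.025nb2).
pkg_ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/nb/, ".", a); gsub(/nb/, ".", b)
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# True when an installed package name (as pkgin prints it) is the fixed bash or newer.
bash_pkg_is_fixed() { pkg_ver_ge "${1#bash-}" "${FIXED_PKG#bash-}"; }

# Constructed sample; only "admin" uses the pkgsrc bash as a login shell.
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
admin:x:100:1::/home/admin:/opt/local/bin/bash
www:x:80:80::/var/www:/usr/bin/false'

printf '%s\n' "$SAMPLE_PASSWD" | pkgsrc_bash_users   # prints: admin
pkgsrc_action 2011Q2
bash_pkg_is_fixed bash-4.3.025nb1 && echo "fixed" || echo "update needed"
```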
SmartDataCenter
- Both a hot-fix service and a new platform image (for SDC 7 only) are now available to enable customers to update their SDC installations. Action will be required by customers to apply these fixes. Instructions for applying the hot-fix (for both SDC 6 and SDC 7) as well as applying the latest platform image for SDC 7 have been sent by ZenDesk to SDC customers. If you have NOT received instructions, you can open a support ticket at https://help.joyent.com or by email to email@example.com to request the link and instructions.
- SmartDataCenter customers will need to advise their end users of this vulnerability, and advise them of any actions their end users will need to take. We will follow up with additional details as they are available.
At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to firstname.lastname@example.org if you have any questions or concerns.