TPS-2014-004 Bash Vulnerability CVE-2014-6271 & CVE-2014-7169 (Shellshock) - remote code execution through bash

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.

Note that CVE-2014-7169 arose because the initial fix for CVE-2014-6271 was incomplete. (These fixes are created by the upstream maintainers of bash, not by Joyent.)

AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud. Updates to pkgsrc bash are also now available in SmartOS pkgsrc repositories (please read details below under “Joyent Public Cloud”).

SmartDataCenter customers should have received a notification by ZenDesk ticket with further instructions.

The impact of these vulnerabilities is as follows:

Joyent Public Cloud

  1. Joyent has applied a patch to the underlying platform of all our servers to address this bug. Users of many SmartOS VMs will NOT need to take any action: if the command “which bash” returns /usr/bin/bash, no action is required on your part.
  2. Joyent has updated bash in pkgsrc. Please note that some older pkgsrc repositories either do not contain bash or will not be patched due to their age; see the table below for details. The package that includes the fix for both CVE-2014-6271 and CVE-2014-7169 is called bash-4.3.025nb2. If the command “which bash” returns /opt/local/bin/bash, you will need to either update the pkgsrc-provided bash by running “pkgin -f up && pkgin in bash” or remove the pkgsrc version via “pkgin rm bash”. The latter command removes the pkgsrc version, and the machine falls back to the patched platform-provided version.
  3. Users of Linux VMs on Joyent’s Public Cloud will need to apply the necessary updates, based on the distribution they are using. Please follow the appropriate link below:
  Pkgsrc Repo        Status              User Action Required
  2010Q4             Bash not in repo    None
  2011Q1             Won't be patched    Remove bash. See below.
  2011Q2             Won't be patched    Remove bash. See below.
  2011Q3             Won't be patched    Remove bash. See below.
  2011Q4             Won't be patched    Remove bash. See below.
  2012Q2             Won't be patched    Remove bash. See below.
  2012Q3             Won't be patched    Remove bash. See below.
  2012Q4 and later   Patch applied       Re-install bash. See below.

Removing bash

  1. Check if any users are set to use pkgsrc bash

    getent passwd | grep /opt/local/bin/bash
    
  2. If you have users with pkgsrc bash as their shell, change it to /usr/bin/bash

    usermod -s /usr/bin/bash <login>
    
  3. Remove pkgsrc bash

    pkgin rm bash
    

Re-installing pkgsrc bash

pkgin -f up && pkgin in bash
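The decision rules above (which bash is first in PATH, whether the installed pkgsrc package is at least bash-4.3.025nb2, which repository quarters get a patch, and which accounts still use /opt/local/bin/bash as their login shell) can be checked on an instance with one script. The following is an added example, not Joyent's code or part of this notice. It assumes a file name of shellshock_audit.sh, that `pkg_info -e bash` prints the installed pkgsrc package name, a simplified pkgsrc version comparison (dotted numeric fields, then the nbN revision), and that repository quarters the table does not list (for example 2012Q1) fall into the nearest listed range, which the notice does not state. The passwd lines used for the offline demo are constructed, not real accounts.

```shell
#!/bin/sh
# Added audit helper (not Joyent's code). Encodes the decision rules of the
# Shellshock notice so they can be checked on a SmartOS/JPC instance with:
#   sh shellshock_audit.sh --audit
# Without --audit it only runs an offline demo on constructed sample data.

FIXED_PKG="bash-4.3.025nb2"   # package the notice names as carrying both fixes

# Map the path that `which bash` returns to the notice's required action.
action_for_bash_path() {
  case $1 in
    /usr/bin/bash)       echo none ;;              # patched platform bash
    /opt/local/bin/bash) echo update-or-remove ;;  # pkgin in bash, or pkgin rm bash
    *)                   echo unknown ;;
  esac
}

# Map a pkgsrc repository quarter (e.g. 2012Q3) to the notice's table.
# Assumption (not in the notice): YYYYQn strings compare chronologically as
# plain strings, so quarters the table omits fall into the nearest listed range.
repo_action() {
  case $1 in 20[0-9][0-9]Q[1-4]) ;; *) echo unknown; return 0 ;; esac
  if   expr "$1" \< "2011Q1" >/dev/null; then echo none       # bash not in repo
  elif expr "$1" \< "2012Q4" >/dev/null; then echo remove     # won't be patched
  else                                         echo reinstall  # patch applied
  fi
}

# Return 0 if package name $1 is at least as new as $2 (e.g. bash-4.3.025nb2).
# Simplified pkgsrc comparison: dotted numeric fields first, then the nbN revision.
pkg_version_ge() {
  a=${1#bash-}; b=${2#bash-}
  a_nb=0; b_nb=0
  case $a in *nb*) a_nb=${a##*nb}; a=${a%%nb*} ;; esac
  case $b in *nb*) b_nb=${b##*nb}; b=${b%%nb*} ;; esac
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=$a; a= ;; esac
    case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=$b; b= ;; esac
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  [ "$a_nb" -ge "$b_nb" ]
}

# Print logins whose shell is the pkgsrc bash, from passwd-format lines on stdin.
# On a host: getent passwd | pkgsrc_bash_users
pkgsrc_bash_users() {
  awk -F: '$7 == "/opt/local/bin/bash" { print $1 }'
}

# Constructed passwd sample for the offline demo (not real accounts).
sample_passwd() {
  printf '%s\n' \
    'root:x:0:0:Super-User:/root:/usr/bin/bash' \
    'alice:x:1001:10:Alice:/home/alice:/opt/local/bin/bash' \
    'bob:x:1002:10:Bob:/home/bob:/usr/bin/bash' \
    'deploy:x:1003:10:Deploy:/home/deploy:/opt/local/bin/bash'
}

# Audit of the local host; only runs when invoked with --audit.
audit_host() {
  b=$(command -v bash || true)
  echo "bash in PATH: ${b:-not found}; action per notice: $(action_for_bash_path "${b:-}")"
  if [ -x /opt/local/bin/bash ] && command -v pkg_info >/dev/null 2>&1; then
    pkg=$(pkg_info -e bash 2>/dev/null || true)   # installed pkgsrc package name (assumed usage)
    if [ -n "$pkg" ] && pkg_version_ge "$pkg" "$FIXED_PKG"; then
      echo "pkgsrc $pkg already carries the fix"
    else
      echo "pkgsrc ${pkg:-bash} is older than $FIXED_PKG: run 'pkgin -f up && pkgin in bash' or 'pkgin rm bash'"
    fi
  fi
  echo "accounts whose login shell is /opt/local/bin/bash (usermod -s /usr/bin/bash <login> before pkgin rm bash):"
  getent passwd | pkgsrc_bash_users
}

if [ "${1:-}" = "--audit" ]; then
  audit_host
else
  sample_passwd | pkgsrc_bash_users   # offline demo: prints alice and deploy
fi
```

Run it with --audit on the instance itself; the pkgsrc version check is only reached when /opt/local/bin/bash exists, and the account listing tells you which logins need their shell changed before the pkgsrc bash is removed.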

SmartDataCenter Customers

  • Both a hot-fix service and new platform image (for SDC 7 only) are now available to enable customers to update their SDC installations. Action will be required by customers to apply these fixes. Instructions for applying the hot-fix (for both SDC 6 and SDC 7) as well as applying the latest platform image for SDC 7 have been sent by ZenDesk to SDC customers. If you have NOT received instructions, you can open a support ticket at https://help.joyent.com or by email to support@joyent.com to request the link and instructions.
  • SmartDataCenter customers will need to inform their end users of this vulnerability and of any actions those end users must take. We will follow up with additional details as they become available.

At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com if you have any questions or concerns.