CVE-2014-6271 and CVE-2014-7169 - ShellShock


Severity

Important

Vendor

Canonical Ubuntu, CentOS

Versions Affected
  • Canonical Ubuntu 10.04 LTS, which includes bash
  • CentOS 6.5, which includes bash
Description

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

The Cloud Foundry project is in the process of checking whether Cloud Foundry is vulnerable to remote code execution or other exploits. No exploits have been identified or confirmed yet. The Cloud Foundry project is patching all components that have packaged the vulnerable version of bash.

Pivotal is in the process of checking whether Pivotal CF is vulnerable to remote code execution or other exploits. No exploits have been confirmed yet. The Cloud Foundry project is patching all components that have packaged the vulnerable version of bash, and Pivotal will release Pivotal CF 1.3.1 as soon as the patched versions are available.

Affected Pivotal Products and Versions

Severity is important unless otherwise noted.

  • All versions of Cloud Foundry BOSH stemcells prior to 2719.1 have bash executables vulnerable to CVE-2014-6271
  • All versions of Cloud Foundry runtime prior to v186 have bash executables vulnerable to CVE-2014-6271
  • All versions of Cloud Foundry BOSH stemcells prior to 2719.2 have bash executables vulnerable to CVE-2014-7169
  • All versions of Cloud Foundry runtime v186 and prior have bash executables vulnerable to CVE-2014-7169
  • Pivotal CF and Pivotal Operations Manager 1.0.0.0 to 1.3.0.0
  • All Pivotal CF Services 1.3.0.0 and prior
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v183 or earlier upgrade to v186 or later and to BOSH stemcells 2719.1 or later, which contain the patched version of bash that resolves CVE-2014-6271.
  • The Cloud Foundry project recommends that BOSH deployments running BOSH stemcells 2719.1 or earlier upgrade to BOSH stemcell 2719.2 or later, which contains the patched version of bash that resolves both CVE-2014-6271 and CVE-2014-7169.
  • The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v186 or earlier upgrade to Release v187 or later.
  • Pivotal recommends that customers use Pivotal CF 1.3.1 for Operations Manager and Elastic Runtime, which resolves CVE-2014-6271 and CVE-2014-7169. Pivotal CF 1.3.1 or later is available on Pivotal Network.
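After upgrading stemcells or runtime releases, an operator will want to confirm that the bash on a host no longer processes trailing strings after an exported function definition. The following POSIX shell script is an added example, not part of this advisory or of the Cloud Foundry/Pivotal tooling; it runs the publicly documented test strings for each CVE (the payloads only echo or write a file in a private temp directory) and assumes `bash` is on PATH (override with `BASH_BIN`).

```shell
#!/bin/sh
# Added example: report whether the local bash is still affected by
# CVE-2014-6271 / CVE-2014-7169. Assumption: bash is on PATH or named in BASH_BIN.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an env var holding "() { :;}; echo vulnerable" is imported as a
# function; an unpatched bash also runs the trailing "echo vulnerable".
check_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. With the value "() { (a)=>\"
# an affected bash runs the command word "date" with stdout redirected into a
# file named "echo" in the current directory, so we run it inside a temp dir
# and look for that file instead of relying on printed output.
check_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$tmp" && env x='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -s "$tmp/echo" ]; then result="vulnerable"; else result="patched"; fi
    rm -rf "$tmp"
    echo "$result"
}

# Overall verdict: "vulnerable" if either check fails, otherwise "patched"
# (or "no-bash" when no bash binary is available to test).
shellshock_status() {
    a=$(check_6271); b=$(check_7169)
    case "$a$b" in
        *vulnerable*) echo "vulnerable" ;;
        no-bash*)     echo "no-bash" ;;
        *)            echo "patched" ;;
    esac
}

printf 'CVE-2014-6271: %s\n' "$(check_6271)"
printf 'CVE-2014-7169: %s\n' "$(check_7169)"
printf 'overall: %s\n' "$(shellshock_status)"
```

A host that prints "vulnerable" on either line still carries a bash older than the fixed stemcell and should be upgraded as described above.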
Credit

Stephane Chazelas (CVE-2014-6271) and Huzaifa S. Sidhpurwala (CVE-2014-7169)

References

History

2014-Sep-25: Initial vulnerability report published.