Canonical Ubuntu, CentOS
- Canonical Ubuntu 10.04 LTS that includes bash
- CentOS 6.5 that includes bash
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
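The condition described above can be checked for on the defensive side by inspecting an environment before it reaches bash. The following is an added example, not code from the Cloud Foundry project or from this advisory; it assumes the `() {` value prefix by which affected bash versions recognise an exported function, and the variable names and values in `SAMPLE_ENV` are constructed.

```python
"""Flag environment values that affected bash would parse as function definitions."""
from typing import Dict, List, NamedTuple

FUNC_PREFIX = "() {"  # assumption: prefix affected bash treats as an exported function


class Finding(NamedTuple):
    name: str
    trailing: str  # text after the function body; empty if nothing follows it


def trailing_after_body(value: str) -> str:
    """Return the text that follows the brace-balanced function body.

    Heuristic: braces are counted without regard to shell quoting, and a
    body that never closes is reported whole rather than trusted.
    """
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    return value.strip()


def scan_environment(env: Dict[str, str]) -> List[Finding]:
    """List variables, sorted by name, whose value starts like a function definition."""
    return [
        Finding(name, trailing_after_body(value))
        for name, value in sorted(env.items())
        if value.startswith(FUNC_PREFIX)
    ]


# Constructed sample environment (names and values are illustrative only).
SAMPLE_ENV = {
    "HTTP_X_SAMPLE_ONE": "() { :; }; echo constructed-marker",
    "HTTP_X_SAMPLE_TWO": "() { :; }",
    "HTTP_ACCEPT": "text/html",
    "PATH": "/usr/bin:/bin",
}

if __name__ == "__main__":
    for f in scan_environment(SAMPLE_ENV):
        kind = "trailing text: " + f.trailing if f.trailing else "definition only"
        print(f"{f.name}: {kind}")
```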
The Cloud Foundry project is in the process of checking whether Cloud Foundry is vulnerable to remote code execution or other exploits. No exploits have been identified or confirmed yet. The Cloud Foundry project is patching all components that have packaged the vulnerable version of bash.
Affected Products and Versions
Severity is important unless otherwise noted.
- All versions of Cloud Foundry BOSH stemcells prior to 2719.1 have bash executables vulnerable to CVE-2014-6271
- All versions of Cloud Foundry runtime prior to v186 have bash executables vulnerable to CVE-2014-6271
- All versions of Cloud Foundry BOSH stemcells prior to 2719.2 have bash executables vulnerable to CVE-2014-7169
- All versions of Cloud Foundry runtime v186 and prior have bash executables vulnerable to CVE-2014-7169
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v183 or earlier upgrade to v186 or later and BOSH stemcells 2719.1 or later, which contain the patched version of bash that resolves CVE-2014-6271.
- The Cloud Foundry project recommends that BOSH deployments running BOSH stemcells 2719.1 and prior upgrade to BOSH stemcell 2719.2 and higher, which contains the patched version of bash that resolves CVE-2014-6271 and CVE-2014-7169.
- The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v186 and prior upgrade to Release v187 or later.
Stephane Chazelas (CVE-2014-6271) and Huzaifa S. Sidhpurwala (CVE-2014-7169)
2014-Sep-25: Initial vulnerability report published.