ESA-24: Update on the Shellshock Bash Vulnerability


Eucalyptus Security Team

Sep 30, 2014, 5:59:39 PM
to security...@eucalyptus.com
ESA-24: Update on the Shellshock Bash Vulnerability

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-24
Issue Date: 2014-09-30
Last Updated: 2014-09-30
Severity Level: Informational
CVE Number: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
====================================================================

OVERVIEW
------------

The Shellshock vulnerability affects the Bash shell through 4.3 and can allow for arbitrary code execution. The Eucalyptus team assessed the situation and determined that this vulnerability does not directly affect Eucalyptus services, including the EMIs provided as a part of the Eucalyptus Imaging and Load Balancing services. Because Bash is installed on the Load Balancing and Imaging Service EMIs, as a safety measure, we are working on providing an updated set of images to include the latest fixes.


DESCRIPTION
-------------
The Shellshock vulnerability has been announced in the Bash shell:

https://access.redhat.com/articles/1200223

This vulnerability can allow for arbitrary code execution under certain conditions. The vulnerability affects all products that use the Bash shell and parse values of environment variables. Eucalyptus services and pre-bundled service EMIs are not directly affected, but because previously released EMIs for Load Balancing and Imaging services contain a vulnerable version of the Bash shell, new EMIs will be made available shortly. We also recommend you ensure that all hosts running Eucalyptus services are up to date and contain the latest security fixes.


WORKAROUND
-------------

To update to the latest Bash shell packages, instances started from the Load Balancing and Imaging service EMIs can be updated at runtime:

# yum update bash


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.


Eucalyptus Security Team

Oct 5, 2014, 6:07:28 PM
to security...@eucalyptus.com
ESA-24: The Shellshock Bash Vulnerability
====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-24
Issue Date: 2014-09-30
Last Updated: 2014-10-05
Severity Level: Informational
CVE Number: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
====================================================================

OVERVIEW
------------

The Shellshock vulnerability affects the Bash shell through version 4.3 and can allow for arbitrary code execution. The Eucalyptus team assessed the situation and determined that this vulnerability does not directly affect Eucalyptus services, including the EMIs provided as a part of the Eucalyptus Imaging and Load Balancing services. Because Bash is installed on the Load Balancing and Imaging Service EMIs, as a safety measure, an updated set of images is now available for Eucalyptus 4.0. We recommend updating all affected EMIs and instances launched from them as soon as possible.


DESCRIPTION
-------------
The Shellshock vulnerability has been announced in the Bash shell:

- Redhat: https://access.redhat.com/node/1200223
- Centos: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

This vulnerability can allow for arbitrary code execution. The vulnerability affects all products that use the Bash shell and parse values of environment variables. Eucalyptus services and pre-bundled service EMIs are not directly affected, but because previously released EMIs for Load Balancing and Imaging services contain a vulnerable version of the Bash shell, new EMIs are now available.


SOLUTION
-------------

We recommend you ensure that all hosts running Eucalyptus services and all EMIs installed in your cloud are up to date and contain the latest security fixes.

New Imaging Worker and Load Balancer EMIs are now available for 4.0 and contain the latest Bash shell packages:
- eucalyptus-imaging-worker-image-1.0.2-0.49.165.el6
- eucalyptus-load-balancer-image-1.1.2-0.89.28

The packages can be found at:
http://downloads.eucalyptus.com/software/eucalyptus/4.0/

Instructions for installing the Load Balancer EMI can be found at:

- https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#install-guide/configure_load_balancer.html

Instructions for installing the Imaging Worker EMI can be found at:

- https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#install-guide/configure_imaging_service.html



WORKAROUND
-------------

Instances running from EMIs not updated with the latest security fixes can be updated to the latest Bash shell packages at runtime by logging into the instance and issuing:
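The advisory's description (Bash parsing function definitions out of environment variable values) and its runtime workaround (`yum update bash`) lend themselves to a small verification step: check an instance or host before and after patching. The script below is an added example and is not part of the Eucalyptus advisory or its tooling; it wraps the widely published Red Hat test strings for CVE-2014-6271 and for CVE-2014-7169 (the case the first fix left open) in POSIX sh functions whose exit status can gate a fleet-wide check. The function names and the `report_shellshock_status` summary are this example's own.

```shell
#!/bin/sh
# Added example (not from the Eucalyptus advisory): probe whether the bash
# on this host still imports function definitions from environment
# variables in the unsafe way that the Shellshock patches removed.

# Returns 0 if bash is patched for CVE-2014-6271, 1 if vulnerable,
# 2 if no bash binary is on PATH.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    # A vulnerable bash runs the "echo vulnerable" that trails the function
    # body while importing variable x; a patched bash ignores it.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Returns 0 if bash is patched for CVE-2014-7169, 1 if vulnerable,
# 2 if no bash binary or no scratch directory is available.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d 2>/dev/null) || return 2
    # On a vulnerable bash the parser state left behind by the variable
    # value turns "echo date" into a redirection and creates a file named
    # "echo" in the working directory; a patched bash just prints "date".
    ( cd "$scratch" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"
        return 1
    fi
    rm -rf "$scratch"
    return 0
}

# describe CVE-ID STATUS: prints one line per probe; exit status 1 means
# the probe found the host vulnerable.
describe() {
    case "$2" in
        0) echo "$1: patched" ;;
        1) echo "$1: VULNERABLE - update bash (e.g. 'yum update bash')"; return 1 ;;
        *) echo "$1: could not test (bash or mktemp unavailable)" ;;
    esac
}

# Runs both probes; exit status 1 if either one found bash vulnerable.
report_shellshock_status() {
    status=0
    check_cve_2014_6271; describe CVE-2014-6271 $? || status=1
    check_cve_2014_7169; describe CVE-2014-7169 $? || status=1
    return $status
}

# Usage: sh shellshock_check.sh ; echo "exit status $?"
report_shellshock_status
```

Because each probe only reads the result of a harmless `echo`, the script can be run from a configuration-management or monitoring job on every instance launched from the older EMIs, with the non-zero exit status flagging the hosts that still need the updated packages.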