ESA-24: The Shellshock Bash Vulnerability
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-24
Issue Date: 2014-09-30
Last Updated: 2014-10-05
Severity Level: Informational
CVE Number: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
====================================================================
OVERVIEW
------------
The Shellshock vulnerability affects the Bash shell through version 4.3 and can allow arbitrary code execution. The Eucalyptus team assessed the situation and determined that this vulnerability does not directly affect Eucalyptus services, including the EMIs provided as part of the Eucalyptus Imaging and Load Balancing services. Because Bash is installed on the Load Balancing and Imaging Service EMIs, an updated set of images is now available for Eucalyptus 4.0 as a safety measure. We recommend updating all affected EMIs, and all instances launched from them, as soon as possible.
DESCRIPTION
-------------
The Shellshock vulnerability has been announced in the Bash shell:
- Red Hat:
https://access.redhat.com/node/1200223
- CentOS:
http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
This vulnerability can allow arbitrary code execution. It affects all products that use the Bash shell and parse values of environment variables. Eucalyptus services and pre-bundled service EMIs are not directly affected, but because previously released EMIs for the Load Balancing and Imaging services contain a vulnerable version of the Bash shell, new EMIs are now available.
SOLUTION
-------------
We recommend you ensure that all hosts running Eucalyptus services and all EMIs installed in your cloud are up to date and contain the latest security fixes.
New Imaging Worker and Load Balancer EMIs are now available for 4.0 and contain the latest Bash shell packages:
- eucalyptus-imaging-worker-image-1.0.2-0.49.165.el6
- eucalyptus-load-balancer-image-1.1.2-0.89.28
The packages can be found at:
http://downloads.eucalyptus.com/software/eucalyptus/4.0/
Instructions for installing the Load Balancer EMI can be found at:
- https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#install-guide/configure_load_balancer.html
Instructions for installing the Imaging Worker EMI can be found at:
- https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#install-guide/configure_imaging_service.html
WORKAROUND
-------------
Instances launched from EMIs that have not been updated with the latest security fixes can be updated to the latest Bash shell packages at runtime by logging into the instance and issuing:
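The following script is an added example, not a command from this advisory: it checks whether the Bash on the local instance still imports function definitions from environment variables (CVE-2014-6271) and, if so, pulls the updated package. It assumes an RPM-based instance like the el6 images above, where `yum update bash` delivers the fix; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory). Self-check for CVE-2014-6271 on the
# local host, followed by an optional package update.
# Assumption: an RPM-based (el6) instance where `yum update bash` is the fix.

# Print "vulnerable" if the installed bash executes the trailing command
# while importing a function-valued environment variable, "patched" if it
# ignores it, or "no-bash" if bash is not installed at all.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The variable holds a harmless function body followed by an echo.
    # A patched bash only ever prints "probe"; an unpatched one also
    # prints "vulnerable" while parsing the environment.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Update the bash package with whatever package manager is present
# (yum on the el6 images; apt-get added as an assumption for Debian guests).
update_bash() {
    if command -v yum >/dev/null 2>&1; then
        yum update -y bash
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get update && apt-get install -y --only-upgrade bash
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}

# Check, update only when needed, and re-check. Succeeds when the host is
# not vulnerable afterwards.
remediate() {
    status=$(shellshock_status)
    echo "bash status before: $status"
    if [ "$status" = "vulnerable" ]; then
        update_bash && status=$(shellshock_status)
        echo "bash status after update: $status"
    fi
    [ "$status" != "vulnerable" ]
}

# Only act when explicitly asked, so sourcing the file for the check is safe.
if [ "${1:-}" = "--fix" ]; then
    remediate
fi
```

Run `sh script.sh --fix` as root on the instance; without `--fix` the file only defines the functions, so `shellshock_status` can be called on its own from a monitoring job.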