Update (October 9th, 3:15pm PT)
The hotfix has been released and you can read the release notes here. The security patches are now available via the Upgrade button in your environment.
Update (October 7th, 3:15pm PT)
Our security patches have been updated to provide additional assurance that all six known vulnerabilities have been eliminated. We recommend applying these patches during a time convenient for you over the next 48 hours in order to minimize disruption to your operations. When you are ready to install these updates, SSH into your desired instance(s) and run:
sudo eix-sync && sudo emerge app-shells/bash
These new changes will be available via the Upgrade button by 5pm PT on Thursday, October 9th.
Update (October 7th, 8:09am PT)
We have determined that systems which were previously patched are still vulnerable to CVE-2014-6277. We are investigating the matter and will have an update on the situation shortly.
Update (October 1st, 5:00pm PT)
Customers can now patch for the following vulnerabilities:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
If the Upgrade button is enabled, simply click Upgrade to apply patches for all six CVEs. No other action is needed on your part if your button was enabled and the upgrade completed successfully; you do not need to read the next section.
If the Upgrade button is not enabled, customers can manually SSH into the desired instance(s) and run:
sudo eix-sync && sudo emerge app-shells/bash
or simply wait until tomorrow’s update. Tomorrow, once customers are upgraded to the new cookbooks version, the behavior of the Apply button will include checking for any new or missing Bash vulnerability patches. We will update this post once that functionality is ready.
Newly created instances now include all available patches for the above vulnerabilities. NOTE: Environments that were not upgraded prior to September 25th are at risk of missing these patches from the automations described above.
More information will follow as we continue to watch for new threats.
Update (September 30th, 9:20pm PT)
In addition to the aforementioned vulnerabilities, our tests confirm CVE-2014-7187 has been successfully patched.
Update (September 30th, 7:40pm PT)
The vulnerabilities listed below can be addressed by clicking Upgrade on your respective environments via the Cloud dashboard. Managed customers will have the patches applied automatically at 9am local server time via Puppet:
CVE-2014-6271 (initial vulnerability)
CVE-2014-7169
CVE-2014-7186
We are currently reviewing the latest patch for CVE-2014-7187 and will have additional information as soon as possible.
Further updates will follow as we continue to monitor developments.
Update (September 30th, 12:18pm PT)
An official (yet partial) update has been released for CVE-2014-7186 and CVE-2014-7187. Our engineers are reviewing the code in preparation for an update to Engine Yard customers. Once it is determined that the update will safely resolve the cited vulnerabilities, we will update this post again with installation instructions.
Update (September 29th, 7:07pm PT)
We have no new information to present at this time. Updates to the situation will be posted as soon as new information is available.
Update (September 29th, 11:17am PT)
We are currently reviewing the following newly disclosed vulnerabilities related to Shellshock:
CVE-2014-6277 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
CVE-2014-6278 - No public details yet
CVE-2014-7186 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
CVE-2014-7187 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
In addition to assessing these concerns, we will continue to watch for new threats as they emerge and apply our findings to this post.
Update (September 26th, 1:30pm PT)
The second revision of the Bash security update, which addresses both CVE-2014-6271 and CVE-2014-7169, is now available. Performing the following steps will update your instance even if you have not applied the previous revision:
- SSH into your instance via your preferred method.
- Run the command: sudo eix-sync && sudo emerge app-shells/bash
We will update this post as any new information becomes available. To review details on both vulnerabilities, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Update (September 26th, 10:45am PT)
Our developers are reviewing the latest available patch for the related vulnerability, CVE-2014-7169. Once the review and testing process is complete, we will update this post again with the accompanying update instructions. Our goal is to have this completed as quickly as possible with an update for you later today.
Update (September 25th, 2:50pm PT)
Completely patching the vulnerability will require multiple iterations as the situation continues to develop. However, the first stage of this patch is now available for Engine Yard customers. You may apply the patch dubbed ‘R1’ by following these steps:
- SSH into your instance via your preferred method.
- Run the command: sudo eix-sync && sudo emerge app-shells/bash
If you have any questions, concerns, or issues applying this patch then please contact our Application Support team by submitting a support ticket.
This post will be updated again once we have additional information.
Issue
A vulnerability in Bash has been discovered, affecting Debian, Ubuntu, Gentoo, and other Linux distributions, which allows a remote attacker to execute arbitrary code on the affected host.
Any hosted application that passes unsanitized variables to a shell command is potentially exposed to this vulnerability, and is therefore at risk of further compromise if an attack succeeds.
Solution
Engine Yard engineers are actively working through the official patches to have them available as soon as possible for our customers. The projected completion time is early business hours tomorrow, September 25th. Patch instructions will follow.
Further updates will be posted as available. Be sure to subscribe to this Known Issue to receive prompt email notifications.
Affected Gentoo Bash versions
bash-3.1_p18
bash-3.2_p52
bash-4.0_p39
bash-4.1_p12
bash-4.2_p48
More Information
- Gentoo bug tracker - https://bugs.gentoo.org/show_bug.cgi?id=523592
- OSS-Security discussion - http://seclists.org/oss-sec/2014/q3/649
- Red Hat bug tracker - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
- Red Hat security blog - https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- Ubuntu advisory - http://www.ubuntu.com/usn/usn-2362-1/
We are here to support you! If you have any questions or concerns, please open a ticket with our Support Team here: https://support.cloud.engineyard.com/tickets/new
To validate the vulnerability you can do:
@@@
tm50-s00411 bash-3.2.48 # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
tm50-s00411 bash-3.2.48 #
@@@
Will our instances be updated by EY, or will we need to do that ourselves?
Any ETA on the patch?
You can do this manually on each instance:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ sudo emerge --sync
$ sudo emerge --update bash
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Not optimal, but better than waiting.
OK, good to know. I had assumed the fix wasn't available in the package manager yet.
Thanks for the update - would be great if this could be added to the base chef scripts, perhaps when CVE-2014-7169 is fixed?
Would it be possible to use "ey ssh" to update all the instances of an environment with a single command?
You can check it here:
$ ey ssh "env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"" --all
and update here:
$ ey ssh "sudo eix-sync && sudo emerge app-shells/bash" --all
Thank you Kitazume-san, that worked like a charm!
Is CVE-2014-7169 (and not only the original CVE-2014-6271) already covered by the current version available via emerge?
(see https://www.debian.org/security/2014/dsa-3035)
If not, can EY update here when a new package will be available?
Thanks for your support!
It doesn't look like the patch for CVE-2014-7169 is available yet. Refer to this advisory from Red Hat on how to test for it: https://access.redhat.com/articles/1200223
Updating bash via emerge and then testing using this command
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
It looks like it hasn't been fixed yet.
@BLINKQ Admin what Engine Yard stack are you running? We're running the v4 stack, and after patching, we see this:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for
x'
BASH_FUNC_x()'bash: error importing function definition for
test
According to the RedHat url you referenced, this is not vulnerable.
Daniel, in the RedHat url - refer to this section:
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.
If your system is not vulnerable, you will see output similar to:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
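A self-contained check script, added here as an example (not Engine Yard's tooling or Red Hat's), that combines the CVE-2014-6271 env test quoted earlier in this thread with the CVE-2014-7169 file-creation test from the Red Hat article, runs both against a chosen bash binary inside a private temp directory, and reports per-CVE status. The script name and the exit-code convention (0 fixed, 1 vulnerable, 2 could not test) are my own.

```shell
#!/bin/sh
# Shellshock self-check for one host, built from the two test commands quoted
# in this thread: the env test for CVE-2014-6271 and Red Hat's /tmp/echo test
# for CVE-2014-7169. Added example; not Engine Yard's own tooling.
# Usage: sh shellshock-check.sh [/path/to/bash]   (exit 0 = both CVEs fixed)

BASH_BIN="${1:-bash}"

# CVE-2014-6271: a fixed bash refuses to run the command that trails a
# function definition imported from the environment.
# Returns 0 = fixed, 1 = vulnerable, 2 = no bash binary to test.
check_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;   # trailing "echo vulnerable" was executed
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug that turns the
# crafted value into a redirection, so "echo date" runs date and writes its
# output into a file named "echo" in the working directory. A fixed bash
# just prints the word "date" and creates no file. Same return codes as
# check_6271; runs in a private temp dir rather than in /tmp itself.
check_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; return 1     # the redirection happened: vulnerable
    fi
    rm -rf "$dir"; return 0
}

# Prints one line per CVE and returns non-zero if either check found a
# problem (or could not run), so the script can drive a fleet-wide report.
run_checks() {
    rc=0
    for cve in 6271 7169; do
        "check_$cve" && st=0 || st=$?
        case $st in
            0) echo "CVE-2014-$cve: fixed" ;;
            1) echo "CVE-2014-$cve: VULNERABLE"; rc=1 ;;
            *) echo "CVE-2014-$cve: could not test ($BASH_BIN not found)"; rc=2 ;;
        esac
    done
    return $rc
}
run_checks
```

Because it reports by exit status as well as by text, the script can be copied to each instance and driven with the ey ssh ... --all pattern shown above.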
Thanks @BliNQ Admin. Too hasty on my part. Didn't notice that even though the page was CVE-2014-7169, that step was for CVE-2014-6271. Thanks again!
The EY suggested commands did not work for me, but Daniel Nelson's suggestions did. Thanks Daniel!
Fwiw, I think a second updated version of bash seems to be available via emerge.
I initially patched for exploit 1 as seen on https://shellshocker.net/ (the original exploit).
Then later I tried the second command listed at https://shellshocker.net/ (which is for exploit 2 CVE-2014-7169), and my host was marked vulnerable.
Then I ran emerge again, and exploit 2 wasn't passing anymore.
Exploit 3 still hasn't got a CVE at time of writing, and the latest emerge bash seems to output the date.
Just noticed the updated post which mentions that the second patch is indeed available.
See Hotfix: Engine Yard Gentoo 2009 stack upgrade and Hotfix: Engine Yard Gentoo 12.11 stack upgrade for more info.
Looks like another CVE (CVE-2014-6277) is on the way. The author of this blog post has apparently been doing some fuzz testing and strongly recommends applying Florian's patch (see the last paragraph of http://lcamtuf.blogspot.fr/2014/09/bash-bug-apply-unofficial-patch-now.html).
Is this patch already bundled in the latest bash available version via emerge?
Looks like Florian's patch has indeed been included in RHEL, if I believe https://news.ycombinator.com/item?id=8378203.
CVE-2014-6278 is now covered here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278
On my machine though, after applying the 3rd revision of bash, the bash script at https://shellshocker.net/ reports as not vulnerable (and at time of writing, the script reports no vulnerability).