Notices & Alerts - Bash Vulnerability (CVE-2014-6271)

Friday, September 26, 2014

Per our previous update, the Bash Vulnerability (CVE-2014-6271) was patched across our infrastructure shortly after the fix was released. Since the update, there have been reports from Debian that the original patch was not sufficient to fix the vulnerability, so a second patch has been released. We can confirm that all Answers-related systems have been patched with the latest release.

Wednesday, September 24, 2014

Today, a vulnerability, CVE-2014-6271, was made public after its discovery last week. This vulnerability, discovered in bash, the GNU Bourne-Again Shell, relates to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.

This is not an Answers-specific issue; this impacts any system that uses a vulnerable bash.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services.

Customer Mitigations

Systems under our customers’ control which might be impacted include not only vulnerable web applications, but also servers which expose bash in various ways. System owners should apply an updated bash with a fix for this vulnerability as expeditiously as possible.

Answers Mitigations

Public-facing Answers systems and internal Answers control systems have been or are being urgently patched in prioritized order of criticality.

Updates to this page will be made as all Answers systems are patched and no longer vulnerable.
