- Catalyze was made aware of a code execution exploit that affects bash.
- No Catalyze systems have been compromised.
- An initial patch was released but was found to be incomplete; a revised issue and patch were created to cover the remaining problem.
- Catalyze is deploying the revised patch to all containers and systems.
Catalyze was made aware of the critical code execution exploit “Shellshock” (CVE-2014-6271 and CVE-2014-7169). In accordance with our policies, we are notifying you of the situation, and this correspondence details the steps that Catalyze will be taking. At this time, no systems have been compromised, but we feel that it's important to detail the situation.
What is CVE-2014-6271 “ShellShock”:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
What is Bash?
Bash is a Unix shell written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell (sh). Released in 1989, it has been distributed widely as the shell for the GNU operating system and as a default shell on Linux and Mac OS X.
How does this affect you?
Customer containers that do not run customer application code are not impacted by this exploit. By design, the Catalyze Platform does not expose direct access to containers, including ssh or bash. CGI execution is not allowed.
If application code deployed on the platform relies on invoking shell commands or bash scripts, please contact us immediately at email@example.com so we can investigate this further.
How is Catalyze addressing this exploit?
Canonical has released updates USN-2363 and USN-2363-2 for Ubuntu 14.04, 12.04 and 10.04. These patches upgrade bash to version 4.3-7ubuntu1.3, which includes fixes for both CVE-2014-6271 and CVE-2014-7169.
Catalyze engineers are in the process of testing the patch and will deploy the fix to all platform containers and platform hosts.
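The following script is an added example, not part of Catalyze's notice or its tooling, showing how an operator can confirm on their own hosts that the deployed bash package really closes both issues described above: it runs the widely published local self-tests for CVE-2014-6271 (the trailing command after an exported function body must not execute) and CVE-2014-7169 (the parser must not leak a redirection into the next command), and, on Debian/Ubuntu hosts, reports the installed package version for comparison with the fixed version named in this notice. The environment variable name `BASH_BIN`, the marker word `MARKER` and the function names are this example's own choices; the script only inspects the local bash binary and writes nothing outside a private temporary directory.

```shell
#!/bin/sh
# Added example: local self-check for CVE-2014-6271 / CVE-2014-7169.
# Tests only the bash binary on this host; creates and removes a private
# temporary directory for the second check.

# Bash binary under test (assumed name; override with BASH_BIN=/path/to/bash).
BASH_BIN="${BASH_BIN:-bash}"

# Print the bash version string, or "missing" if no bash is installed.
bash_version() {
    if command -v "$BASH_BIN" >/dev/null 2>&1; then
        "$BASH_BIN" -c 'echo "$BASH_VERSION"'
    else
        echo missing
    fi
}

# CVE-2014-6271: a patched bash treats the variable as a plain string, so the
# trailing "echo MARKER" after the function body is never executed.
# Returns 0 when patched, 1 when the trailing command ran.
check_cve_2014_6271() {
    out=$(env 'x=() { :;}; echo MARKER' "$BASH_BIN" -c 'true' 2>/dev/null || true)
    case "$out" in
        *MARKER*) return 1 ;;
        *)        return 0 ;;
    esac
}

# CVE-2014-7169: on a bash with only the first fix, parser state from the
# malformed function definition leaks into "echo date", turning it into a
# redirection that creates a file named "echo". Run in a scratch directory
# and report whether that file appeared. Returns 0 patched, 1 vulnerable,
# 2 if no scratch directory could be made.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# On Debian/Ubuntu hosts, report the installed bash package version so it can
# be compared with the fixed version from the notice (4.3-7ubuntu1.3 on 14.04).
bash_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' bash 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Single status word for a fleet report: missing, vulnerable-6271,
# vulnerable-7169 or patched.
shellshock_status() {
    if [ "$(bash_version)" = missing ]; then
        echo missing
        return 0
    fi
    if ! check_cve_2014_6271; then
        echo vulnerable-6271
        return 0
    fi
    if ! check_cve_2014_7169; then
        echo vulnerable-7169
        return 0
    fi
    echo patched
}

printf 'bash %s (package %s): %s\n' \
    "$(bash_version)" "$(bash_package_version)" "$(shellshock_status)"
```

Run it once before and once after the package upgrade on each host; the status word is the only thing a fleet-wide report needs, and a host that still prints `vulnerable-6271` or `vulnerable-7169` after the update has not actually picked up the revised package (for example because a long-running process still holds the old binary, or the update was applied to a different image than the one running).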
Further reading on CVE-2014-6271 “Shellshock”