Shellshock: Bash Code Injection Vulnerability (Original CVE-2014-6271)
Red Hat Product Security has been made aware of numerous vulnerabilities affecting all versions of the bash package shipped with Red Hat Enterprise Linux. Since many of Red Hat's products run on a base installation of Red Hat Enterprise Linux, there is a risk of other products being impacted by this vulnerability as well.
The initial Bash code injection vulnerability could allow for arbitrary code execution, allowing an attacker to bypass imposed environment restrictions. Certain services and applications allow remote unauthenticated attackers to exploit this vulnerability by providing environment variables. As the Bash shell is the most commonly used shell today, the risk of impact from this vulnerability if left unchecked could be severe.
Other flaws have been reported that also affect Bash. The following list is a quick overview of the reported flaws. For further details on each and to learn more about affected products, remediation steps, and testing your Bash version for vulnerabilities, see https://access.redhat.com/articles/1200223 in the Red Hat Customer Portal.
- CVE-2014-6271: errata are available
- CVE-2014-7169: errata are available
- CVE-2014-7186: errata are available
- CVE-2014-7187: this issue has no security impact, but has been fixed in the latest errata
- CVE-2014-6277: current errata mitigates this issue
- CVE-2014-6278: current errata mitigates this issue
For each of these flaws, the linked CVE pages contain official statements from Product Security and should be considered the most accurate and up-to-date information for each flaw. Red Hat Product Security is actively watching all new developments and will respond appropriately.
If you have questions or concerns, please contact Red Hat Technical Support.
