Rapid7 Vulnerability & Exploit Database

RHSA-2014:1311: bash security update


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 09/24/2014
Created: 07/25/2018
Added: 09/29/2014
Modified: 07/04/2017

Description

The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169)

Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223

Note: Docker users are advised to use "yum update" within their containers, and to commit the resulting changes.

For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.

All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Solution(s)

  • redhat-upgrade-bash
  • redhat-upgrade-bash-debuginfo
  • redhat-upgrade-bash-doc
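
After installing the updated packages, an administrator will want to confirm that the bash on the host is no longer affected by CVE-2014-7169. The script below is an added verification helper, not Rapid7's check or part of the Red Hat errata: it runs the widely published local test for this CVE inside a scratch directory and reports the result; the function names are ours.

```shell
#!/bin/sh
# Added verification helper (not from Rapid7 or Red Hat). An unpatched bash
# misparses a malformed function definition supplied through the environment,
# so the trailing "echo date" is treated as a redirection and a file named
# "echo" appears in the working directory. A patched bash simply prints "date".
# Return codes: 0 = bash looks patched, 1 = still vulnerable, 2 = cannot test.

check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    rc=0
    (
        cd "$scratch" || exit 2
        # The variable name "X" is arbitrary; only its value exercises the bug.
        env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1
        # Vulnerable bash leaves a file called "echo" behind; patched does not.
        [ ! -e echo ]
    ) || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Human-readable wrapper for running the script directly on a host.
report_cve_2014_7169() {
    rc=0
    check_cve_2014_7169 || rc=$?
    case "$rc" in
        0) echo "bash appears patched for CVE-2014-7169" ;;
        1) echo "bash is still VULNERABLE to CVE-2014-7169: apply RHSA-2014:1311 and restart affected services" ;;
        *) echo "unable to test: bash not found or no scratch directory" ;;
    esac
    return "$rc"
}

report_cve_2014_7169
```

A clean result from this check does not by itself cover long-running services or sessions still holding the old binary in memory; those need the restarts described in the advisory.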
