Thursday, 25 September 2014

Bash vulnerability (aka Shellshock)

A new security vulnerability has been discovered in Bash. Known as the Bash Bug, or Shellshock, the flaw allows malicious network-based attacks against *nix servers and potentially other Unix, Linux and Macintosh computers.


The scenarios in which this bug can be exploited are complex and are not limited to the use of Bash from a terminal. If you are responsible for any systems which may be affected by the bug, you must patch them as soon as the fix becomes available. If you’re not sure, please contact us.

This re-emphasises the need to ensure that all systems are patched promptly; you should have a process in place to make sure systems are kept up to date. We will take care of the patching of server operating systems hosted on the CiCS VMware estate, e.g. Ubuntu.


Vendors are now working to release patches that fix this vulnerability, and they should be your first port of call if you require information about a particular OS. As yet Apple haven’t made a statement regarding OS X; we would expect any patch to be part of the normal automated updates.



Please feel free to contact us at helpdesk@sheffield.ac.uk if you’d like further information about this vulnerability, general good practice, hosting systems with CiCS or indeed any other security-related matters.