ID CVE-2014-6277
Summary GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
Vulnerable Configurations
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.0
    cpe:2.3:a:gnu:bash:1.14.0
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.1
    cpe:2.3:a:gnu:bash:1.14.1
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.2
    cpe:2.3:a:gnu:bash:1.14.2
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.3
    cpe:2.3:a:gnu:bash:1.14.3
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.4
    cpe:2.3:a:gnu:bash:1.14.4
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.5
    cpe:2.3:a:gnu:bash:1.14.5
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.6
    cpe:2.3:a:gnu:bash:1.14.6
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.7
    cpe:2.3:a:gnu:bash:1.14.7
  • GNU Bourne-Again SHell bash (GNU Bash) 2.0
    cpe:2.3:a:gnu:bash:2.0
  • GNU Bourne-Again SHell bash (GNU Bash) 2.01
    cpe:2.3:a:gnu:bash:2.01
  • GNU Bourne-Again SHell bash (GNU Bash) 2.01.1
    cpe:2.3:a:gnu:bash:2.01.1
  • GNU Bourne-Again SHell bash (GNU Bash) 2.02
    cpe:2.3:a:gnu:bash:2.02
  • GNU Bourne-Again SHell bash (GNU Bash) 2.02.1
    cpe:2.3:a:gnu:bash:2.02.1
  • GNU Bourne-Again SHell bash (GNU Bash) 2.03
    cpe:2.3:a:gnu:bash:2.03
  • GNU Bourne-Again SHell bash (GNU Bash) 2.04
    cpe:2.3:a:gnu:bash:2.04
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05
    cpe:2.3:a:gnu:bash:2.05
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05a
    cpe:2.3:a:gnu:bash:2.05:a
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05b
    cpe:2.3:a:gnu:bash:2.05:b
  • GNU Bourne-Again SHell bash (GNU Bash) 3.0
    cpe:2.3:a:gnu:bash:3.0
  • GNU Bourne-Again SHell bash (GNU Bash) 3.0.16
    cpe:2.3:a:gnu:bash:3.0.16
  • GNU Bourne-Again SHell bash (GNU Bash) 3.1
    cpe:2.3:a:gnu:bash:3.1
  • GNU Bourne-Again SHell bash (GNU Bash) 3.2
    cpe:2.3:a:gnu:bash:3.2
  • GNU Bourne-Again SHell bash (GNU Bash) 3.2.48
    cpe:2.3:a:gnu:bash:3.2.48
  • GNU Bourne-Again SHell bash (GNU Bash) 4.0
    cpe:2.3:a:gnu:bash:4.0
  • GNU Bourne-Again SHell bash (GNU Bash) 4.0 release candidate 1
    cpe:2.3:a:gnu:bash:4.0:rc1
  • GNU Bourne-Again SHell bash (GNU Bash) 4.1
    cpe:2.3:a:gnu:bash:4.1
  • GNU Bourne-Again SHell bash (GNU Bash) 4.2
    cpe:2.3:a:gnu:bash:4.2
  • GNU Bourne-Again SHell bash (GNU Bash) 4.3
    cpe:2.3:a:gnu:bash:4.3
CVSS
Base: 10.0 (as of 28-06-2016 - 13:25)
Impact:
Exploitability:
CWE CWE-78
CAPEC
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Access
Vector Complexity Authentication
NETWORK LOW NONE
Impact
Confidentiality Integrity Availability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description GNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
id EDB-ID:34860
last seen 2016-02-04
modified 2014-10-02
published 2014-10-02
reporter @0x00string
source https://www.exploit-db.com/download/34860/
title GNU bash 4.3.11 Environment Variable dhclient Exploit
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201410-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201410-01 (Bash: Multiple vulnerabilities) Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further parsing flaws in Bash. The unaffected Gentoo packages listed in this GLSA contain the official patches to fix the issues tracked as CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the official patch known as “function prefix patch” is included which prevents the exploitation of CVE-2014-6278. Impact : A remote attacker could exploit these vulnerabilities to execute arbitrary commands or cause a Denial of Service condition via various vectors. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2016-05-13
    plugin id 78060
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78060
    title GLSA-201410-01 : Bash: Multiple vulnerabilities (Shellshock)
  • NASL family Gain a shell remotely
    NASL id BASH_REMOTE_CODE_EXECUTION2.NASL
    description The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2017-10-29
    modified 2017-08-28
    plugin id 78067
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78067
    title Bash Remote Code Execution (CVE-2014-6277 / CVE-2014-6278) (Shellshock)
  • NASL family Misc.
    NASL id IBM_STORWIZE_1_5_0_4.NASL
    description The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior to 1.5.0.4. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271) - An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted 'here' document, to execute arbitrary code or cause a denial of service. (CVE-2014-7186) - An off-by-one error exists in GNU Bash in the read_token_word() function in file parse.y when handling deeply-nested flow control constructs. A remote attacker can exploit this, by using deeply nested loops, to execute arbitrary code or cause a denial of service. (CVE-2014-7187) - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6278) Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 85630
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85630
    title IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-3093.NASL
    description Description of changes: [4.1.2-29.0.1] - Fix segfaults from CVE-2014-6277 and CVE-2014-6278 completely. [orabug 19905294]
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 79375
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79375
    title Oracle Linux 6 : bash (ELSA-2014-3093) (Shellshock)
  • NASL family CISCO
    NASL id CISCO-SA-CSCUR01959-ASA-CX.NASL
    description The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78827
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78827
    title Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15629.NASL
    description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    last seen 2017-10-29
    modified 2016-11-01
    plugin id 78197
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78197
    title F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL
    description The version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78508
    published 2014-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78508
    title VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA10648.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-05-16
    plugin id 80196
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80196
    title Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_EMAIL_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79123
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79123
    title McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_512D130149B911E4AE2CC80AA9043978.NASL
    description Note that this is different than the public 'Shellshock' issue. Specially crafted environment variables could lead to remote arbitrary code execution. This was fixed in bash 4.3.27, however the port was patched with a mitigation in 4.3.25_2.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78016
    published 2014-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78016
    title FreeBSD : bash -- remote code execution (512d1301-49b9-11e4-ae2c-c80aa9043978) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11.NASL
    description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2017-10-29
    modified 2017-07-20
    plugin id 86270
    published 2015-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86270
    title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL
    description According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that an attacker must be authenticated before the device is exposed to this exploit.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79584
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79584
    title Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_2014_10_07.NASL
    description The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock' : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186) - An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2017-01-05
    plugin id 78395
    published 2014-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78395
    title Oracle third party patch update : bash_2014_10_07
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2380-1.NASL
    description Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278) Please note that the previous Bash security update, USN-2364-1, includes a hardening measure that prevents these issues from being used in a Shellshock attack. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 78260
    published 2014-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78260
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerabilities (USN-2380-1) (Shellshock)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL
    description The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. It is, therefore, affected by the environmental variable command injection vulnerability known as 'Shellshock'.
    last seen 2017-10-29
    modified 2016-11-29
    plugin id 78889
    published 2014-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78889
    title VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_NSX_VMSA_2014_0010.NASL
    description The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78826
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78826
    title VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL
    description The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78771
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78771
    title VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL
    description The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7186) - An off-by-one error exists in the 'read_token_word' function in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2017-06-12
    plugin id 78857
    published 2014-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78857
    title VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family CGI abuses
    NASL id CISCO-SA-CSCUR01959-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78828
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78828
    title Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_NGFW_SB10085.NASL
    description The remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79234
    published 2014-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79234
    title McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2014-0010.NASL
    description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories : I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 78025
    published 2014-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78025
    title VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_2.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components : - bash - Bluetooth - CFNetwork Cache - CommerceKit Framework - CoreGraphics - CoreSymbolication - CPU Software - FontParser - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - IOUSBFamily - Kernel - LaunchServices - libnetcore - LoginWindow - lukemftp - OpenSSL - Safari - SceneKit - Security - security_taskgate - Spotlight - SpotlightIndex - sysmond - UserAccountUpdater Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2017-11-02
    modified 2017-11-02
    plugin id 81087
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81087
    title Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)
  • NASL family CISCO
    NASL id CISCO_CUPS_CSCUR05454.NASL
    description According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79124
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79124
    title CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-3092.NASL
    description Description of changes: [4.2.45-5.4.0.1] - Fix segfaults from CVE-2014-6277 and CVE-2014-6278 completely. [orabug 19905256]
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 79374
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79374
    title Oracle Linux 7 : bash (ELSA-2014-3092) (Shellshock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-3094.NASL
    description Description of changes: [3.2-33.4.0.1] - Fix segfaults from CVE-2014-6277 and CVE-2014-6278 completely. [orabug 19905421]
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 79376
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79376
    title Oracle Linux 5 : bash (ELSA-2014-3094) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-595.NASL
    description - Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053 - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051 - Add patches bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277: more troubles with functions bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278: code execution after original 6271 fix - Make bash-4.2-extra-import-func.patch an optional patch due instruction - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50 - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78591
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78591
    title openSUSE Security Update : bash (openSUSE-SU-2014:1310-1) (Shellshock)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-164.NASL
    description Updated bash packages fix security vulnerability : A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169). Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses '()' at the end of their names, however, the latest upstream patch uses two percent signs '%%' at the end instead. Two other unrelated security issues in the parser have also been fixed in this update (CVE-2014-7186, CVE-2014-7187). All users and sysadmins are advised to update their bash package immediately.
    last seen 2017-10-29
    modified 2016-11-28
    plugin id 82417
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82417
    title Mandriva Linux Security Advisory : bash (MDVSA-2015:164)
  • NASL family CISCO
    NASL id CISCO-SA-20140926-BASH-NXOS.NASL
    description According to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78693
    published 2014-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78693
    title Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1374.NASL
    description This update for bash fixes the following issues : - CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299) - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396) - CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759) - CVE-2014-6278: Code execution after original 6271 fix (bsc#898884) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2017-10-29
    modified 2017-01-24
    plugin id 95529
    published 2016-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95529
    title openSUSE Security Update : bash (openSUSE-2016-1374) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_20141031_2.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. 
(CVE-2014-6277) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186) - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-02-04
    plugin id 88514
    published 2016-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88514
    title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_WEB_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79215
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79215
    title McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2872-1.NASL
    description This update for bash fixes the following issues : - CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299) - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396) - CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759) - CVE-2014-6278: Code execution after original 6271 fix (bsc#898884) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-24
    plugin id 95282
    published 2016-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95282
    title SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2016:2872-1) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL
    description According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. The API over HTTP(S) and/or SSH can therefore be exploited. An attacker must be authenticated before the system is exposed to this exploit.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78596
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78596
    title Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2014-0010_REMOTE.NASL
    description The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278) - An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2014-7186) - An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 87680
    published 2015-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87680
    title VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Windows
    NASL id VMWARE_VCENTER_CONVERTER_2014-0010.NASL
    description The version of VMware vCenter Converter installed on the remote Windows host is 5.1.x prior to 5.1.2 or 5.5.x prior to 5.5.3. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. While this host is not directly impacted by Shellshock, the standalone Converter application does deploy a Helper VM during Linux P2V conversions. This Helper VM contains a vulnerable version of Bash. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) - A memory double-free error exists in 'd1_both.c' related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505) - An unspecified error exists in 'd1_both.c' related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506) - A memory leak error exists in 'd1_both.c' related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507) - A NULL pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allows denial of service attacks against clients. (CVE-2014-3510)
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79147
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79147
    title VMware vCenter Converter 5.1.x < 5.1.2 / 5.5.x < 5.5.3 Multiple Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_UCS_DIRECTOR_CSCUR02877.NASL
    description According to its self-reported version, the remote host is running a version of Cisco UCS Director that could be affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Authentication on the system is required before this vulnerability can be exploited.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78770
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78770
    title Cisco UCS Director Code Injection (CSCur02877) (Shellshock)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL
    description Best Practical reports : RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as 'Shellshock.' This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve 'Shellshock,' you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78039
    published 2014-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78039
    title FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)
packetstorm via4
refmap via4
apple
  • APPLE-SA-2015-01-27-4
  • APPLE-SA-2015-09-30-3
cisco 20140926 GNU Bash Environment Variable Command Injection Vulnerability
confirm
hp
  • HPSBGN03138
  • HPSBGN03141
  • HPSBGN03142
  • HPSBGN03233
  • HPSBHF03125
  • HPSBHF03145
  • HPSBHF03146
  • HPSBMU03143
  • HPSBMU03144
  • HPSBMU03165
  • HPSBMU03182
  • HPSBMU03217
  • HPSBMU03220
  • HPSBMU03236
  • HPSBMU03245
  • HPSBMU03246
  • HPSBST03129
  • HPSBST03154
  • HPSBST03155
  • HPSBST03157
  • HPSBST03181
  • SSRT101739
  • SSRT101742
  • SSRT101819
  • SSRT101827
  • SSRT101830
  • SSRT101868
jvn JVN#55667175
jvndb JVNDB-2014-000126
mandriva MDVSA-2015:164
misc
secunia
  • 58200
  • 59907
  • 59961
  • 60024
  • 60034
  • 60044
  • 60055
  • 60063
  • 60193
  • 60325
  • 60433
  • 61065
  • 61128
  • 61129
  • 61283
  • 61287
  • 61291
  • 61312
  • 61313
  • 61328
  • 61442
  • 61471
  • 61485
  • 61503
  • 61550
  • 61552
  • 61565
  • 61603
  • 61633
  • 61641
  • 61643
  • 61654
  • 61703
  • 61780
  • 61816
  • 61857
  • 62312
  • 62343
suse
  • SUSE-SU-2014:1287
  • openSUSE-SU-2014:1310
ubuntu USN-2380-1
vmware via4
description Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock.
id VMSA-2014-0010
last_updated 2014-10-17T00:00:00
published 2014-09-30T00:00:00
title Bash update for multiple products
workaround None
Last major update 02-01-2017 - 21:59
Published 27-09-2014 - 18:55