cloudstack-dev mailing list archives

From John Kinsella
Subject Re: Shellshock
Date Fri, 26 Sep 2014 18:56:18 GMT
I just tried some older virtual routers, and they are:

root@r-163-VM:~# env x='() { :;}; echo OOPS' bash -c /usr/bin/true
bash: /usr/bin/true: No such file or directory

That said, you can only ssh to them from the local hypervisor. Not sure if there’s any exposure
on the http side.

Running apt-get update && apt-get install bash patches the bash vuln.

I’ll put together a formal statement.

On Sep 26, 2014, at 6:55 AM, Ian Duffy wrote:

Tried this against the latest system vms built on Jenkins.

Didn't get a successful exploited response. Tested against
http://systemvm-public-ip/cgi-bin/ipcalc

On 25 Sep 2014 16:56, "Abhinandan Prateek" wrote:

After Heartbleed we are Shell shocked!
It may not affect CloudStack directly as it is a vulnerability that
affects bash, and allows the attacker to take control of the system running
bash shell.


Stratosec - Secure Finance and Healthcare Clouds
o: 415.315.9385
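
A local check built around the probe quoted in the message above, as an added example that is not part of the original thread or of CloudStack. The function names are hypothetical, and using the `:` builtin in place of /usr/bin/true is this example's own choice so that a missing binary does not clutter the result.

```shell
#!/bin/sh
# Added example: local self-test for the bash function-import flaw.
# MARKER and both function names are assumptions made for this example.
MARKER='OOPS'

# classify_probe_output OUTPUT
# Prints "vulnerable" only if some output line is exactly the marker, i.e.
# the text after the function body was executed during variable import.
# Error or warning lines (missing binary, "ignoring function definition
# attempt") never match, so they cannot cause a false positive.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qxF "$MARKER"; then
        echo vulnerable
    else
        echo patched
    fi
}

# probe_bash [PATH_TO_BASH]
# Runs the probe against one bash binary on the local machine and prints
# vulnerable, patched or not-found (return status 2 for not-found).
probe_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo not-found
        return 2
    fi
    # ":" is a shell builtin, so no external program has to exist.
    out=$(env x="() { :;}; echo $MARKER" "$bash_bin" -c : 2>&1 || true)
    classify_probe_output "$out"
}

# Stand-alone use: report on the bash found in PATH, or on the path given.
probe_bash "${1:-bash}" || true
```

Run it on each system VM or virtual router before and after the apt-get upgrade mentioned above; the result should change from vulnerable to patched.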
