cloudstack-dev mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: Shellshock
Date Fri, 26 Sep 2014 19:30:04 GMT
I am not sure that we are done with the vulnerabilities; and I think
the apt-get is a poor option to tell folks because they are vulnerable
again the next time a machine respawns.


On Fri, Sep 26, 2014 at 2:56 PM, John Kinsella <jlk@stratosec.co> wrote:
> I just tried some older virtual routers, and they are:
>
> root@r-163-VM:~# env x='() { :;}; echo OOPS' bash -c /usr/bin/true
> OOPS
> bash: /usr/bin/true: No such file or directory
>
> That said, you can only ssh to them from the local hypervisor. Not sure if there’s any exposure on the http side.
>
> Running apt-get update && apt-get install bash patches the bash vuln.
>
> I’ll put together a formal statement.
>
> On Sep 26, 2014, at 6:55 AM, Ian Duffy <ian@ianduffy.ie<mailto:ian@ianduffy.ie>> wrote:
>
> Tried this against the latest system vms built on Jenkins.
>
> Didn't get a successful exploited response. Tested against http://systemvm-public-ip/cgi-bin/ipcalc
> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2001@gmail.com<mailto:agneya2001@gmail.com>> wrote:
>
>
> After heart bleed we are Shell shocked
> http://www.bbc.com/news/technology-29361794 !
> It may not affect cloudstack directly as it is a vulnerability that
> affects bash, and allows the attacker to take control of the system running
> bash shell.
>
> -abhi
>
> Stratosec - Secure Finance and Healthcare Clouds
> http://stratosec.co
> o: 415.315.9385
> @johnlkinsella<http://twitter.com/johnlkinsella>
>
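The probe John ran by hand on the virtual router, wrapped as a repeatable check. This is an added example for readers of the archive, not a script from the thread or from the CloudStack project. It assumes a POSIX sh and tests whatever `bash` is on the PATH; it uses `/bin/true` instead of `/usr/bin/true`, because the router's error output above shows `/usr/bin/true` is absent on that image. The point David raises (a patched router is vulnerable again once it is respawned from an unpatched template) is why a check like this belongs in the template build rather than only on running routers.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report whether the bash on
# this host still executes code smuggled in through an environment variable,
# using the same probe string John posted for the virtual router.

shellshock_status() {
    # Nothing to test if bash is not installed at all.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # The probe: an env var holding a function definition followed by a
    # trailing command. A vulnerable bash runs the trailing command while
    # importing the variable; a patched bash ignores it, so "OOPS" is absent.
    # /bin/true is used because the router's log shows /usr/bin/true missing.
    out=$(env x='() { :;}; echo OOPS' bash -c /bin/true 2>/dev/null)

    case "$out" in
        *OOPS*) echo "vulnerable" ;;
        *)      echo "patched" ;;
    esac
}

# Returns non-zero on a vulnerable host so a template build or a respawn
# hook can fail fast instead of shipping an unpatched image.
main() {
    status=$(shellshock_status)
    echo "bash env-import check: $status"
    [ "$status" != "vulnerable" ]
}

main
```

Run it on the system VM template (or inside a freshly spawned router) and treat a non-zero exit as a build failure; on a host without bash it reports `no-bash` and exits zero, since there is nothing to patch.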
