Gandi Kitchen

Shellshock: status

Regarding our platform:

Gandi's infrastructure has been updated, so we are not vulnerable to several CVEs[1] published recently (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) targeting the bash shell. We are not aware of any breach in our systems.

Regarding your virtual servers and instances:

If you're an IaaS customer, please be sure to update your bash version.

If you're using Gandi AI, we strongly recommend you migrate to our PaaS/Simple Hosting platform. If that's not possible, please at least contact our tech support in order to update your servers.

Regarding the Simple Hosting platform:

Our services have been patched using the issued security updates. You still need to restart your instances in order for the new version of bash to be taken into account.

How to test the vulnerability of your version of bash for each CVE:

CVE-2014-6271:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--> Output should not contain "vulnerable".

CVE-2014-7169:

cd /tmp; env x='() { (a)=>\' bash -c "echo date"; cat echo

--> Output should not be the output of the 'date' command (with the current date and time).

CVE-2014-7186:

bash -c 'true <<EOF <<EOF <<EOF  <<EOF <<EOF \
<<EOF <<EOF <<EOF <<EOF   <<EOF <<EOF <<EOF \
<<EOF <<EOF' || echo   "CVE-2014-7186 vulnerable, redir_stack"

--> Output should not be "CVE-2014-7186 vulnerable, redir_stack".

CVE-2014-7187:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; \
for x in {1..200} ; do echo done ; done) | \
bash || echo  "CVE-2014-7187  vulnerable, word_lineno"

--> Output should not be "CVE-2014-7187 vulnerable, word_lineno".
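The four checks above are meant to be run one at a time by hand. The script below is an added example, not part of Gandi's post, that wraps each of them in a function returning 0 when the shell is patched and 1 when the vulnerable behaviour is observed, then prints one status line per CVE, which is what you want when auditing many servers or instances after the restart. It assumes the shell under test is the `bash` found in PATH (override with the hypothetical `BASH_BIN` variable) and that `mktemp` is available; the CVE-2014-7169 probe runs in a private temporary directory instead of /tmp so it leaves no stray `echo` file behind.

```shell
#!/bin/sh
# Added example, not from the Gandi post: wraps the four checks above into
# functions so one run reports the status of every CVE. Assumed: the shell
# under test is the `bash` found in PATH (override with BASH_BIN, a name
# chosen for this example), and mktemp(1) exists for the CVE-2014-7169 check.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a function definition imported from the environment must not
# be followed by commands that get executed. 0 = patched, 1 = vulnerable.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
    esac
    return 0
}

# CVE-2014-7169: on a vulnerable bash the trailing "\" turns "echo date" into a
# redirection that writes the date into a file named "echo". Run in a private
# temp dir rather than /tmp so the probe leaves nothing behind.
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env x='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# CVE-2014-7186: fourteen here-documents overflow redir_stack on a vulnerable
# bash and crash it (non-zero exit); a patched bash only warns and exits 0.
check_7186() {
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && return 0
    return 1
}

# CVE-2014-7187: 200 nested "for" loops trip the word_lineno off-by-one.
# Written with while loops because POSIX sh has no {1..200} brace expansion.
check_7187() {
    {
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    } | "$BASH_BIN" >/dev/null 2>&1 && return 0
    return 1
}

# One line per CVE; exit status 1 if any check found the shell vulnerable.
shellshock_report() {
    rc=0
    for id in 6271 7169 7186 7187; do
        if "check_$id"; then
            echo "CVE-2014-$id: patched"
        else
            echo "CVE-2014-$id: VULNERABLE"
            rc=1
        fi
    done
    return $rc
}

shellshock_report
```

Run it once before and once after restarting an instance: a non-zero exit status means at least one check still observed the vulnerable behaviour, which is the signal to keep the instance out of service until bash is actually reloaded.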

If you need to test your CGI scripts that are called with an HTTP request, there are various test programs available for the CLI or on the web. You can find them easily using your favorite search engine.

The nature of the issue found in bash means that a string of other security issues will be discovered and other security updates will certainly be available for installation on your server in the near future.

According to the open source project's security community, the current set of patches applied to bash does not fully fix the main security issue in bash.

Please check back here in the following days to be informed of new CVEs and updates for bash for Gandi's PaaS and other hosting products.

PaaS Gandi:

Available version: 4.2+dfsg-0.1+deb7u3

[1]: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures