Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 4

Issue

Resolution

These issues affect all software that uses the Bash shell and parses values of environment variables. These issues are especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, these issues are quite serious and should be treated as such.

In order to avoid exploitation from CVE-2014-6271, ensure that your system is updated to at least the following versions of Bash:

RHSA-2014:1293

  • Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.2
  • Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1
  • Red Hat Enterprise Linux 5 - bash-3.2-33.el5.1

RHSA-2014:1294

  • Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
  • Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.1
  • Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.2
  • Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.1
  • Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.1

RHSA-2014:1295

  • SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.1
  • SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.1

In order to avoid exploitation from CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278, ensure that your system is updated to at least the following versions of Bash, which also includes the prior fixes:

RHSA-2014:1306

  • Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.4
  • Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.2
  • Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.4

RHSA-2014:1311

  • Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.4
  • Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.2
  • Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.3
  • Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.2
  • Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.2

RHSA-2014:1312

  • SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.2
  • SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.2

NOTE: Some additional information regarding customers who have RHEL 4 Standard or Premium Entitlements, but not ELS, is available at https://access.redhat.com/discussions/1211573

In order to update to the most recent version of the Bash package run the following command:

# yum update bash

Specify the package name in order to update to a particular version of Bash. For example, to update a Red Hat Enterprise Linux 6.5 system run:

# yum update bash-4.1.2-15.el6_5.2

Root Cause

  • A flaw was found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment. This flaw is referred to as "Shellshock".
    An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

  • For more information about this vulnerability, refer to the following article:
    Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

Diagnostic Steps

  • To determine if a system is affected by this vulnerability, review the version of Bash:
# rpm -qa bash

This solution has been reviewed for technical accuracy, optimized for search, and integrated with Product Documentation and/or Red Hat Access Labs. Much like when a software package is accepted upstream, this content has moved from the general KCS editing workflow into the responsibility of Customer Content Services as maintainers.