Vulnerability Note VU#252743
GNU Bash shell executes commands in exported functions in environment variables
GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
CWE-78: OS Command Injection
A malicious attacker may be able to execute arbitrary code at the privilege level of the calling application.
Apply an Update
Vendor Information
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be vulnerable. Contact your vendor for information about updates or patches. This Red Hat support article and blog post describe ways that Bash can be called from other programs, including network vectors such as CGI, SSH, and DHCP. Shell Shock Exploitation Vectors describes other ways this vulnerability could be exploited.
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Inc. | Affected | 25 Sep 2014 | 01 Oct 2014 |
| Avaya, Inc. | Affected | 25 Sep 2014 | 29 Sep 2014 |
| Barracuda Networks | Affected | 25 Sep 2014 | 27 Sep 2014 |
| Blue Coat Systems | Affected | 25 Sep 2014 | 27 Sep 2014 |
| CentOS | Affected | - | 27 Sep 2014 |
| Check Point Software Technologies | Affected | 25 Sep 2014 | 27 Sep 2014 |
| Cisco Systems, Inc. | Affected | 25 Sep 2014 | 26 Sep 2014 |
| Cygwin | Affected | - | 26 Sep 2014 |
| D-Link Systems, Inc. | Affected | 25 Sep 2014 | 07 Oct 2014 |
| Debian GNU/Linux | Affected | 25 Sep 2014 | 27 Sep 2014 |
| Dell Computer Corporation, Inc. | Affected | - | 27 Sep 2014 |
| Extreme Networks | Affected | 25 Sep 2014 | 01 Oct 2014 |
| F5 Networks, Inc. | Affected | 25 Sep 2014 | 26 Sep 2014 |
| Fedora Project | Affected | 25 Sep 2014 | 27 Sep 2014 |
| FireEye | Affected | - | 02 Oct 2014 |
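The CGI vector mentioned above can be reviewed in web server logs, because Bash carries an exported function in an environment variable whose value begins with `() {`, and CGI copies request headers into environment variables. The following is an added example, not part of this vulnerability note: it assumes the Apache/nginx combined log format (which records only the Referer and User-Agent headers), and the function name and sample log lines are constructed for illustration.

```python
import re

# Bash encodes an exported function as an environment variable whose value
# starts with these four characters. A request header logged with this prefix
# would have reached a CGI program as a function-shaped environment variable.
FUNC_PREFIX = "() {"

# Combined log format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def find_function_headers(lines):
    """Return (host, time, field, value) for every logged header value
    that starts with the exported-function prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # skip lines that are not in the assumed format
        for field in ("referer", "agent"):
            value = m.group(field)
            # Only a value that *starts* with the prefix is treated by Bash
            # as a function definition; the same text mid-value is not.
            if value.startswith(FUNC_PREFIX):
                hits.append((m.group("host"), m.group("time"), field, value))
    return hits


# Constructed sample lines: documentation addresses, harmless trailing command.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { ignored; }; echo constructed-sample" "curl/7.30.0"',
    '192.0.2.11 - - [25/Sep/2014:10:01:12 +0000] "GET /docs/f() HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; example () { text)"',
]

if __name__ == "__main__":
    for host, time, field, value in find_function_headers(SAMPLE_LOG):
        print(f"{time} {host} {field}: {value}")
```

A hit shows only that a function-shaped header was received; whether it was executed depends on whether the request reached a program that invoked an unpatched Bash.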
This document was written by Chris King.
- CVE IDs: CVE-2014-6271 CVE-2014-7169 CVE-2014-6277 CVE-2014-7186 CVE-2014-7187
- Date Public: 24 Sep 2014
- Date First Published: 25 Sep 2014
- Date Last Updated: 14 Apr 2015
- Document Revision: 55