2014/09/25

Shellshock

I'm sure this is going down well across the globe right now...

Details over at NIST.

As I understand it, it allows env variables to be propagated to child processes and where they start with a particular string "() {" for this to enable execution of any commands beyond the function definition. Nice. Will affect mainly CGI based servers which are many though typically older websites these days... I suspect 500 million sites affected is overdoing it a little but it doesn't overplay the seriousness of this bug.

... off to find whatever servers I have vulnerable to this little bugger...

Update: This guy is scanning the net for the vulnerability...

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html#.VCQSaC5dVnI

Update: And Redhat have a very good article on this one including a nice command to test your installation to see if you're affected on their security blog.
-
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Docs

There, I said it. A four letter swear word. Something worse than the F’ word if the horror on the boss’ face is anything to go by. We don’t ...

  • An Observation
    Much has changed in the past few years, hell, much has changed in the past few weeks, but that’s another story... and I’ve found a little ti...
  • SQL Server 2017 on Linux (mostly)...
    Nice piece of work. Begs the questions when we'll see Windows for Linux though ;)
  • Inter-microservice Integrity
    A central issue in a microservices environment is how to maintain transactional integrity between services. The scenario is fairly simple. S...