[UPDATE 9/26: This morning, Redhat released a thorough technical write-up of the vulnerability including diagnostic steps, affected products and more.]
On Wednesday, 9/25, a vulnerability was discovered in the ‘bash’ shell that is present by default in the Redhat family of Linux distributions. The ubiquitous nature of this utility, and the many aspects of the system that depend on it mean that this vulnerability has far-reaching security implications.
While we do not distribute bash, and this vulnerability has no specific connection to our software, this is a security concern for our entire industry. Thankfully, Redhat and CentOS have worked hard to ensure a patch was available as soon as possible. If you are running our platform on Linux systems we strongly urge you to upgrade to the latest version of Bash immediately.
You can do this very simply with ‘yum update bash’ in CentOS and RedHat, and you can verify that the fix is present by checking the release version with “rpm -qv bash” against this list based on your platform:
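As an added example (not part of the original post), here is a small script that automates that verification step: it reads the output of `rpm -q bash` and compares the installed version-release against the fixed one for your platform using rpm's own label-comparison rules, so that "15.el6" is correctly judged older than "15.el6_5.1". The `FIXED_VR` value is a placeholder; substitute the release from the vendor's advisory list for your platform.

```python
import re
import subprocess
import sys

# PLACEHOLDER (assumption): the fixed version-release for your platform comes from
# the vendor advisory list the post refers to; this value is made up for the demo.
FIXED_VR = "4.1.2-99.el6"

# rpm compares labels as runs of digits or of letters; everything else is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm's version/release comparison (without the '~' pre-release rule): -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:                      # both numeric: compare as integers (15 < 100)
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:                     # a numeric segment sorts after an alphabetic one
            return 1 if xn else -1
        elif x != y:                       # both alphabetic: plain string order
            return 1 if x > y else -1
    # Equal so far: the label with more segments is newer (15.el6 < 15.el6_5.1).
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(pkg):
    """Split 'name-version-release.arch' as printed by `rpm -q bash`."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.([^.]+)", pkg.strip())
    if not m:
        raise ValueError("not an NVRA string: %r" % pkg)
    return m.groups()

def is_patched(installed, fixed_vr=FIXED_VR):
    """True if the installed bash package is at or above the fixed version-release."""
    _, ver, rel, _ = parse_nvra(installed)
    fixed_ver, fixed_rel = fixed_vr.split("-", 1)
    c = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return c >= 0

def check_rpm_output(output, fixed_vr=FIXED_VR):
    """Map each installed bash package (multilib hosts may list two arches) to patched?"""
    return {line: is_patched(line, fixed_vr) for line in output.splitlines() if line.strip()}

if __name__ == "__main__":
    out = subprocess.run(["rpm", "-q", "bash"], capture_output=True, text=True, check=True).stdout
    results = check_rpm_output(out)
    for pkg, ok in results.items():
        print("%s %s" % ("OK     " if ok else "UPGRADE", pkg))
    sys.exit(0 if all(results.values()) else 1)
```

Run it on each host after `yum update bash`; a non-zero exit code means at least one installed bash package is still below the fixed release.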
If you’re not sure whether you’re running Bash, or whether the vulnerability has been patched, take the time to consult your IT director. This is a potentially serious security hole and worth a conversation to make sure your mail servers and other exposed web applications are adequately protected. We feel that the potential fallout from this hack could be rather extensive, so we wanted to help spread the word and do our part to make the Internet a safer place.
Some distribution-specific advisories can be found as follows (by way of DuoSecurity):
While we’re on the topic of email security, check out our ebook on How DMARC is Saving Email today.