Critical Vulnerabilities to be Aware of in Bash

Sep. 25, 2014 by Mark Bainter

[UPDATE 9/26: This morning, Red Hat released a thorough technical write-up of the vulnerability, including diagnostic steps, affected products and more.]

On Wednesday, 9/25, a vulnerability was discovered in the ‘bash’ shell that is present by default in the Red Hat family of Linux distributions. The ubiquitous nature of this utility, and the many aspects of the system that depend on it, mean that this vulnerability has far-reaching security implications.

While we do not distribute bash, and this vulnerability has no specific connection to our software, this is a security concern for our entire industry. Thankfully, Red Hat and CentOS have worked hard to ensure a patch was available as soon as possible. If you are running our platform on Linux systems, we strongly urge you to upgrade to the latest version of Bash immediately.

You can do this very simply with ‘yum update bash’ on CentOS and Red Hat, and you can verify that the fix is present by checking the installed package release with “rpm -qv bash” against this list for your platform:

RHEL5: bash-4.1.2-15.el6_5.1
RHEL6: bash-4.1.2-15.el6_5.1

CentOS5: bash-3.2-33.el5.1
CentOS6: bash-4.1.2-15.el6_5.1
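The version comparison described above, scripted as an added example (not code from the original post): it takes the package string printed by “rpm -q bash” and the fixed build for your platform from the list above, and reports whether the installed package is the fixed build or newer. It assumes GNU “sort -V” is available for version ordering, as it is on RHEL and CentOS.

```shell
#!/bin/sh
# Added example: compare an installed bash RPM against the fixed build.
# Assumes GNU "sort -V" (coreutils) for ordering version-release strings.

# Strip the package name so only version-release is compared,
# e.g. "bash-4.1.2-15.el6_5.1" -> "4.1.2-15.el6_5.1".
nvr_to_vr() {
  printf '%s\n' "${1#bash-}"
}

# Return 0 (true) if the installed build is the fixed build or newer,
# 1 otherwise. Arguments: installed NVR, fixed NVR from the post's list.
bash_is_fixed() {
  installed=$(nvr_to_vr "$1")
  required=$(nvr_to_vr "$2")
  # The lowest of the two in version order must be the fixed build.
  lowest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
  [ "$lowest" = "$required" ]
}

# Live check on a host: query rpm and compare against the fixed NVR you
# looked up for your platform. Returns 0 if patched, 1 if not, 2 on error.
check_installed_bash() {
  required=$1
  installed=$(rpm -q bash 2>/dev/null) || { echo "rpm query failed" >&2; return 2; }
  if bash_is_fixed "$installed" "$required"; then
    echo "OK: $installed (fixed build is $required)"
  else
    echo "NOT PATCHED: $installed is older than $required; run 'yum update bash'"
    return 1
  fi
}

# Usage on a CentOS 6 host, for example:
#   check_installed_bash bash-4.1.2-15.el6_5.1
```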

If you’re not sure whether you’re running Bash, or whether the vulnerability has been patched, take the time to consult your IT director. This is a potentially serious security hole and worth a conversation to make sure your mail servers and other exposed web applications are adequately protected. We feel that the potential fallout from this vulnerability could be rather extensive, so we wanted to help spread the word and do our part to make the Internet a safer place.

Some distribution-specific advisories can be found as follows (by way of DuoSecurity):

While we’re on the topic of email security, check out our ebook on How DMARC is Saving Email today.
