Is Clever Cloud Vulnerable to Shellshock?

Did you like [Heartbleed?]({{ site.basepath }}/features/2014/04/08/openssl-101g-update.html) Meet Shellshock — aka CVE-2014-6271 — a new bug discovered this week in the widely used Bash command line interpreter.

First things first

Are you safe at Clever Cloud?

Yes. Yesterday afternoon (September, the 24th), a patch was released by the bash developpers to address this issue.

A member of our team, Kevin Decherf, then submitted an updated bash package with this patch to the distribution we use: exherbo.

The patch was reviewed by several members of the core exherbo team and finally validated by me, both as member of Clever Cloud and of the exherbo core team at around 5PM (CEST).

The update was then propagated inside our Cloud platform and all the critical virtual machines got bash updated today.

What about you, <localhost>?

You really should care about this new vulnerability.

It can compromise especially Apache web servers using CGI scripts with Bash invocation, making your system vulnerable to remote-code injection.
OpenSSH and some DHCP clients are affected as well on machines that use Bash.