On 24th Sep 2014 a vulnerability in the bash shell was made public. It detailed a bug which allowed remote code execution through bash, the main attack vector being CGI scripts which in turn call bash. This includes CGI scripts written in bash and any other language which uses popen() to call bash. The default behaviour on Viper is not to use bash for these calls, preferring sh by design, which is not affected by this bug. Scripts ran via CGI would of only been vulnerable if bash was explicitly specified in the web sites code. A full description of the vulnerability can be found here: http://seclists.org/oss-sec/2014/q3/650

A patch was made available shortly after on the 25th Sep 2014, this patch only fixed part of the bug. An additional patch was released later that day, completing the fix: http://seclists.org/oss-sec/2014/q3/690

After the patch was verified and tested, it was rolled out across the entire A2Z Viper platform. The vulnerability is now fixed on all A2Z-Vipers and no further action is required.