Yep, working on formal/better instructions.

On Sep 26, 2014, at 12:30 PM, David Nalley <da...@gnsa.us> wrote:

I am not sure that we are done with the vulnerabilities; and I think the apt-get is a poor option to tell folks because they are vulnerable again the next time a machine respawns.

On Fri, Sep 26, 2014 at 2:56 PM, John Kinsella <j...@stratosec.co> wrote:

I just tried some older virtual routers, and they are:

    root@r-163-VM:~# env x='() { :;}; echo OOPS' bash -c /usr/bin/true
    OOPS
    bash: /usr/bin/true: No such file or directory

That said, you can only ssh to them from the local hypervisor. Not sure if there’s any exposure on the http side.

Running apt-get update && apt-get install bash patches the bash vuln.

I’ll put together a formal statement.

On Sep 26, 2014, at 6:55 AM, Ian Duffy <i...@ianduffy.ie> wrote:

Tried this against the latest system vms built on Jenkins. Didn't get a successful exploited response.

Tested against http://systemvm - public-ip/cgi-bin/ipcalc

On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:

After heart bleed we are Shell shocked http://www.bbc.com/news/technology-29361794 !

It may not affect cloudstack directly as it is a vulnerability that affects bash, and allows the attacker to take control of the system running bash shell.

-abhi

Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella <http://twitter.com/johnlkinsella>