This morning a critical vulnerability was announced in GNU Bash. This vulnerability affects versions of CentOS, Fedora, and Red Hat Enterprise Linux (RHEL). 

The Vulnerability

Huzaifa Sidhpurwala has an excellent post on the Red Hat Security Blog that explains the vulnerability and potential attacks. 

In a nutshell:

The vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

If you're wondering "does this affect me?" here's the quick way to find out, as Ryan Lerch pointed out in the Fedora Magazine post:

env x='() { :;}; echo OOPS' bash -c /bin/true

If the shell returns "OOPS" then you're vulnerable. If it returns an error, then you have an updated bash.
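As an added example that is not part of the original post, here is a small POSIX shell wrapper around the check above. It runs the same probe, reports the outcome as a single word instead of leaving you to read the output, and can be pointed at a specific bash binary so that a locally built or chrooted bash can be tested alongside the system one. The function names and the list of candidate paths are my own choices.

```shell
# shellshock_status [path-to-bash]
# Runs the probe from the post against the given bash binary (default: the
# first "bash" on PATH) and prints exactly one word:
#   vulnerable - the command appended to the crafted variable ran (printed OOPS)
#   patched    - the shell ignored or rejected the function definition
#   no-bash    - no executable bash was found at that location
shellshock_status() {
    shell="${1:-$(command -v bash 2>/dev/null || true)}"
    if [ -z "$shell" ] || [ ! -x "$shell" ]; then
        echo no-bash
        return 0
    fi
    # Only stdout matters: a fixed bash may print a warning on stderr, which is
    # the "error" the post mentions, so stderr is discarded here.
    out=$(env x='() { :;}; echo OOPS' "$shell" -c /bin/true 2>/dev/null || true)
    case "$out" in
        *OOPS*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# shellshock_report
# Checks the usual install locations (candidate list is an assumption) and
# prints "<path> <status>" for each one that exists, so a host with more than
# one bash (system package plus a hand-built copy) is not missed.
shellshock_report() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$candidate" ] || continue
        printf '%s %s\n' "$candidate" "$(shellshock_status "$candidate")"
    done
}
```

Run `shellshock_report` on a host to see every installed bash and whether it still needs the update; a non-zero count of "vulnerable" lines means patch now.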

Getting Updates

If you're running these operating systems, you'll want to update immediately. More information about RHEL updates is on the customer portal. CentOS has an announcement for each release: CentOS 5, CentOS 6, and CentOS 7. Fedora Magazine also has information on the vulnerability, and information on how to get the updates immediately from Koji.


About the author

Joe Brockmeier is the editorial director of the Red Hat Blog. He also acts as Vice President of Marketing & Publicity for the Apache Software Foundation.
