By now you’re probably aware that a serious Unix (Linux) vulnerability has been discovered. Named ‘Shellshock’, it affects Unix-based operating systems such as Linux and Mac OS X. If exploited, it can be used by hackers to gain remote control of servers and personal computers.
The aim of this post is to outline the steps we’ve already taken, and provide more details on what (if anything) you need to do.
What’s affected?
This has been reported worldwide by the media and isn’t specific to any particular company, so if you have hosting elsewhere and you’re unsure of the steps your web host or server administrator has taken, it’s vital to find out. You will also need to check any hardware you own running a Unix-based OS (e.g. desktops and laptops), and install recommended updates if they allow external SSH connections.
All versions of bash up to and including 4.3 are vulnerable.
All supported Linux distributions are affected and have released patches.
Debian: https://www.debian.org/security/2014/dsa-3035
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
Fedora: https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138687.html
Cent OS: https://lists.centos.org/pipermail/centos-announce/2014-September/020593.html
More information from Red Hat: https://access.redhat.com/articles/1200223
Shared Web Hosting
In terms of your web hosting with Heart Internet, we have kept on top of the exploit and security issues since the vulnerability was first highlighted earlier in the week within the Linux community. If you have a shared hosting account with us, you do not need to take any action.
All Heart Internet infrastructure and shared web hosting servers (Starter Pro, Home Pro, Business Pro and Reseller Pro) were patched on Wednesday as soon as the initial vulnerability CVE-2014-6271 was announced. All Heart Internet infrastructure and shared web hosting servers were patched this morning (Friday) as soon as updates for CVE-2014-7169 were available.
Please rest assured that we will be keeping even closer watch on the situation and will implement any further security patches as needed; any updates will be added to the bottom of this blog post.
VPS, Hybrid Server & Dedicated Servers
If you have a VPS, Hybrid Server or Dedicated Server, these are unmanaged by us by default and you will need to update (and if you’re a Reseller, help/tell your own customers to update) if you haven’t already.
CentOS & Fedora use bash by default. To update:
yum -y update bash
rpm -q –changelog bash | grep -B1 -A1 CVE-2014-7169
This should return something like the following
* Thu Sep 25 2014 Ondrej Oprala <[email protected]> – 4.1.2-15.2
– CVE-2014-7169
Resolves: #1146322
Once you have successfully updated we recommend that you reboot the server to make sure that there are no vulnerable invocations of bash running.
Ubuntu and Debian may not use bash by default. However, you still need to patch as bash is likely to be installed. To do this:
apt-get update && apt-get install –only-upgrade bash
Following the update, you should reboot the server to make sure that there are no vulnerable invocations of bash running.
Summary
Our security engineers apply patches and fix issues within all third party operating systems and code as needed with our systems and shared platforms. Very few attract media attention like Shellshock (and Heartbleed back in April), but in all cases we treat is as a crucial behind-the-scenes task and apply fixes the instant they become available.
We pride ourselves on fast action where security is concerned, and this is something we constantly monitor regardless of how small the bug or how much media attention it gets. From a security perspective, we treat all confirmed (and rumoured) vulnerabilities with the same top priority. If you have any questions or concerns, please raise a ticket with our support team and they will be happy to help out where needed.
Thank you for hosting with us, and I hope this alleviates any concerns you may have.
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169 didn’t work for me but this did the job rpm -q –changelog bash | less
Hi! CentOS VPS user here. Running “yum -y update bash” works fine but when I run “rpm -q –changelog | grep –B1 –A1 CVE-2014-7169” I get an error:
——————————–
[root@vps ~]# rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
grep: unrecognized option ‘–B1’
Usage: grep [OPTION]… PATTERN [FILE]…
Try `grep –help’ for more information.
rpm: no arguments given for query
——————————–
Any idea?
#The centos command above misses the context, i.e the package name bash
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
#should be
rpm -q –changelog bash | grep ‘CVE-2014-7169’
#the short version picks up the change.
After update bash
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
returns
rpm: no arguments given for query
Thanks – it is for this fast and professional response that I continue to use heartinternet for my website hosting.
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
does not work, give error
grep: unrecognized option ‘–B1’
Usage: grep [OPTION]… PATTERN [FILE]…
Try `grep –help’ for more information.
rpm: no arguments given for query
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
…gives the following error on Centos…
root@ds-12227 [~]# rpm -q –changelog | grep –B1 –A1 CVE-2014-7169
grep: unrecognized option ‘–B1’
Usage: grep [OPTION]… PATTERN [FILE]…
Try `grep –help’ for more information.
rpm: no arguments given for query
Am I doing something wrong?
There seem to be a problem with the command `rpm -q –changelog | grep –B1 –A1 CVE-2014-7169` on Centos – it says `grep: unrecognized option ‘–B1’` – and if I change it to `-B1` (with just one hyphen) – it says the same for the `–A1`. If I change both to single hyphen then I get `rpm: no arguments given for query` – any idea?
Most Mac users should be OK if you’re worried, you can check if your Mac is vulnerable by pasting the following command into Terminal:
env x=’() { :;}; echo vulnerable’ bash -c ‘echo hello’
If you’re OK, you’ll get this back:
bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x’ hello
OSX Mavericks is the latest version of OS X that might be an issue, if you’re running the OSX Yosemite Beta then you’re fine.
As usual heart internet acts quickly when these issues arise. Thanks for the info
if we use cpanel has this already been done because the
rpm -q –changelog | grep –B1 –A1 CVE-2014-7169 command does not work
Hi Luca,
Sorry, there was a typo in the post (now updated). It should be rpm -q –changelog bash | grep -B1 -A1 CVE-2014-7169
Jenni
Hi John,
We missed ‘bash’ out of the post originally, so it should be:
rpm -q –changelog bash | grep -B1 -A1 CVE-2014-7169
Sorry for the confusion!
Thanks Fiona!
Thanks Frank, our support guys spotted that too – we’ve updated the post 🙂
Hi Seb,
Sorry, we forgot to include ‘bash’! It should read:
rpm -q—changelog bash | grep -B1 -A1 CVE-2014-7169
Apologies again!
Jenni
Thanks Jim, we try our best!
Hi Dee,
In many cases it will be automatic with cPanel, but please contact our support team to double check.
Hi Andrew,
We’ve updated the post because we missed a word out, it should be: rpm -q—changelog bash | grep -B1 -A1 CVE-2014-7169
Sorry for that!
Jenni
Hi Phil,
It should be rpm -q—changelog bash | grep -B1 -A1 CVE-2014-7169 (we missed the ‘bash’ out originally but have updated the post now). Sorry for the inconvenience.
Hi! CentOS VPS user here. Running “yum -y update bash” works fine but when I run “rpm -q—changelog | grep—B1—A1 CVE-2014-7169” I get an error: uknow commad
Thanks Jenni, but it still doesn’t work. The problem is that in your blog entry the double minus is showing as a long dash, and it is losing a space character. If you copy and paste from the blog into the ssl screen it won’t work.
I typed in rpm -q space minus minus changelog… and it worked fine.
rpm -q –changelog bash | grep -B1 -A1 CVE-2014-7169 works absolutely fine now, patched. Thanks
Sorry …Can you please help? I activated the SSH on the server in order to be able to run the commands ..My OS is windows7 therefor I chose PuttY access the linux terminal …when I run ” yum -y update bash ” ..
I get this File “/usr/bin/yum”, line 4, in ?
import yum
File “/usr/lib/python2.4/site-packages/yum/__init__.py”, line 37, in ?
import rpmsack
File “/usr/lib/python2.4/site-packages/yum/rpmsack.py”, line 24, in ?
from packages import YumInstalledPackage
File “/usr/lib/python2.4/site-packages/yum/packages.py”, line 31, in ?
import rpmUtils.arch
File “/usr/lib/python2.4/site-packages/rpmUtils/arch.py”, line 273, in ?
canonArch = getCanonArch()
File “/usr/lib/python2.4/site-packages/rpmUtils/arch.py”, line 269, in getCano nArch
return getCanonX86_64Arch(arch)
File “/usr/lib/python2.4/site-packages/rpmUtils/arch.py”, line 232, in getCano nX86_64Arch
f = open(“/proc/cpuinfo”, “r”)
IOError: [Errno 2] No such file or directory: ‘/proc/cpuinfo’
As for the second command it’s not even found/recognized….
Hi, please raise a ticket with our support team via the following link and they’ll get right back to you: https://customer.heartinternet.uk/manage/ticket.cgi?action=raise_form
Hi, if you copy & paste the code from the blog post above (characters aren’t displaying properly in comments), it should work. Please contact our support team if you’re still having issues 🙂
How long does CentOS VPS take to reboot?
I have been told by support that our VPS and Hybrid Servers will have been automatically patched as they all run WHM/cPanel, is this correct?
Hi James, it depends on a series of factors. Best to ask our support team if you need specifics for your environment.
Hi Mathew, yes that should be right. You can always ask support for specifics for each server if you want to double check.