[Update 2 | September 30, 2014, 9:10am CST]
[Update 1 | September 26, 2014, 11:40am CST]
[Original Post | September 25, 2014, 1:45pm CST]
Zimbra is aware of the Shellshock vulnerability and has been closely monitoring its developments. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We recommend that our customers evaluate their systems for this vulnerability and take immediate action to remediate as patches become available.
This flaw affects the Bash shell of Unix-based systems and does not necessarily affect the applications running on top of those operating systems. As for Zimbra’s IT Operations, we are taking the necessary steps to mitigate any risk associated with this flaw as soon as possible.
According to Red Hat’s Bugzilla, this is rated urgent for both priority and severity. The following is Red Hat’s description from the same Bugzilla entry:
“A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”
- US-CERT and NIST provide a vulnerability summary in the National Vulnerability Database, including known vulnerable software and versions.
- Red Hat has issued a patch, though a later post acknowledges the patch is incomplete.
- Debian Security Advisory
- Ubuntu Security Notice
- CentOS announcement
- Novell acknowledgement
- SUSE patch
- As of this original post, Apple has not made an official statement, though according to Ars Technica there is an update to their “command line tools.”
Please stay tuned. Zimbra will update this post as we have more information to share.