The Shellshock Flaw

***Security Alert***

[Update 2 | September 30, 2014, 9:10am CST]

Apple has released an update.

[Update 1 | September 26, 2014, 11:40am CST]

Red Hat has released a full patch.

[Original Post | September 25, 2014, 1:45pm CST]

Zimbra is aware of the Shellshock vulnerability and has been closely monitoring its developments. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We recommend that our customers evaluate their systems for this vulnerability and take immediate action to remediate as patches become available.

This flaw affects the Bash shell of Unix-based systems and does not necessarily affect the applications running on top of those operating systems. As for Zimbra’s IT Operations, we are taking the necessary steps to mitigate any risk associated with this flaw as soon as possible.

According to Red Hat’s Bugzilla, this is rated urgent for both priority and severity. Following is Red Hat’s description from the same Bugzilla entry:

“A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”
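One way to evaluate a host for the behavior Red Hat describes above, as an added example that is not from Zimbra or Red Hat: it passes Bash an environment variable shaped like an exported function with a harmless trailing `echo` and reports whether that `echo` ran. The names `shellshock_status`, `audit_bash_copies`, `probe` and the marker string are assumptions chosen for this example, and the check covers only the environment-variable parsing behavior quoted above.

```shell
#!/bin/sh
# Added example: local check for the environment-variable parsing flaw.
# Function, variable and marker names are hypothetical, chosen for this example.

# Usage: shellshock_status [path-to-shell]
# Prints and returns: "patched" (0), "vulnerable" (1), "absent" (2).
shellshock_status() {
    shell_bin=${1:-$(command -v bash 2>/dev/null)}
    if [ -z "$shell_bin" ] || [ ! -x "$shell_bin" ]; then
        echo absent
        return 2
    fi
    # Unique marker so unrelated output cannot cause a false positive.
    marker="shellshock-probe-$$"
    # The value looks like an exported function followed by a harmless
    # trailing echo. A fixed Bash never runs anything after the body.
    out=$(env "probe=() { :;}; echo $marker" "$shell_bin" -c 'echo done' 2>/dev/null)
    case $out in
        *"$marker"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# Check the bash found on PATH plus common fixed locations, because a
# patched /bin/bash does not help if a service invokes an older copy.
# Returns 1 if any copy is vulnerable, 0 otherwise.
audit_bash_copies() {
    rc=0
    for candidate in $(command -v bash 2>/dev/null) /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$candidate" ] || continue
        result=$(shellshock_status "$candidate") || rc=1
        printf '%s\t%s\n' "$candidate" "$result"
    done
    return $rc
}
```

Source the file and run `audit_bash_copies`; a non-zero return means at least one listed copy of Bash still needs the vendor patch.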

Additional Information:

Please stay tuned. Zimbra will update this post as we have more information to share.
