Stuart Martin
2014-09-25 13:37:50 UTC
Hi All,
The Globus dev team has reviewed all Globus services and Globus Toolkit components to determine the impact of the remote code execution through bash described in CVE-2014-6271. We have created a page where details about this issue will be communicated.
https://support.globus.org/entries/99833293
Our initial assessment has found no possible exploits from this bash vulnerability. However, as a precaution, we recommend that any host with a Globus service (e.g. Globus Connect Personal, Globus Connect Server, GridFTP, MyProxy, GSI-OpenSSH, GRAM) apply the advised patches ASAP.
GSI-OpenSSH users and administrators using OpenSSH's ForceCommand functionality to restrict the remote commands that a user can run should refer to the RedHat security blog (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/) and article (https://access.redhat.com/articles/1200223), which discuss the potential to bypass command restrictions using this vulnerability.
MyProxy server administrators using bash scripts with myproxy-server call-out functionality (passphrase_policy_program, proxy_extapp, certificate_issuer_program, certificate_extapp, certificate_mapapp, certificate_request_checker, certificate_issuer_checker, or accepted_credentials_mapapp) may be impacted and should promptly apply available patches.
Let us know if you have any questions.
- Globus Dev Team
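The ForceCommand bypass the post points to, as an added example (this is not code from Globus, GSI-OpenSSH or the Red Hat article). The wrapper script, its two permitted verbs ("list" and "status") and the temporary-file plumbing are made up for the illustration; sshd really does pass the client's requested command in SSH_ORIGINAL_COMMAND when a ForceCommand is in effect, which is the part that matters. The first function is the widely circulated local check for CVE-2014-6271; the rest simulates sshd invoking a bash wrapper with a client-controlled environment variable, so you can see on your own host whether the trailing command in the crafted value runs before the wrapper's allow-list does.

```shell
#!/bin/sh
# Added example, not code from Globus or GSI-OpenSSH. Probes a host for the
# CVE-2014-6271 behaviour and shows why a bash ForceCommand wrapper that
# polices SSH_ORIGINAL_COMMAND can be bypassed by an unpatched bash.

# Classic local check. A vulnerable bash imports the variable as a function
# definition and keeps executing what follows the closing brace ("echo
# vulnerable"); a patched bash stops at the brace. Prints "vulnerable" or
# "patched".
shellshock_status() {
    ss_out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null) || true
    case "$ss_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Hypothetical ForceCommand wrapper of the kind the advisory refers to (the
# two permitted verbs are made up for this example). sshd runs the wrapper
# instead of whatever the client asked for and passes the client's request
# only in SSH_ORIGINAL_COMMAND, which the wrapper checks against an allow-list.
write_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/bash
case "$SSH_ORIGINAL_COMMAND" in
    list)   echo "listing allowed" ;;
    status) echo "status allowed" ;;
    *)      echo "rejected: $SSH_ORIGINAL_COMMAND" >&2; exit 1 ;;
esac
EOF
}

# Simulates what sshd does: run the forced command under bash with the
# client-supplied string in SSH_ORIGINAL_COMMAND. Returns the wrapper's status.
forced_request() {
    fr_w=$(mktemp) || return 2
    write_wrapper "$fr_w"
    fr_rc=0
    env SSH_ORIGINAL_COMMAND="$1" bash "$fr_w" || fr_rc=$?
    rm -f "$fr_w"
    return $fr_rc
}

# The bypass the Red Hat article describes: the "command" is a function
# definition followed by an arbitrary command. An unpatched bash executes the
# trailing part while importing the environment, before the wrapper's first
# line runs, so the allow-list never gets a chance. Prints "bypassed" or
# "restricted".
forcecommand_status() {
    fc_out=$(forced_request '() { :;}; echo INJECTED' 2>/dev/null) || true
    case "$fc_out" in
        *INJECTED*) echo bypassed ;;
        *)          echo restricted ;;
    esac
}

report() {
    echo "bash:          $(shellshock_status)"
    echo "ForceCommand:  $(forcecommand_status)"
    echo "legit request: $(forced_request list)"
}

report
```

On a host whose bash has been patched, both probes report "patched" and "restricted" and only the allow-listed verbs get through. Note that the allow-list in the wrapper is no defence on its own: the injected command runs while bash is still importing the environment, before the wrapper's `case` statement executes, which is why the post's advice to apply the bash patches, rather than to harden the wrapper, is the right one. Any bash-based MyProxy call-out program that can see attacker-influenced environment variables has the same shape of exposure.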