Discussion:
[gt-user] remote code execution through bash CVE-2014-6271
Stuart Martin
2014-09-25 13:37:50 UTC
Hi All,

The Globus dev team has reviewed all Globus services and Globus Toolkit components to determine the impact of the remote code execution through bash described in CVE-2014-6271. We have created a page where details about this issue will be communicated.

https://support.globus.org/entries/99833293

Our initial assessment has found no possible exploits from this bash vulnerability. However, as a precaution, we recommend that any host with a Globus service (e.g. Globus Connect Personal, Globus Connect Server, GridFTP, MyProxy, GSI-OpenSSH, GRAM) apply the advised patches ASAP.

GSI-OpenSSH users and administrators using OpenSSH's ForceCommand functionality to restrict the remote commands that a user can run should refer to the Red Hat security blog (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/) and article (https://access.redhat.com/articles/1200223), which discuss the potential to bypass command restrictions using this vulnerability.

MyProxy server administrators using bash scripts with myproxy-server call-out functionality (passphrase_policy_program, proxy_extapp, certificate_issuer_program, certificate_extapp, certificate_mapapp, certificate_request_checker, certificate_issuer_checker, or accepted_credentials_mapapp) may be impacted and should promptly apply available patches.

Let us know if you have any questions.

- Globus Dev Team
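
For the MyProxy call-out paragraph above, one way an administrator could inventory which configured call-out programs start under bash. This is an added example, not part of the original message and not Globus code; the config line format (a directive followed by an optionally double-quoted path with no spaces) is an assumption.

```shell
#!/bin/sh
# Added example, not Globus code. Assumes "directive value" config lines,
# value optionally double-quoted, no spaces in paths.

# Classify a script by its first line: bash, sh, or other.
# "sh" is reported separately because /bin/sh is bash on Red Hat family hosts.
interp_of() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case "$first" in
        '#!'*bash*) echo bash ;;
        '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh'*) echo sh ;;
        *) echo other ;;
    esac
}

# Print "directive path interpreter" for every call-out directive named in
# the advisory whose program starts under bash or sh.
# Returns 1 if any were found, 0 otherwise.
audit_callouts() {
    conf=$1
    found=0
    while read -r key val rest || [ -n "$key" ]; do
        case "$key" in
            passphrase_policy_program | proxy_extapp | \
            certificate_issuer_program | certificate_extapp | \
            certificate_mapapp | certificate_request_checker | \
            certificate_issuer_checker | accepted_credentials_mapapp) ;;
            *) continue ;;
        esac
        val=${val#\"}
        val=${val%\"}
        kind=$(interp_of "$val")
        if [ "$kind" != other ]; then
            printf '%s %s %s\n' "$key" "$val" "$kind"
            found=1
        fi
    done < "$conf"
    return "$found"
}

# Usage: sh audit.sh /path/to/myproxy-server.config
if [ "$#" -gt 0 ]; then
    audit_callouts "$1"
fi
```

Entries reported as `sh` need a second look on hosts where `/bin/sh` resolves to bash; entries reported as `bash` are the ones the advisory says to patch promptly.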
