On 24 September 2014, a critical vulnerability in bash, the shell widely used on UNIX and Linux systems, was disclosed.
This vulnerability, known as ShellShock (CVE-2014-6271), allows an attacker to have bash execute arbitrary commands on an affected system by passing it a specially crafted environment variable, which in turn can expose private information held by the services running on that system. While a fix for the initial issue is available, it is incomplete, and a further problem remains.
Because the first fix is incomplete, a remote attacker can still create or write to files on a system even after the patch for CVE-2014-6271 has been applied; this remaining issue is tracked as CVE-2014-7169.
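The following script is an added example and not part of the original notice; it uses the two widely published probe strings for these CVEs to check whether a given bash binary is still affected. It assumes the binary to test is `bash` on the PATH unless a path is passed as the first argument, and the function names (`check_cve_2014_6271`, `check_cve_2014_7169`, `shellshock_report`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notice): probe a bash binary for
# CVE-2014-6271 and CVE-2014-7169 using the well-known test strings.
# Each check prints "vulnerable", "patched" or "missing" and returns
# 1, 0 or 2 respectively.

# CVE-2014-6271: bash imports a function definition from an environment
# variable and, on an unpatched build, also executes any text that follows
# the closing brace. If the trailing "echo vulnerable" runs, bash is affected.
check_cve_2014_6271() {
    bin="${1:-bash}"   # assumption: test the bash found on PATH by default
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: the first fix still let a crafted value leave the parser in
# a bad state, so that "echo date" in the -c command is run as a redirection
# and a file named "echo" is created in the current directory. The probe is
# run inside a throwaway directory so it cannot write anywhere else.
check_cve_2014_7169() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$tmp/echo" ]; then result="vulnerable"; rc=1; else result="patched"; rc=0; fi
    rm -rf "$tmp"
    echo "$result"
    return $rc
}

# Run both probes and exit non-zero if either one is not "patched".
shellshock_report() {
    bin="${1:-bash}"
    status=0
    r1=$(check_cve_2014_6271 "$bin") || status=1
    r2=$(check_cve_2014_7169 "$bin") || status=1
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    return $status
}

shellshock_report "$@"
```

Run it as `sh shellshock-check.sh` (or `sh shellshock-check.sh /bin/bash` to name the binary explicitly); a fully updated system reports "patched" for both lines and exits 0. A system that passes the first check but fails the second is the case this notice describes: the original CVE-2014-6271 fix is installed but the follow-up fix for CVE-2014-7169 is not.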
What We’re Doing for This Issue
As soon as we became aware of this issue, we began protecting our services and websites.
As of Sep 26th 05:30 (UTC), we have completed updating bash on all of our servers, following the workaround for both CVE-2014-6271 and CVE-2014-7169 recommended by AWS, Red Hat and other security vendors (ALAS-2014-419; Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)).
From the investigation we have done, we believe that our services cannot be attacked through this vulnerability, because we do not expose bash-related functionality to users, including the Git over SSH provided on Backlog. However, as an added precaution, we have upgraded bash on all of our servers.