[sssForm]
In September 2014, there were additional CVEs spawned from the initial bash CVE-2014-6271 [6], collectively known as Shellshock bash vulnerabilities. These additional CVEs are addressed in this advisory for historic and legacy release families.
| Item# | Vulnerability ID | Score Source | Score | Summary |
| 1 | CVE-2014-6277 | CVSS 2.0 | 10.0 High | bash: specially-crafted environment variables can be used to inject shell commands [1] |
| 2 | CVE-2014-6278 | CVSS 2.0 | 10.0 High | bash: incorrect parsing of function definitions with nested command substitutions [2] |
| 3 | CVE-2014-7169 | CVSS 2.0 | 10.0 High | bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271) [3] |
| 4 | CVE-2014-7186 | CVSS 2.0 | 10.0 High | bash: parser can allow out-of-bounds memory access while handling redir_stack [4] |
| 5 | CVE-2014-7187 | CVSS 2.0 | 10.0 High | bash: off-by-one error in deeply nested flow control constructs [5] |
The table below indicates releases of ACOS exposed to this vulnerability and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
| Releases Affected | Releases Resolved or Unaffected |
|---|---|
| 2.6.1-GR1 – 2.6.1-GR1-Px | 2.7.2-P16, 4.1.0, 4.1.1, 4.1.4-GR1, 5.1.0 |
| 2.6.6-GR1 – 2.6.6-GR1-Px | 2.8.2-P11, 4.1.2, 4.1.4-GR1, 5.1.0 |
| 2.7.0 – 2.7.0-Px | 2.7.2-P16, 4.1.0, 4.1.1, 4.1.4-GR1, 5.1.0 |
| 2.7.1 – 2.7.1-Px | 2.7.2-P16, 4.1.0, 4.1.1, 4.1.4-GR1, 5.1.0 |
| 2.7.2 – 2.7.2-P15 | 2.7.2-P16, 4.1.0, 4.1.1, 4.1.4-GR1, 5.1.0 |
| 2.8.0 – 2.8.0-Px | 2.8.2-P11, 4.1.2, 4.1.4-GR1, 5.1.0 |
| 2.8.1 – 2.8.1-P2 | 2.8.2-P11, 4.1.2, 4.1.4-GR1, 5.1.0 |
| 2.8.2 – 2.8.2-P10 | 2.8.2-P11, 4.1.2, 4.1.4-GR1, 5.1.0 |
| 2.9.1 – 3.2.1-Px (TPS) | 3.2.2-P1 |
| 2.5.0 – 2.6.0 (aGalaxy) | 3.0.1, 3.2.2, 5.0.0 (aGalaxy) |
See the workarounds and mitigations for the affected release described in the security advisory “A10 Vulnerability to "Shellshock Bash" #CVE-2014-6271” [7].
Software updates that address these vulnerabilities are or will be published at the following URL:
http://www.a10networks.com/support/axseries/software-downloads
The following table shares brief descriptions for the vulnerabilities addressed in this document.
| Vulnerability ID | Vulnerability Description |
|---|---|
| CVE-2014-6277 |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. |
| CVE-2014-6278 |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. |
| CVE-2014-7169 |
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. |
| CVE-2014-7186 |
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. |
| CVE-2014-7187 |
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. |
None
| Revision | Date | Description |
|---|---|---|
| 1.0 | October 1, 2014 |
Initial Publication |
| 1.1 | April 16, 2018 |
Created web page |
| 2.0 | February 17, 2020 |
Refactored advisory for contemporary structure and format. Added affected releases, workaround, vulnerability details, and related links content. |
| 2.1 | March 13, 2020 |
Adjust aGalaxy fix versions |
© Copyright 2020 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.