On September 24, 2014, CVE-2014-6271 was published, revealing a major issue with the way GNU Bash processes environment variables. More specifically, Bash does not properly parse functions passed in environment variables, allowing trailing code to be executed in the Bash context. This allows an attacker to execute arbitrary code by properly crafting environment variables.
In general, this bug can be triggered over the network without authentication, which makes it extremely serious. The National Vulnerability Database currently ranks it with the highest possible CVSS v2 base score of 10.
A10 Networks has not been able to replicate this condition remotely with A10 Thunder, AX, ID, or EX Series products. However, we are still researching several corner cases and we will update this advisory as we have new information.
Local exploitation is possible, however, so we will provide patches to address this issue (see below for information on how to download patches).
There is an ongoing discussion of additional issues stemming from the way Bash parses variable content; these are currently tracked under CVE-2014-7169. Our team is continuously monitoring those developments and, if A10 products are deemed to be vulnerable to any of the issues addressed in CVE-2014-7169, A10 will provide patches for those as well.
bash: specially-crafted environment variables can be used to inject shell commands
GNU Bash through version 4.3 is affected by this vulnerability.
Vulnerable versions of Bash are used in A10’s products. Our engineers have been able to validate that in the current configuration, it is possible to execute and trigger this vulnerability locally. For most deployments, this is not an issue since access to the systems is usually authenticated and the operator is already at the highest level of privileges.
We are further investigating the issue and will provide updates as we complete our investigation.
From the point of view of remote exploitation, there are a couple of mitigating factors that suggest this vulnerability may not be triggered; however, we cannot rule this out as a possibility.
The first factor is that none of our web-based management processes use the CGI interface, nor do our other management processes spawn Bash to perform their tasks. This makes it very unlikely that a tainted variable will propagate and be provided in environments where Bash will be executed.
The second mitigating factor is that none of the management interfaces are exposed to the data plane. At this point, the only point of contact would be the management plane, which, by definition, is much better guarded and has limited access.
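The following Python helper is an added example, not part of A10's advisory or product code. It flags environment values shaped like Bash function definitions (values starting with "() {"), reports whether text trails the function body, and drops such values before a process would spawn Bash. The function names and the sample environment are constructed for illustration.

```python
import re

# A value that starts like "() {" is what Bash treats as an exported function.
# The pattern tolerates extra whitespace so it errs on the side of flagging.
FUNC_START = re.compile(r"^\s*\(\)\s*\{")


def trailing_after_body(value):
    """Return the text after the function body's closing brace (heuristic).

    Braces are counted without regard to quoting, so this is used only for
    reporting; scrub_env() drops every function-shaped value regardless.
    """
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    return ""  # unbalanced: no closing brace found


def audit_env(env):
    """Map each function-shaped variable to 'function' or 'function+trailing'."""
    findings = {}
    for name, value in env.items():
        if FUNC_START.match(value):
            tail = trailing_after_body(value)
            findings[name] = "function+trailing" if tail else "function"
    return findings


def scrub_env(env):
    """Return a copy of env with every function-shaped value removed."""
    flagged = audit_env(env)
    return {k: v for k, v in env.items() if k not in flagged}


# Constructed sample environment (not taken from any A10 product).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "() { :; }; echo constructed-marker",
    "helper": "() { echo hi; }",
    "NOTE": "text with () { in the middle",
}

if __name__ == "__main__":
    print(audit_env(SAMPLE_ENV), sorted(scrub_env(SAMPLE_ENV)))
```

A caller that must spawn Bash can pass the result of scrub_env(os.environ) as the child's environment, so a tainted value never reaches the shell even on an unpatched host.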