How to fix Bash vulnerability in CentOS, RedHat, Fedora, CloudLinux, Ubuntu, Debian or OpenSuse Linux servers : Resolving CVE-2014-6217 Bash "Shell Shock" vulnerability

Highly critical Bash code injection vulnerability CVE-2014-6217 was declared on 24th Sep, and a patch is now available for all popular Linux web hosting servers such as CentOS, RedHat, Fedora, CloudLinux, Ubuntu, Debian and OpenSuse.

If you have a Linux web hosting server, it has Bash, and if you haven't expressly patched it, assume that your server is vulnerable to hack. Linux web hosting servers are typically enabled with CGI modules, and they could allow commands to be passed on to Bash, thus opening the gates to hackers.

First test if your Bash is vulnerable using the below command:

# env x='() { :;}; echo Server is vulnerable' bash -c "echo"

If your server is vulnerable, it will display the message "Server is vulnerable". If your server is secure, the below warning will be shown:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

The engineers in our Proactive Server Management Services detected this threat on 24th, and patched all our Linux web hosting servers with the following steps:

In CentOS / Fedora / RedHat / CloudLinux servers,

Login to terminal as root and execute the command:

# yum -y update bash

In Ubuntu / Debian servers,

Login to terminal as root and execute the command:

# apt-get update && apt-get install bash

In OpenSuse servers,

Login to terminal as root and execute the command:

# zypper patch --cve=CVE-2014-6217
# zypper patch --cve=CVE-2014-7169

If you are not comfortable using a root terminal, consult a systems administrator.

This should protect you from the critical CVE-2014-6217 vulnerability, however, your server will need to be patched again to be fully protected once a solution is available for the related CVE-2014-7169 vulnerability. We will update this post when a patch is available. When it is released, just execute the above steps again.

[ UPDATE ] - Patch for CVE-2014-7169 is now available. So, in case you have already ran the commands above, re-run them again to get the final patch.

Critical vulnerabilities are a fact of web hosting. Bobcares Proactive Server Management prevents zero-day exploits by configuring servers for managed auto-upgrades.

Not sure if your servers are patched? We can check your servers for FREE, and if vulnerable, patch your servers.

Fix my server now!