A vulnerability was announced on September 24, 2014 that affects a large number of systems using the Linux operating system, or more specifically, systems using affected versions of the Bash shell. The vulnerability, identified as CVE-2014-6271, is now being called “Shellshock”, and it potentially affects a larger number of systems than Heartbleed. Several good articles have been written on the vulnerability, both technical and less technical. After patches were released for CVE-2014-6271, on September 25, 2014, it was noted that the original patches did not completely fix the issue. Another identifier, CVE-2014-7169, was issued, and new patches were released for it today.
What has OneLogin done about Shellshock?
The way OneLogin controls access to production systems prevents internal or external sources from exploiting this vulnerability. Nevertheless, the version of Bash installed on our systems was patched on all our servers within hours of each patch becoming available.
We will continue to monitor this vulnerability for further developments.