A new vulnerability was recently identified in the “bash” shell, which is a default component of most Linux operating systems deployed globally today. This vulnerability, dubbed “Shellshock”, is being compared to the Heartbleed bug experienced earlier this year because of the widespread use of the impacted Linux operating systems.
Shellshock has been assigned the highest risk rating of “10” according to the Common Vulnerability Scoring System (CVSS). Why? The vulnerability can be exploited across the network, it does not require any authentication to exploit, and exploiting this vulnerability is simple.
Unmanaged Customers - Patch Your Systems in the CenturyLink Cloud Immediately
If you have instances running a Linux operating system in CenturyLink Cloud data centers, you are likely affected. Our unmanaged customers are responsible for day-to-day configuration and deployment of these systems, so it is the customer’s responsibility to remediate any affected systems.
We recommend you apply the updates for this vulnerability as quickly as possible. This is especially important for servers running the Apache web server, as there are published exploits already circulating for Apache websites.
Managed Customers – Request Patching via Ticket with Managed Services Help Desk
Customers running managed environments (including Apache) on CenturyLink Cloud will have their systems patched upon request. To initiate a request, open a ticket with the CenturyLink Cloud Managed Services team. CenturyLink hosting engineers and operations are currently working with multiple software vendors to enable the necessary critical patches for quick resolution.
Actions Taken by the CenturyLink Cloud Team
CenturyLink Cloud has assessed our infrastructure, and we will be updating all OpenVPN servers with the patches that fix this bug. You will receive additional communication from us when those updates are scheduled. Any additional updates will be posted to this blog article, so please check back regularly.
Information on Patches for Each Linux Distribution:
- Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
- Red Hat: https://access.redhat.com/node/1200223
- Debian: https://security-tracker.debian.org/tracker/CVE-2014-6271
- CentOS: http://lists.centos.org/pipermail/centos/2014-September/146099.html
[2014-09-25 9:30AM PT] Original Post
[2014-10-06 11:29AM PST] All externally facing systems including customer OpenVPN servers managed by CenturyLink Cloud have been updated