I’m not worried about any specific use-case, but I’d rather not have vulnerable software running on SSVMs in general.

John

On Sep 30, 2014, at 2:47 PM, Sheng Yang <sh...@yasker.org> wrote:

The parameters of the system() function have been verified as valid IP/netmask format by the script, so I don't think other parameters would be able to slip in in this case.

--Sheng

On Tue, Sep 30, 2014 at 8:38 AM, Go Chiba <go.ch...@gmail.com> wrote:

Hi folks,

By my digging, ipcalc included a system() function call, but our Debian-based system VMs are using dash as the system shell. So I think the system VM cgi-bin is not directly affected by this Shellshock concern, right?

GO from my iPhone

On 2014/09/30 at 10:13, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.

-----Original Message-----
From: Sheng Yang [mailto:sh...@yasker.org]
Sent: Monday, September 29, 2014 5:21 PM
To: <dev@cloudstack.apache.org>
Subject: Re: Shellshock

http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's normal that it cannot be exploited.

--Sheng

On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

Do you mean you tried setting the USER_AGENT like in https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock ?

-----Original Message-----
From: Ian Duffy [mailto:i...@ianduffy.ie]
Sent: Friday, September 26, 2014 6:56 AM
To: CloudStack Dev
Subject: Re: Shellshock

Tried this against the latest system VMs built on Jenkins. Didn't get a successfully exploited response. Tested against http://systemvm-public-ip/cgi-bin/ipcalc

On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:

After Heartbleed we are Shell shocked http://www.bbc.com/news/technology-29361794 !

It may not affect CloudStack directly as it is a vulnerability that affects bash, and allows the attacker to take control of the system running the bash shell.

-abhi

Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)
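Sheng's point above is that the system() call in the Perl ipcalc CGI only ever sees validated IP/netmask parameters. The example below is added here and is not the CloudStack ipcalc script or CloudStack project code; it shows how such a CGI helper can validate those parameters and then call an external tool through Perl's list-form system(), which execs the program directly rather than through `/bin/sh -c`, so the question of whether /bin/sh is dash or a Shellshock-vulnerable bash never arises. The `/usr/bin/ipcalc` path is an assumption.

```perl
#!/usr/bin/perl
# Added example, not the CloudStack ipcalc CGI script.
use strict;
use warnings;

# Dotted-quad IPv4 address: exactly four octets, each 0-255.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# Netmask: a prefix length 0-32, or a dotted-quad mask whose bits are
# a run of ones followed only by zeros (e.g. 255.255.255.0).
sub is_netmask {
    my ($s) = @_;
    return 1 if defined $s && $s =~ /^\d{1,2}$/ && $s <= 32;
    return 0 unless is_ipv4($s);
    my $bits = unpack('B32', pack('C4', split /\./, $s));
    return $bits =~ /^1*0*$/ ? 1 : 0;
}

# Run the external tool (hypothetical path) on a validated address/mask.
# system(LIST) with more than one element execs the program directly:
# no /bin/sh is started, so the CGI environment variables (HTTP_USER_AGENT
# and friends) are never handed to a shell, and shell metacharacters in
# the arguments are never interpreted. The one-string form
# system("ipcalc $ip/$mask") would instead run "/bin/sh -c ..." and is
# exactly what to avoid in a CGI.
sub run_ipcalc {
    my ($ip, $mask) = @_;
    die "invalid address\n" unless is_ipv4($ip);
    die "invalid netmask\n" unless is_netmask($mask);
    my @cmd = ('/usr/bin/ipcalc', "$ip/$mask");
    my $rc = system(@cmd);
    return $rc == -1 ? -1 : ($rc >> 8);   # -1 if exec failed, else exit status
}

# Usage from a CGI: parameters come from the query string and are
# rejected before any external program is involved.
if (!caller) {
    my ($ip, $mask) = @ARGV;
    exit(run_ipcalc($ip, $mask));
}
```

Where the validation is exactly what is done here, the result holds on any /bin/sh; pairing it with the list form removes the shell from the picture entirely, so a future bash /bin/sh on the system VM would not reopen the CGI path.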