Update #3 – Unsurprisingly with all the attention that BASH is now receiving, additional vulnerabilities (CVE-2014-7186 and CVE-2014-7187) have been discovered. They are currently unresolved. For a more detailed write-up, see: http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx – when there are updates available to resolve these issues, I will update this post.
Update #2 – A new BASH package has been released which properly resolves this vulnerability (bash-4.1.2-15.el6_5.2) – this post will be updated to reflect this new information.
Update #1 – according to the bug report this vulnerability is still not fully patched (see Comment 23). However, I still recommend updating BASH as directed in this post. When a full bug fix is deployed I will update this post.
A critical security vulnerability has been discovered in BASH which allows for remote execution. This vulnerability is resolved in update bash-4.1.2-15.el6_5.2 (thanks to the RedHat/CentOS team for getting the updates out so quickly).
For more information, see: http://seclists.org/oss-sec/2014/q3/649 and https://rhn.redhat.com/errata/RHSA-2014-1293.html
An excellent explanation of this bug can be found here.
To test if your version of BASH is vulnerable, run the following command (thanks to this Reddit post):
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If it prints out ‘vulnerable’ – then you are vulnerable.
A tool has been created to remotely test if you’re vulnerable – you can access the BASH ShellShock Test here (thanks Brandon Potter).
To patch this issue, update to the latest version of BASH:
yum clean all && yum update bash
To check which version of BASH is installed, run the following command:
rpm -qa | grep bash
If your version of BASH is earlier than bash-4.1.2-15.el6_5.2 you may be vulnerable.
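The two manual checks above (the env-based probe and the package version comparison) combined into one script with exit codes, so they can be run across many hosts. This is an added example and not part of the original post; FIXED_NVR is the fixed package named above, and vercmp is a deliberately simplified comparator, not rpm's own.

```shell
#!/bin/sh
# Added example (not from the original post): the post's two manual checks as functions
# with exit codes. FIXED_NVR is the fixed package from the post; vercmp is simplified.

FIXED_NVR="bash-4.1.2-15.el6_5.2"

# Behavioural probe for CVE-2014-6271 (same harmless command as the post): the
# exported "function" x is followed by a trailing command. A vulnerable bash runs
# that command while importing x; a patched bash ignores it.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = no such bash binary.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Simplified version compare: keeps only numeric fields (split on any non-digit run),
# so "bash-4.1.2-15.el6_5.2" becomes "4 1 2 15 6 5 2". Adequate for same-distro bash
# packages; it is NOT a full rpmvercmp. Prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    a="$(printf '%s' "$1" | sed 's/[^0-9][^0-9]*/ /g; s/^ *//') "
    b="$(printf '%s' "$2" | sed 's/[^0-9][^0-9]*/ /g; s/^ *//') "
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s' "$b" | cut -d' ' -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return; }
        x=${x:-0}; y=${y:-0}          # a missing trailing field counts as 0
        [ "$x" -lt "$y" ] && { printf '%s\n' "-1"; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
}

# Returns 0 if an installed package NVR (e.g. the output of `rpm -q bash`) is at or
# past the fixed release, 1 if it is older and therefore may still be vulnerable.
bash_pkg_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_NVR")" -ge 0 ]
}

# Stand-alone use: probe the bash on PATH and report a one-line verdict.
if shellshock_check; then
    echo "bash on PATH is VULNERABLE to CVE-2014-6271"
else
    echo "bash on PATH did not run the trailing command (patched, or not found)"
fi
```

On a CentOS 6 host, pair the probe with `bash_pkg_is_fixed "$(rpm -q bash)"` to get both the behavioural and the package-level answer.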