Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?
gernot.hassenpflug at asahinet.com
Thu Sep 25 23:02:51 EDT 2014
Since 2014-09-24 there has been a vulnerability, CVE-2014-6271, reported
in the Bash shell, for Red Hat and CentOS (versions
4 through 7), explained in  by example.
Quote from :
"This issue affects all software that uses the Bash shell and parses
values of environment variables. This issue is especially dangerous as
there are many possible ways Bash can be called by an application. Quite
often if an application executes another binary, Bash is invoked to
accomplish this. Because of the pervasive use of the Bash shell, this
issue is quite serious and should be treated as such."
Our company needs me to report on whether there is any vulnerability in
the Shibboleth-related software: Apache module and shibd daemon on the
SP side, in particular.
The shibd daemon communicates through the Apache module to the browser,
using SAML, so I expect there to be no use of shell environment
variables here. However, perhaps the daemon calls a program from the
command line at some point, or some related use of environment
Could someone from the development team confirm whether or not there is
cause for concern?
Asahi Net, Inc.