Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?

Gernot Hassenpflug gernot.hassenpflug at
Thu Sep 25 23:02:51 EDT 2014


Since 2014-09-24 there is a vulnerability CVE-2014-6271 reported [1]
regarding vulnerability in Bash shell, for Red Hat and CentOS (versions
4 through 7), explained in [3] by example.

Quote from [2]:
"This issue affects all software that uses the Bash shell and parses
values of environment variables. This issue is especially dangerous as
there are many possible ways Bash can be called by an application. Quite
often if an application executes another binary, Bash is invoked to
accomplish this. Because of the pervasive use of the Bash shell, this
issue is quite serious and should be treated as such."

Our company needs me to report on whether there is any vulnerability in
the Shibboleth-related software: Apache module and shibd daemon on the
SP side, in particular.

The shibd daemon communicates through the apache module to the browser,
using SAML, so I expect there to be no use of shell environment
variables here. However, perhaps the daemon calls a program from the
command line at some point, or some related use of environment

Could someone from the development team confirm whether or not there is
cause for concern or not?



Best regards,
Gernot Hassenpflug
Asahi Net, Inc.
Tokyo, Japan

More information about the users mailing list