Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?

Fri Sep 26 23:46:51 EDT 2014

"Cantor, Scott" writes:

> On 9/25/14, 11:02 PM, "Gernot Hassenpflug" wrote:
>>Our company needs me to report on whether there is any vulnerability in
>>the Shibboleth-related software: Apache module and shibd daemon on the
>>SP side, in particular.
> I'm extremely curious as to why. I know that some bugs are things you have
> to prioritize patching, but this one is a raging fire. You don't even
> think about it, you just patch every web server you can get hold of, and
> you're still too late.

Hello Scott,

Thanks for the reply. I realize the above is true at a technical level,
but managing problems, tracking solutions, auditing past logs, and
communicating with customers require more detail, hence my

Here are a couple of reasons, for reference.

(1) Organizational: 

Customers using SSO must be told what possible levels of security risks
there are/were, including where (in which software, during which
actions, etc.), and audits done where necessary. To decide where company
resources must be allocated, it is important to get details first.

(2) Prioritizing, and application-level patching

OS-level patches are critical, but application-level patches can be done
more quickly, especially since OS-level patches are not final yet. (We
emergency-patched our in-house software to prevent use of shell.)

(3) Reporting and knowledge-base

For dealing with customer queries, and in-house knowledge base, as for
any case where trouble affects or potentially affects customer services,
information must be collated and recorded for future reference.

>>The shibd daemon communicates through the apache module to the browser,
>>using SAML, so I expect there to be no use of shell environment
>>variables here. However, perhaps the daemon calls a program from the
>>command line at some point, or some related use of environment
> No.

Thank you.

