Summary
The 'Shellshock' (Bashdoor) bash vulnerability found in 2014 does not affect Exinda appliances.
Overview
The 'Shellshock' (also known as 'Bashdoor') vulnerability found in the bash shell in late 2014 is a set of bugs that allow attackers to obtain credentials or execute their own commands when they are able to reach a bash script in scenarios where they should not normally have access to bash.
The Exinda appliances are built on a Linux subsystem that includes the bash shell. However, the CLI is built on a separate plane from bash and does not interact with it for any operation, as access to the shell is not allowed by default. Bash is not customer facing; the only way to reach the shell is for Exinda TAC to access it during troubleshooting by using a restricted license key. Without that key and access, it is not possible to access the bash capabilities of the device. Furthermore, the web UI scripts that interact with the system do not include exploitable bash scripts that could be hijacked and used by would-be attackers.
As a precaution, versions 6.4.3 Update 12, 6.4.6 and 7.0.1 Update 2 have a new version of bash that was patched after the exploit was found. Any firmware versions later than those (including 6.4.3 Update 14, 6.4.7 and any version of v7.x.x greater than 7.0.1u2) have this unaffected bash shell included.
If you are using a firmware version older than the three listed above, it is recommended to upgrade to a newer firmware, not just as a precautionary measure, but also because of the numerous feature enhancements and bug fixes that have been built into more recent firmware.
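A fleet check against the firmware versions listed above, as an added example that is not Exinda's own code. The inventory and host names are constructed, and treating releases the advisory does not mention (such as 6.4.4 or 6.4.5) as unconfirmed is an assumption.

```python
import re

# First releases the advisory names as shipping the patched bash,
# written as (major, minor, patch, update).
PATCHED_6_4_3 = (6, 4, 3, 12)   # 6.4.3 Update 12
PATCHED_6_X = (6, 4, 6, 0)      # 6.4.6
PATCHED_7_X = (7, 0, 1, 2)      # 7.0.1 Update 2

# Accepts both spellings used in the advisory: "6.4.3 Update 12" and "7.0.1u2".
_VERSION = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*(?:(?:update|u)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_firmware(text):
    """Return (major, minor, patch, update); update is 0 when absent."""
    match = _VERSION.match(text)
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def has_patched_bash(text):
    """True only when the advisory's wording confirms the patched bash."""
    version = parse_firmware(text)
    if version[0] >= 7:
        return version >= PATCHED_7_X
    if version[:3] == (6, 4, 3):
        # Update releases of 6.4.3 are compared on the update number alone.
        return version >= PATCHED_6_4_3
    # Assumption: releases the advisory does not mention (6.4.4, 6.4.5)
    # are reported as unconfirmed rather than patched.
    return version >= PATCHED_6_X


def needs_upgrade(inventory):
    """Return the hosts whose firmware is not confirmed to be patched."""
    return sorted(h for h, fw in inventory.items() if not has_patched_bash(fw))


# Constructed inventory: host names and versions are sample data.
SAMPLE_INVENTORY = {
    "wan-opt-01": "6.4.3 Update 11",
    "wan-opt-02": "6.4.3 Update 14",
    "wan-opt-03": "7.0.1u2",
    "wan-opt-04": "7.0.0",
    "wan-opt-05": "6.4.7",
}

if __name__ == "__main__":
    print(needs_upgrade(SAMPLE_INVENTORY))
```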