{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {"description": "Bash versions prior to 25 September 2014", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "GNU Bash 3.2 versions prior to 3.2.52", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Ubuntu 10.04 LTS versions prior to 4.1-2ubuntu3.2", "product": {"name": "Ubuntu", "vendor": {"name": "Ubuntu", "scada": false}}},
    {"description": "Bash Ubuntu 12.04 LTS versions prior to 4.2-2ubuntu2.3", "product": {"name": "Ubuntu", "vendor": {"name": "Ubuntu", "scada": false}}},
    {"description": "Bash Red Hat Enterprise Linux 6 versions prior to bash-4.1.2-15.el6_5.2, bash-4.1.2-15.el6_5.1.sjis.1, bash-4.1.2-9.el6_2.1, bash-4.1.2-15.el6_4.1", "product": {"name": "Red Hat Enterprise Linux", "vendor": {"name": "Red Hat", "scada": false}}},
    {"description": "GNU Bash 4.1 versions prior to 4.1.12", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Red Hat Enterprise Linux 5 versions prior to bash-3.2-33.el5_11.4, bash-3.2-33.el5_11.1.sjis.1, bash-3.2-24.el5_6.1, bash-3.2-32.el5_9.2", "product": {"name": "Red Hat Enterprise Linux", "vendor": {"name": "Red Hat", "scada": false}}},
    {"description": "Bash Debian Squeeze versions prior to 4.1-3+deb6u2", "product": {"name": "N/A", "vendor": {"name": "Debian", "scada": false}}},
    {"description": "GNU Bash 3.0 versions prior to 3.0.17", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "GNU Bash 3.1 versions prior to 3.1.18", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Ubuntu 14.04 LTS versions prior to 4.3-7ubuntu1.3", "product": {"name": "Ubuntu", "vendor": {"name": "Ubuntu", "scada": false}}},
    {"description": "GNU Bash 4.2 versions prior to 4.2.48", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Debian Wheezy versions prior to 4.2+dfsg-0.1+deb7u3", "product": {"name": "N/A", "vendor": {"name": "Debian", "scada": false}}},
    {"description": "GNU Bash 4.3 versions prior to 4.3.25", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Red Hat Enterprise Linux 7 versions prior to bash-4.2.45-5.el7_0.4", "product": {"name": "Red Hat Enterprise Linux", "vendor": {"name": "Red Hat", "scada": false}}},
    {"description": "GNU Bash 4.0 versions prior to 4.0.39", "product": {"name": "N/A", "vendor": {"name": "N/A", "scada": false}}},
    {"description": "Bash Red Hat Enterprise Linux 4 versions prior to bash-3.0-27.el4.2", "product": {"name": "Red Hat Enterprise Linux", "vendor": {"name": "Red Hat", "scada": false}}}
  ],
  "affected_systems_content": null,
  "closed_at": "2014-09-30",
  "content": "## Solution\n\nVulnerability CVE-2014-6271 is a command injection that follows the definition of a function in an environment variable. In some cases a process can inherit environment variables originating from a remote machine, which makes this vulnerability remotely exploitable. This is notably the case for web servers that use bash scripts as CGI-bin, for certain SSH servers and for DHCP clients.\n\nIt is possible to check whether the installed version of bash is vulnerable with the command:\n\n`$ env VAR='() { 0; }; echo danger' bash -c \"echo  bonjour\"`\n\nAt present, some patches are incomplete because of a residual vulnerability (CVE-2014-7169). Nevertheless, CERT-FR recommends applying the patches to reduce the ease of exploitation. The latest patches from the Debian, Ubuntu and RedHat distributions also fix CVE-2014-7169.\n",
  "cves": [
    {"name": "CVE-2014-7186", "url": "https://www.cve.org/CVERecord?id=CVE-2014-7186"},
    {"name": "CVE-2014-6271", "url": "https://www.cve.org/CVERecord?id=CVE-2014-6271"},
    {"name": "CVE-2014-6277", "url": "https://www.cve.org/CVERecord?id=CVE-2014-6277"},
    {"name": "CVE-2014-7169", "url": "https://www.cve.org/CVERecord?id=CVE-2014-7169"},
    {"name": "CVE-2014-7187", "url": "https://www.cve.org/CVERecord?id=CVE-2014-7187"},
    {"name": "CVE-2014-6278", "url": "https://www.cve.org/CVERecord?id=CVE-2014-6278"}
  ],
  "links": [],
  "reference": "CERTFR-2014-ALE-006",
  "revisions": [
    {"description": "initial version.", "revision_date": "2014-09-25T00:00:00.000000"},
    {"description": "update.", "revision_date": "2014-09-26T00:00:00.000000"},
    {"description": "update.", "revision_date": "2014-09-29T00:00:00.000000"},
    {"description": "update.", "revision_date": "2014-09-30T00:00:00.000000"}
  ],
  "risks": [
    {"description": "Remote arbitrary code execution"}
  ],
  "summary": "A vulnerability has been discovered in GNU bash. It allows an attacker to cause remote arbitrary code execution.\n",
  "title": "Vulnerability in GNU bash",
  "vendor_advisories": [
    {"published_at": null, "title": "RedHat security bulletin of 24 September 2014", "url": "https://access.redhat.com/articles/1200223"},
    {"published_at": null, "title": "RedHat security bulletin of 26 September 2014", "url": "https://rhn.redhat.com/errata/RHSA-2014-1306.html"},
    {"published_at": null, "title": "Ubuntu security bulletin USN-2362-1 of 24 September 2014", "url": "http://www.ubuntu.com/usn/usn-2362-1/"},
    {"published_at": null, "title": "Debian security bulletin DSA-3032-1 of 24 September 2014", "url": "http://www.debian.org/security/2014/dsa-3032"},
    {"published_at": null, "title": "Debian security bulletin DSA-3035-1 of 25 September 2014", "url": "http://www.debian.org/security/2014/dsa-3035"},
    {"published_at": null, "title": "Ubuntu security bulletin USN-2364-1 of 27 September 2014", "url": "http://www.ubuntu.com/usn/usn-2364-1/"},
    {"published_at": null, "title": "Ubuntu security bulletin USN-2363-1 of 25 September 2014", "url": "http://www.ubuntu.com/usn/usn-2363-1/"},
    {"published_at": null, "title": "Ubuntu security bulletin USN-2363-2 of 25 September 2014", "url": "http://www.ubuntu.com/usn/usn-2363-2/"}
  ]
}
