CVE-2014-7169 vulnerability in GNU and Other Products
Published on September 25, 2014

Known Exploited Vulnerability
This GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271.
The following remediation steps are recommended / required by July 28, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2014-7169 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as it has a high impact on the confidentiality, integrity and availability of this component.
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2014-7169 has been classified as a Shell injection vulnerability or weakness.
Products Associated with CVE-2014-7169
What versions are vulnerable to CVE-2014-7169?
- GNU Bash Up to Version 4.3
- Arista Eos Version 4.14.0 Fixed in Version 4.14.4f
- Arista Eos Version 4.13.0 Fixed in Version 4.13.9
- Arista Eos Version 4.12.0 Fixed in Version 4.12.9
- Arista Eos Version 4.11.0 Fixed in Version 4.11.11
- Arista Eos Version 4.10.0 Fixed in Version 4.10.9
- Arista Eos Version 4.9.0 Fixed in Version 4.9.12
- Oracle Linux Version 4
- Oracle Linux Version 5 -
- Oracle Linux Version 6 -
- Qnap Qts Version 4.1.1 build_0927
- Qnap Qts Version 4.1.1 -
- Qnap Qts Fixed in Version 4.1.1
- Mageia Version 3.0
- Mageia Version 4.0
- Red Hat Enterprise Linux Desktop Version 7.0
- Red Hat Enterprise Linux Server Version 5.0
- Red Hat Enterprise Linux (RHEL) Version 4.0
- Red Hat Enterprise Linux Scientific Computing Version 6.0
- Red Hat Enterprise Linux Workstation Version 7.0
- Red Hat Enterprise Linux Server Aus Version 6.2
- Red Hat Enterprise Linux Scientific Computing Version 7.0
- Red Hat Enterprise Linux (RHEL) Version 7.0
- Red Hat Enterprise Linux (RHEL) Version 6.0
- Red Hat Enterprise Linux Server Version 7.0
- Red Hat Enterprise Linux Workstation Version 5.0
- Red Hat Enterprise Linux Server Aus Version 6.5
- Red Hat Enterprise Linux Server Tus Version 6.5
- Red Hat Enterprise Linux Server Aus Version 6.4
- Red Hat Enterprise Linux Desktop Version 6.0
- Red Hat Enterprise Linux Server Version 6.0
- Red Hat Enterprise Linux (RHEL) Version 5.0
- Red Hat Enterprise Linux Workstation Version 6.0
- Red Hat Enterprise Linux Server Tus Version 7.3
- Red Hat Enterprise Linux Desktop Version 5.0
- Red Hat Enterprise Linux Server Aus Version 7.3
- Red Hat Enterprise Linux Server Aus Version 7.4
- Red Hat Enterprise Linux Eus Version 7.3
- Red Hat Enterprise Linux Eus Version 7.4
- Red Hat Enterprise Linux Eus Version 7.5
- Red Hat Enterprise Linux Server Aus Version 5.6
- Red Hat Enterprise Linux Server Aus Version 5.9
- Red Hat Enterprise Linux Server Tus Version 7.6
- Red Hat Enterprise Linux Server Aus Version 7.6
- Red Hat Enterprise Linux Eus Version 7.6
- Red Hat Enterprise Linux Server Aus Version 7.7
- Red Hat Enterprise Linux Server Tus Version 7.7
- Red Hat Enterprise Linux Eus Version 7.7
- Red Hat Enterprise Linux Eus Version 6.5
- Red Hat Enterprise Linux Eus Version 5.9
- Red Hat Enterprise Linux Eus Version 6.4
- Red Hat Enterprise Linux Power Big Endian Eus Version 7.3_ppc64
- Red Hat Enterprise Linux Power Big Endian Eus Version 7.4_ppc64
- Red Hat Enterprise Linux Power Big Endian Eus Version 7.5_ppc64
- Red Hat Enterprise Linux Power Big Endian Eus Version 7.6_ppc64
- Red Hat Enterprise Linux Power Big Endian Eus Version 7.7_ppc64
- Red Hat Enterprise Linux Server From Rhui Version 7.0
- Red Hat Enterprise Linux Server From Rhui Version 6.0
- Red Hat Enterprise Linux Power Big Endian Version 7.0_ppc64
- Red Hat Enterprise Linux Power Big Endian Version 6.0_ppc64
- Red Hat Gluster Storage Server On Premise Version 2.1
- Red Hat Enterprise Linux Power Big Endian Version 5.0_ppc
- Red Hat Enterprise Linux Server From Rhui Version 5.0
- Red Hat Enterprise Linux Power Big Endian Version 5.9_ppc
- Red Hat Enterprise Linux Power Big Endian Version 6.4_ppc64
- Red Hat Enterprise Linux Ibm Z Systems Version 6.4_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 5.9_s390x
- Red Hat Virtualization Version 3.4
- Red Hat Enterprise Linux Power Big Endian Eus Version 6.5_ppc64
- Red Hat Enterprise Linux Ibm Z Systems Version 6.5_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 7.3_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 7.4_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 7.5_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 7.6_s390x
- Red Hat Enterprise Linux Ibm Z Systems Version 7.7_s390x
- Suse Linux Enterprise Desktop Version 11 sp3
- Suse Linux Enterprise Server Version 11 sp3 vmware
- OpenSuse Version 12.3
- Suse Studio Onsite Version 1.3
- Suse Linux Enterprise Software Development Kit Version 11 sp3
- Suse Linux Enterprise Server Version 11 sp2
- Suse Linux Enterprise Server Version 10 sp4
- OpenSuse Version 13.1
- OpenSuse Version 13.2
- Suse Linux Enterprise Server Version 12 -
- Suse Linux Enterprise Software Development Kit Version 12 -
- Suse Linux Enterprise Desktop Version 12 -
- Suse Linux Enterprise Server Version 11 sp3 -
- Suse Linux Enterprise Server Version 10 sp3
- Suse Linux Enterprise Server Version 11 sp1 -
- Debian Linux Version 7.0
- IBM Qradar Vulnerability Manager Version 7.2.0
- IBM Qradar Security Information Event Manager Version 7.2.8 p2
- IBM Qradar Security Information Event Manager Version 7.2.8 p1
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.7
- IBM Qradar Vulnerability Manager Version 7.2.2
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.2
- IBM Pureapplication System Version 2.0.0.0
- IBM Qradar Security Information Event Manager Version 7.2.8 p5
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.4
- IBM Security Access Manager Mobile 8 0 Firmware Version 8.0.0.5
- IBM Security Access Manager Mobile 8 0 Firmware Version 8.0.0.3
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.5
- IBM Qradar Vulnerability Manager Version 7.2.3
- IBM Qradar Security Information Event Manager Version 7.2.8 p6
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.3
- IBM Qradar Vulnerability Manager Version 7.2.1
- IBM Security Access Manager Web 8 0 Firmware Version 8.0.0.3
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.1
- IBM Security Access Manager Mobile 8 0 Firmware Version 8.0.0.1
- IBM Smartcloud Provisioning Version 2.1.0
- IBM Security Access Manager Mobile 8 0 Firmware Version 8.0.0.2
- IBM Qradar Security Information Event Manager Version 7.2.8 p3
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.6
- IBM Qradar Vulnerability Manager Version 7.2.4
- IBM Qradar Risk Manager Version 7.1.0
- IBM Security Access Manager Web 7 0 Firmware Version 7.0.0.8
- IBM Qradar Security Information Event Manager Version 7.2.8 p4
- IBM Security Access Manager Web 8 0 Firmware Version 8.0.0.5
- IBM Qradar Security Information Event Manager Version 7.1.0
- IBM Security Access Manager Web 8 0 Firmware Version 8.0.0.2
- IBM Qradar Security Information Event Manager Version 7.1.0 mr1
- IBM Qradar Security Information Event Manager Version 7.1.0 mr2
- IBM Qradar Security Information Event Manager Version 7.2.8 p7
- IBM Qradar Security Information Event Manager Version 7.2.8 p8
- IBM Qradar Security Information Event Manager Version 7.2.8 p9
- IBM Qradar Security Information Event Manager Version 7.2.8 p10
- IBM Qradar Security Information Event Manager Version 7.2.8 p11
- IBM Qradar Vulnerability Manager Version 7.2.8 p1
- IBM Qradar Vulnerability Manager Version 7.2.8 p2
- IBM Qradar Vulnerability Manager Version 7.2.8 p3
- IBM Qradar Vulnerability Manager Version 7.2.8 p4
- IBM Qradar Vulnerability Manager Version 7.2.8 p5
- IBM Qradar Vulnerability Manager Version 7.2.8 p6
- IBM Qradar Vulnerability Manager Version 7.2.8 p7
- IBM Qradar Vulnerability Manager Version 7.2.8 p8
- IBM Qradar Vulnerability Manager Version 7.2.8 p9
- IBM Qradar Vulnerability Manager Version 7.2.8 p10
- IBM Qradar Vulnerability Manager Version 7.2.8 p11
- IBM Qradar Security Information Event Manager Version 7.2.8 p12
- IBM Qradar Security Information Event Manager Version 7.2.8 p13
- IBM Qradar Security Information Event Manager Version 7.2.8 -
- IBM Qradar Security Information Event Manager Version 7.2.8 p14
- IBM Qradar Security Information Event Manager Version 7.2.8 p15
- IBM Qradar Security Information Event Manager Version 7.2.8 p16
- IBM Smartcloud Entry Appliance Version 2.4.0
- IBM Smartcloud Entry Appliance Version 3.1.0
- IBM Smartcloud Entry Appliance Version 3.2.0
- IBM Smartcloud Entry Appliance Version 2.3.0
- IBM Starter Kit For Cloud Version 2.2.0
- IBM Software Defined Network Virtual Environments Fixed in Version 1.2.1
- IBM Qradar Vulnerability Manager Version 7.2.6 p1
- IBM Qradar Vulnerability Manager Version 7.2.6 p2
- IBM Qradar Vulnerability Manager Version 7.2.6 p3
- IBM Qradar Vulnerability Manager Version 7.2.6 p4
- IBM Qradar Vulnerability Manager Version 7.2.6 p5
- IBM Qradar Vulnerability Manager Version 7.2.6 p6
- IBM Qradar Vulnerability Manager Version 7.2.6 p7
- IBM Qradar Vulnerability Manager Version 7.2.8 -
- IBM Qradar Vulnerability Manager Version 7.2.8 p12
- IBM Qradar Vulnerability Manager Version 7.2.8 p13
- IBM Qradar Vulnerability Manager Version 7.2.8 p14
- IBM Qradar Vulnerability Manager Version 7.2.8 p15
- IBM Qradar Vulnerability Manager Version 7.2.8 p16
- IBM Qradar Vulnerability Manager Version 7.2.8 p17
- IBM Qradar Security Information Event Manager Version 7.2
- IBM Qradar Security Information Event Manager Version 7.2.0 -
- IBM Qradar Security Information Event Manager Version 7.2.0 p1
- IBM Qradar Security Information Event Manager Version 7.2.0 p2
- IBM Qradar Security Information Event Manager Version 7.2.0 p3
- IBM Qradar Security Information Event Manager Version 7.2.1 -
- IBM Qradar Security Information Event Manager Version 7.2.1 p1
- IBM Qradar Security Information Event Manager Version 7.2.1 p2
- IBM Qradar Security Information Event Manager Version 7.2.1 p3
- IBM Qradar Security Information Event Manager Version 7.2.2 -
- IBM Qradar Security Information Event Manager Version 7.2.2 p1
- IBM Qradar Security Information Event Manager Version 7.2.2 p2
- IBM Qradar Security Information Event Manager Version 7.2.2 p3
- IBM Qradar Security Information Event Manager Version 7.2.2 p4
- IBM Qradar Security Information Event Manager Version 7.2.3 -
- IBM Qradar Security Information Event Manager Version 7.2.3 p1
- IBM Qradar Security Information Event Manager Version 7.2.3 p2
- IBM Qradar Security Information Event Manager Version 7.2.3 p3
- IBM Qradar Security Information Event Manager Version 7.2.3 p4
- IBM Qradar Security Information Event Manager Version 7.2.4 -
- IBM Qradar Security Information Event Manager Version 7.2.4 p1
- IBM Qradar Security Information Event Manager Version 7.2.4 p2
- IBM Qradar Security Information Event Manager Version 7.2.4 p3
- IBM Qradar Security Information Event Manager Version 7.2.4 p4
- IBM Qradar Security Information Event Manager Version 7.2.4 p5
- IBM Qradar Security Information Event Manager Version 7.2.4 p6
- IBM Qradar Security Information Event Manager Version 7.2.5 -
- IBM Qradar Security Information Event Manager Version 7.2.5 p1
- IBM Qradar Security Information Event Manager Version 7.2.5 p2
- IBM Qradar Security Information Event Manager Version 7.2.5 p3
- IBM Qradar Security Information Event Manager Version 7.2.5 p4
- IBM Qradar Security Information Event Manager Version 7.2.5 p5
- IBM Qradar Security Information Event Manager Version 7.2.5 p6
- IBM Qradar Security Information Event Manager Version 7.2.6 -
- IBM Qradar Security Information Event Manager Version 7.2.6 p1
- IBM Qradar Security Information Event Manager Version 7.2.6 p2
- IBM Qradar Security Information Event Manager Version 7.2.6 p3
- IBM Qradar Security Information Event Manager Version 7.2.6 p4
- IBM Qradar Security Information Event Manager Version 7.2.6 p5
- IBM Qradar Security Information Event Manager Version 7.2.6 p6
- IBM Qradar Security Information Event Manager Version 7.2.6 p7
- IBM Qradar Security Information Event Manager Version 7.2.7 -
- IBM Qradar Security Information Event Manager Version 7.2.7 p1
- IBM Qradar Security Information Event Manager Version 7.2.7 p2
- IBM Qradar Security Information Event Manager Version 7.2.7 p3
- IBM Qradar Security Information Event Manager Version 7.2.7 p4
- IBM Qradar Security Information Event Manager Version 7.2.8.15
- IBM Qradar Security Information Event Manager Version 7.2.9
- IBM Qradar Security Information Event Manager Version 7.1.1 -
- IBM Qradar Security Information Event Manager Version 7.1.1 p1
- IBM Qradar Security Information Event Manager Version 7.1.1 p2
- IBM Qradar Security Information Event Manager Version 7.1.1 p3
- IBM Qradar Security Information Event Manager Version 7.1.2 -
- IBM Qradar Security Information Event Manager Version 7.1.2 p1
- IBM Qradar Security Information Event Manager Version 7.1.2 p10
- IBM Qradar Security Information Event Manager Version 7.1.2 p11
- IBM Qradar Security Information Event Manager Version 7.1.2 p12
- IBM Qradar Security Information Event Manager Version 7.1.2 p13
- IBM Qradar Security Information Event Manager Version 7.1.2 p2
- IBM Qradar Security Information Event Manager Version 7.1.2 p3
- IBM Qradar Security Information Event Manager Version 7.1.2 p4
- IBM Qradar Security Information Event Manager Version 7.1.2 p5
- IBM Qradar Security Information Event Manager Version 7.1.2 p6
- IBM Qradar Security Information Event Manager Version 7.1.2 p7
- IBM Qradar Security Information Event Manager Version 7.1.2 p8
- IBM Qradar Security Information Event Manager Version 7.1.2 p9
- IBM Infosphere Guardium Database Activity Monitoring Version 9.0
- IBM Infosphere Guardium Database Activity Monitoring Version 9.1
- IBM Infosphere Guardium Database Activity Monitoring Version 8.2
- IBM Workload Deployer Version 3.1.0 through 3.1.0.7
- IBM Pureapplication System Version 1.1.0.0 through 1.1.0.4
- IBM Pureapplication System Version 1.0.0.0 through 1.0.0.4
- Canonical Ubuntu Linux Version 14.04
- Canonical Ubuntu Linux Version 10.04
- Canonical Ubuntu Linux Version 12.04
- Novell Zenworks Configuration Management Version 11.1
- Novell Zenworks Configuration Management Version 11
- Novell Zenworks Configuration Management Version 10.3
- Novell Zenworks Configuration Management Version 11.2
- Novell Zenworks Configuration Management Version 11.3.0
- Novell Open Enterprise Server Version 11.0 sp2 linux_kernel
- Novell Open Enterprise Server Version 2.0 sp3 linux_kernel
- Checkpoint Security Gateway Fixed in Version r77.30
- F5 Networks Big Ip Analytics Version 11.6.0
- F5 Networks Big Ip Application Security Manager Version 11.6.0
- F5 Networks Big Ip Advanced Firewall Manager Version 11.6.0
- F5 Networks Big Ip Global Traffic Manager Version 11.6.0
- F5 Networks Big Ip Local Traffic Manager Version 11.6.0
- F5 Networks Big Ip Link Controller Version 11.6.0
- F5 Networks Big Ip Policy Enforcement Manager Version 11.6.0
- F5 Networks Big Ip Edge Gateway Version 10.1.0 through 10.2.4
- F5 Networks Big Ip Application Security Manager Version 11.0.0 through 11.5.1
- F5 Networks Big Ip Access Policy Manager Version 11.6.0
- F5 Networks Big Ip Access Policy Manager Version 10.1.0 through 10.2.4
- F5 Networks Big Ip Access Policy Manager Version 11.0.0 through 11.5.1
- F5 Networks Big Ip Analytics Version 11.0.0 through 11.5.1
- F5 Networks Big Ip Advanced Firewall Manager Version 11.3.0 through 11.5.1
- F5 Networks Big Ip Application Acceleration Manager Version 11.6.0
- F5 Networks Big Ip Application Acceleration Manager Version 11.4.0 through 11.5.1
- F5 Networks Big Ip Local Traffic Manager Version 11.0.0 through 11.5.1
- F5 Networks Big Ip Local Traffic Manager Version 10.0.0 through 10.2.4
- F5 Networks Traffix Signaling Delivery Controller Version 4.0.0 through 4.0.5
- F5 Networks Traffix Signaling Delivery Controller Version 3.3.2
- F5 Networks Traffix Signaling Delivery Controller Version 3.4.1
- F5 Networks Traffix Signaling Delivery Controller Version 3.5.1
- F5 Networks Traffix Signaling Delivery Controller Version 4.1.0
- F5 Networks Big Iq Security Version 4.0.0 through 4.4.0
- F5 Networks Big Iq Device Version 4.2.0 through 4.4.0
- F5 Networks Big Iq Cloud Version 4.0.0 through 4.4.0
- F5 Networks Enterprise Manager Version 3.0.0 through 3.1.1
- F5 Networks Enterprise Manager Version 2.1.0 through 2.3.0
- F5 Networks Big Ip Wan Optimization Manager Version 11.0.0 through 11.3.0
- F5 Networks Big Ip Wan Optimization Manager Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Webaccelerator Version 11.0.0 through 11.3.0
- F5 Networks Big Ip Webaccelerator Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Protocol Security Module Version 11.0.0 through 11.4.1
- F5 Networks Big Ip Protocol Security Module Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Policy Enforcement Manager Version 11.3.0 through 11.5.1
- F5 Networks Big Ip Link Controller Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Global Traffic Manager Version 11.0.0 through 11.5.1
- F5 Networks Big Ip Global Traffic Manager Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Edge Gateway Version 11.0.0 through 11.3.0
- F5 Networks Big Ip Application Security Manager Version 10.0.0 through 10.2.4
- F5 Networks Big Ip Link Controller Version 11.0.0 through 11.5.1
- Apple Mac Os X Version 10.0.0 Fixed in Version 10.10.0
- VMware Vcenter Server Appliance Version 5.0
- VMware Vcenter Server Appliance Version 5.1 update_2
- VMware Vcenter Server Appliance Version 5.1 update_1
- VMware Vcenter Server Appliance Version 5.1
- VMware Esx Version 4.1
- VMware Vcenter Server Appliance Version 5.0 update_1
- VMware Vcenter Server Appliance Version 5.5 update_1
- VMware Vcenter Server Appliance Version 5.5 -
- VMware Vcenter Server Appliance Version 5.0 update_2
- VMware Esx Version 4.0