On September 24, 2014, a vulnerability was revealed in the Bash shell interpreter. The details are described in CVE-2014-6271. Note that there is a follow‑up vulnerability (CVE-2014-7169) that has not been patched as of this writing.
This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system, we recommend that you upgrade the copy of bash on that system as soon as possible.
Please refer to your operating system vendor’s instructions. For your convenience, here are a few links:
NGINX Plus AMIs on AWS
The NGINX Plus Amazon Machine Images (AMIs) (Version 1.3) are built on Amazon Linux or Ubuntu, and suffer from this vulnerability. We’re building and testing updated AMIs, and in the interim you need to run the following commands to manually update the bash package on those AMIs:
- For Amazon Linux AMIs:
- For Ubuntu AMIs:
Note that new Amazon Linux‑based instances are automatically updated on startup.
About the Author
Related Blog Posts
Secure Your API Gateway with NGINX App Protect WAF
As monoliths move to microservices, applications are developed faster than ever. Speed is necessary to stay competitive and APIs sit at the front of these rapid modernization efforts. But the popularity of APIs for application modernization has significant implications for app security.
How Do I Choose? API Gateway vs. Ingress Controller vs. Service Mesh
When you need an API gateway in Kubernetes, how do you choose among API gateway vs. Ingress controller vs. service mesh? We guide you through the decision, with sample scenarios for north-south and east-west API traffic, plus use cases where an API gateway is the right tool.
Deploying NGINX as an API Gateway, Part 2: Protecting Backend Services
In the second post in our API gateway series, Liam shows you how to batten down the hatches on your API services. You can use rate limiting, access restrictions, request size limits, and request body validation to frustrate illegitimate or overly burdensome requests.
New Joomla Exploit CVE-2015-8562
Read about the new zero day exploit in Joomla and see the NGINX configuration for how to apply a fix in NGINX or NGINX Plus.
Why Do I See “Welcome to nginx!” on My Favorite Website?
The ‘Welcome to NGINX!’ page is presented when NGINX web server software is installed on a computer but has not finished configuring