Article ID: 123006, created on Sep 25, 2014, last review on Jun 17, 2016

  • Applies to:
  • Operations Automation
  • Plesk for Linux/Unix
  • Virtuozzo
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor


GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."

NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.


Please use the automated script to find out if installed version of Bash is vulnerable: BashCheck

NOTE: The latest versions of Bash 4.3 [Ubuntu 14.x, Debian Jessie] produce a false positive warning in the check for CVE-2014-7186 (redir_stack bug) with the previously published script.


Vulnerable machine:

$ sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18:  6671 Segmentation fault: 11  bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Updated machine:

$ sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs


The Redhat security group fixed shellshock vulnerability in several steps and each step have its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.

Security impact and attack vectors' investigation is published on Redhat Security Blog.

The fixed version of bash are released by the OS vendors:

Even though this vulnerability is not in a product of Parallels, it is highly recommended to install the update because it is possible to exploit the system over the network.

Here is the list of articles which you may refer to:

  • - Parallels Automation, Parallels Business Automation - Standard, Parallels Plesk Automation,
  • - Plesk Panel family products,
  • - Server Virtualizaiton products.

Search Words

test.cgi vulnerable





certificate state

bash vulnerability


POACP Hacked!

e0aff7830fa22f92062ee4db78133079 caea8340e2d186a540518d08602aa065 198398b282069eaf2d94a6af87dcb3ff 614fd0b754f34d5efe9627f2057b8642 5356b422f65bdad1c3e9edca5d74a1ae 400e18f6ede9f8be5575a475d2d6b0a6 a914db3fdc7a53ddcfd1b2db8f5a1b9c 56797cefb1efc9130f7c48a7d1db0f0c 29d1e90fd304f01e6420fbe60f66f838 a26b38f94253cdfbf1028d72cf3a498b 2897d76d56d2010f4e3a28f864d69223 e8e50b42231236b82df27684e7ec0beb d02f9caf3e11b191a38179103495106f 0dd5b9380c7d4884d77587f3eb0fa8ef

Email subscription for changes to this article
Save as PDF